Hackers compromised the official DAEMON Tools distribution infrastructure and trojanized installers for versions 12.5.0.2421 through 12.5.0.2434, delivering a multi-stage backdoor to thousands of systems across more than 100 countries since April 8, 2026. Kaspersky researchers discovered that the infected binaries carry valid digital certificates from the software's developer AVB Disc Soft, causing most endpoint security products to treat them as trusted software.
DAEMON Tools Supply Chain Attack: Technical Details
DAEMON Tools is a widely used Windows utility for mounting virtual drives and disc images. A supply chain attack (a compromise targeting a software vendor's build pipeline or distribution infrastructure rather than end users directly) is particularly dangerous because the malicious installer arrives via the vendor's own official website, signed with the vendor's legitimate code-signing certificate. Standard endpoint controls that block untrusted executables offer no protection.
Kaspersky's full analysis shows attackers registered the command-and-control (C2 — the attacker-controlled server that receives stolen data and issues commands to infected machines) domain daemontools[.]cc on March 27, 2026, approximately 12 days before the first poisoned installer appeared. Malicious code was injected into three binaries shipped with affected versions:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
On execution, the trojanized binaries send a GET request to env-check.daemontools[.]cc/2032716822411?s=<computer_name>. The C2 server responds with PowerShell commands instructing the host to download subsequent payloads from attacker infrastructure at 38.180.107[.]76.
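The beacon described above is straightforward to hunt for in DNS and proxy logs, provided the matching is done carefully: the domain must be matched on a label boundary (so that look-alike names do not fire), the distribution IP must be matched regardless of the URL, and the s= parameter can be used to recover which machine beaconed. The following Python is an added example, not code from Kaspersky or from the page; it assumes two simple space-separated log layouts (documented in the docstrings), the http scheme for the beacon URL, and uses constructed sample lines whose timestamps, client IPs, second URL path and the 198.51.100.7 destination are made up.

```python
import re

# Indicators as published on the page (defanged there; live form here only so
# that the matchers work on real log lines).
C2_DOMAIN = "daemontools.cc"
C2_IP = "38.180.107.76"
# Beacon path from the page: /2032716822411?s=<computer_name>
BEACON_PATH = re.compile(r"^/2032716822411\?s=(?P<name>[^&\s]*)")
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$")


def domain_matches(qname: str) -> bool:
    """True for the C2 domain or any subdomain of it (e.g. env-check.daemontools.cc).
    The leading dot matters: 'notdaemontools.cc' must not match."""
    qname = qname.strip(".").lower()
    return qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN)


def scan_dns(lines):
    """DNS query log, assumed layout: '<ts> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[:3]
        if domain_matches(qname):
            hits.append({"ts": ts, "client": client, "kind": "dns",
                         "indicator": qname.lower()})
    return hits


def scan_proxy(lines):
    """HTTP proxy log, assumed layout: '<ts> <client_ip> <method> <url> <dest_ip>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, _method, url, dest = parts[:5]
        m = URL_RE.match(url)
        if not m:
            continue
        host = m.group(1).rsplit(":", 1)[0].lower()  # drop an explicit port, if any
        path = m.group(2) or "/"
        beacon = BEACON_PATH.match(path)
        if not (dest == C2_IP or domain_matches(host) or beacon):
            continue
        hit = {"ts": ts, "client": client, "kind": "http",
               "indicator": host if domain_matches(host) else dest}
        if beacon:
            # The implant leaks the victim's computer name in the s= parameter.
            hit["victim_name"] = beacon.group("name")
        hits.append(hit)
    return hits


def compromised_clients(dns_lines, proxy_lines):
    """Map each internal client IP to the sorted list of indicators it touched."""
    result = {}
    for hit in scan_dns(dns_lines) + scan_proxy(proxy_lines):
        result.setdefault(hit["client"], set()).add(hit["indicator"])
    return {client: sorted(inds) for client, inds in result.items()}


# Constructed sample lines (not real captures).
SAMPLE_DNS = [
    "2026-04-09T08:12:01Z 10.0.5.23 env-check.daemontools.cc A",
    "2026-04-09T08:12:05Z 10.0.7.41 notdaemontools.cc A",       # suffix near-miss
    "2026-04-09T08:12:09Z 10.0.7.41 daemontools.cc.example A",  # prefix near-miss
]
SAMPLE_PROXY = [
    "2026-04-09T08:12:03Z 10.0.5.23 GET http://env-check.daemontools.cc/2032716822411?s=WS-FINANCE-07 198.51.100.7",
    "2026-04-09T08:15:44Z 10.0.5.23 GET http://38.180.107.76/stage1.bin 38.180.107.76",
    "2026-04-09T08:16:00Z 10.0.9.9 GET https://updates.example.com/setup.exe 203.0.113.10",
]

if __name__ == "__main__":
    for client, indicators in compromised_clients(SAMPLE_DNS, SAMPLE_PROXY).items():
        print(f"{client}: {', '.join(indicators)}")
```

Run against the sample, only 10.0.5.23 is reported, with both the C2 hostname and the download IP; the two near-miss names on 10.0.7.41 are ignored because the domain check requires a label boundary, and the computer name in the beacon (WS-FINANCE-07) is recovered from the s= parameter so the hit can be tied back to an asset record even when the client IP is a NAT or VPN address.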
Three-Stage Payload Architecture
The attackers use a deliberate three-stage delivery chain designed to profile victims before deploying high-risk tools:
Stage 1 — Information Collector (envchk.exe): An initial reconnaissance payload that harvests the victim's MAC address, hostname, running processes, installed software list, and system locale. This data is transmitted via HTTP POST to the attacker's infrastructure for triage. Only victims deemed high value receive follow-on payloads.
Stage 2 — Minimalistic Backdoor: A shellcode implant (self-contained machine code that runs directly in memory without an executable file on disk) delivered to beaconing victims. The shellcode is RC4-encrypted (RC4 is a symmetric stream cipher frequently used by malware authors to hide payloads from static antivirus signatures) and supports file downloads, command execution, and in-memory payload injection.
Stage 3 — QUIC RAT: An advanced C++ remote access trojan (RAT — malware granting an attacker full interactive remote control of the infected host) deployed selectively to approximately 12 high-value targets. QUIC RAT supports HTTP, UDP, TCP, WebSocket (WSS), QUIC (the modern transport protocol underlying HTTP/3), DNS tunneling, and HTTP/3 — an unusually broad set of C2 channels that makes network-level blocking extremely difficult. The implant also performs process injection, hiding itself inside legitimate Windows system processes to evade behavioral detection.
Exploitation Status and Threat Landscape
The attack was active from April 8, 2026, through at least the date of Kaspersky's disclosure. Infection attempts reached thousands of machines in over 100 countries. Countries with the highest infection counts are Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Advanced Stage 3 payloads were reserved for roughly 12 machines — confirmed targets in government, scientific research, manufacturing, and retail sectors located in Russia, Belarus, and Thailand. This two-tier approach — broad first-stage compromise, surgical escalation — is consistent with state-sponsored cyber espionage: cast a wide net for initial access, then invest advanced tools only in the highest-value targets.
TechCrunch reports that Kaspersky identifies Chinese-language strings embedded in the Stage 1 information collector, suggesting involvement of a Chinese-speaking threat actor. Kaspersky has not made a definitive attribution, and language artifacts alone cannot confirm state sponsorship or identify a specific group. The campaign remains unattributed as of this writing.
Who Is Affected
Any Windows system that downloaded and installed DAEMON Tools Lite between April 8, 2026, and the date the vendor confirmed a clean distribution is potentially compromised. Specifically, versions 12.5.0.2421 through 12.5.0.2434 contain malicious code in the three named binaries.
The infection spans consumer users, enterprises, and research organizations globally. Organizations in government, defense, research, and manufacturing should treat any system running affected versions as compromised until a forensic investigation confirms otherwise. The signed installers mean standard reputation-based security controls will not have flagged the installation.
What You Should Do Right Now
- Identify all systems running affected versions (12.5.0.2421–12.5.0.2434). Use your software asset inventory, SCCM/Intune device inventory, or the PowerShell command below.
- Search network logs immediately for outbound DNS queries to daemontools[.]cc (including subdomains such as env-check.daemontools[.]cc) and HTTP connections to 38.180.107[.]76. A match means the trojanized binary executed and beaconed; treat it as confirmed first-stage compromise.
- Hunt for the Stage 1 artifact envchk.exe in temp directories (%TEMP%, C:\Windows\Temp) and examine PowerShell execution logs (Script Block Logging, Event ID 4104 in Microsoft-Windows-PowerShell/Operational) for downloads from 38.180.107[.]76.
- Isolate confirmed-compromised hosts from the network and initiate full incident response. Assume that credentials held by any running process or credential store on the host have been harvested.
- Rotate all credentials (Active Directory, VPN, cloud services, SSH keys, API tokens) accessible from any affected machine.
- Uninstall affected DAEMON Tools versions and reinstall only after the vendor (AVB Disc Soft) confirms the distribution infrastructure is clean and issues a verified clean build.
Detection query — find affected DAEMON Tools installations (PowerShell):
# Check the 64-bit, 32-bit (WOW6432Node) and per-user uninstall keys; a 32-bit
# installer on 64-bit Windows registers under WOW6432Node and would otherwise be missed.
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
Where-Object { $_.DisplayName -like "*DAEMON*" } |
Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation
Versions between 12.5.0.2421 and 12.5.0.2434 in the output require immediate investigation.
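When the version strings come from an inventory export rather than a single host, the range check is easy to get wrong: compared as text, "12.5.0.999" sorts above "12.5.0.2434" and would be flagged, while numerically it is well below the affected range. The following Python is an added example, not tooling from the page or the vendor; it triages a constructed CSV of the shape an SCCM or Intune export might have, and the column names, hostnames and product labels are assumptions.

```python
import csv
import io

# Affected range from the page, inclusive at both ends.
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)


def parse_version(text):
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); None if any component is non-numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def is_affected(version_text):
    """True/False for a full four-part version, None when the string cannot decide
    (missing build number or garbage), so that such hosts go to manual review."""
    version = parse_version(version_text)
    if version is None or len(version) < 4:
        return None
    # Tuple comparison is component-wise and numeric, unlike string comparison.
    return AFFECTED_LOW <= version[:4] <= AFFECTED_HIGH


def triage_inventory(csv_text):
    """Return (affected_hosts, hosts_needing_manual_check) from an inventory CSV
    with 'hostname', 'product' and 'version' columns (assumed layout)."""
    affected, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "daemon tools" not in row["product"].lower():
            continue  # the range only applies to the DAEMON Tools product line
        verdict = is_affected(row["version"])
        if verdict is True:
            affected.append(row["hostname"])
        elif verdict is None:
            unknown.append(row["hostname"])
    return sorted(affected), sorted(unknown)


# Constructed inventory export (not real data).
SAMPLE_INVENTORY = """hostname,product,version
WS-FINANCE-07,DAEMON Tools Lite,12.5.0.2421
WS-LAB-02,DAEMON Tools Lite,12.5.0.2434
WS-HR-11,DAEMON Tools Lite,12.5.0.2420
WS-DEV-05,DAEMON Tools Lite,12.5.0.999
WS-OLD-01,DAEMON Tools Lite,12.5
SRV-BUILD-01,Some Other Tool,12.5.0.2425
"""

if __name__ == "__main__":
    affected, unknown = triage_inventory(SAMPLE_INVENTORY)
    print("affected:", ", ".join(affected))
    print("manual check:", ", ".join(unknown))
```

On the sample, WS-FINANCE-07 and WS-LAB-02 (the two boundary builds) are flagged, WS-DEV-05 with build 999 is correctly left out, the truncated "12.5" on WS-OLD-01 is routed to manual review rather than silently passed, and the unrelated product with a version inside the range is ignored.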
Background: Understanding the Risk
Supply chain attacks against software distributors represent one of the hardest threat classes to defend against because the attack arrives via a trusted, legitimate channel. Unlike phishing (which requires deceiving a user) or exploit kits (which require an unpatched vulnerability), a trojanized official installer defeats nearly every perimeter and endpoint control that relies on vendor trust.
The DAEMON Tools attack is structurally similar to the SolarWinds compromise of 2020, the 3CX supply chain attack of 2023, and the XZ Utils backdoor discovered in March 2024. Each followed the same pattern: gain a foothold in the vendor's source, build, or distribution pipeline, inject code, and let the vendor's legitimacy carry the payload to victims.
What distinguishes this attack is the disciplined use of victim profiling before committing advanced tools. By collecting system metadata in Stage 1 before deploying the more detectable QUIC RAT, the attackers limit exposure of their most sophisticated capabilities. This keeps detection timelines long and makes forensics harder, since most victims have only the generic Stage 2 implant — which is harder to attribute and less likely to trigger high-confidence detections.
The multi-protocol architecture of QUIC RAT — particularly its support for DNS tunneling and QUIC/HTTP/3 — reflects an explicit evasion strategy. Most enterprise firewalls allow DNS and are not configured to deep-inspect QUIC traffic, a relatively new transport protocol gaining ground as HTTP/3 adoption grows. Attackers designing for these channels expect defenders to block standard HTTPS-based C2 but have not yet updated controls for next-generation transport layers.
The geographic targeting of government, research, and manufacturing in Russia, Belarus, and Thailand for Stage 3 deployment raises questions about the operator's primary intelligence objectives — though these remain speculative in the absence of firm attribution.
Conclusion
Organizations with DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 installed should treat affected machines as compromised until forensic investigation proves otherwise. Audit now, search network logs for the C2 indicators above, and rotate credentials on any confirmed-infected host. The signed certificates and multi-protocol C2 architecture mean passive monitoring and standard antivirus will not catch this — active hunting is required.
For any query contact us at contact@cipherssecurity.com

