Supply Chain Compromise Affecting Daemon Tools Distribution Channel
A supply chain compromise involving Daemon Tools installers distributed via the official vendor website has been identified. The attackers used valid code-signing certificates so that the trojanized installers appear legitimate and bypass security controls. These malicious packages deploy a backdoor that performs system reconnaissance and environment verification and communicates with attacker-controlled command-and-control infrastructure. The compromise leverages trusted software delivery mechanisms to evade detection, establish persistent access, and enable remote command execution. Organizations should block the related malicious infrastructure, hunt for suspicious Daemon Tools installations and network activity, verify software integrity, and implement application allowlisting. Monitoring for unusual certificate usage in software deployment is also advised. No patch or official fix information is available, and no known exploits in the wild have been reported.
AI Analysis
Technical Summary
This threat involves a supply chain attack targeting the Daemon Tools distribution channel, where trojanized installers signed with valid certificates were distributed through the official vendor website. The malicious installers deploy a backdoor capable of system reconnaissance, environment checks, and command-and-control communication with infrastructure such as env-check.daemontools[.]cc. By abusing trusted code-signing and software delivery mechanisms, the attackers evade detection and maintain persistent remote access with command execution capabilities. The attack highlights risks associated with compromised software supply chains and code-signing abuse.
Potential Impact
The impact includes potential unauthorized persistent access to affected systems via a backdoor, enabling attackers to perform system reconnaissance, verify the environment, and communicate with attacker infrastructure for remote command execution. This undermines trust in the software supply chain and can lead to further compromise of organizational networks. No confirmed exploitation in the wild has been reported, but the use of valid code-signing certificates increases the likelihood of successful evasion of security controls.
Mitigation Recommendations
No official patch or fix is currently documented. Organizations should block the identified malicious command-and-control infrastructure, conduct retrospective threat hunting for suspicious Daemon Tools installations and abnormal network connections, verify the integrity of Daemon Tools software before installation, implement application allowlisting to prevent execution of unauthorized software, and monitor for suspicious use of code-signing certificates in software deployment processes. These steps help mitigate risk until further vendor guidance or fixes are available.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: none
- Adversary: not specified
- Pulse Id: 6a01b0270e641c93bef3a586
- Threat Score: not specified
Threat ID: 6a01b127cbff5d8610f76ef0
Added to database: 5/11/2026, 10:36:23 AM
Last enriched: 5/11/2026, 10:51:20 AM
Last updated: 5/11/2026, 7:07:15 PM