Threats Tagged 'daemon tools'

A supply chain compromise involving Daemon Tools installers distributed via the official vendor website has been identified. The attackers used valid code-signing certificates to make the trojanized installers appear legitimate and bypass security controls. These malicious packages deploy a backdoor that performs system reconnaissance, environment verification, and communicates with attacker-controlled command-and-control infrastructure. The compromise leverages trusted software delivery mechanisms to evade detection, establish persistent access, and enable remote command execution. Organizations should block related malicious infrastructure, hunt for suspicious Daemon Tools installations and network activity, verify software integrity, and implement application allowlisting. Monitoring for unusual certificate usage in software deployment is also advised. No patch or official fix information is available, and no known exploits in the wild have been reported.

Since April 8, 2026, installers of DAEMON Tools software have been compromised with malicious payloads distributed through the legitimate website. Versions 12.5.0.2421 to 12.5.0.2434 contain trojaned binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) signed with legitimate developer certificates. The attack has affected thousands of systems across over 100 countries, though advanced payloads were selectively deployed to approximately a dozen machines in government, scientific, manufacturing, and retail organizations. Initial infection establishes backdoor communications to typosquatted domains, followed by deployment of an information collector for system profiling. Targeted systems receive additional implants including a minimalistic backdoor and QUIC RAT. Chinese-language strings found in malicious components suggest a Chinese-speaking threat actor. The attack remains active at time of publication, demonstrating sophisticated supply chain compromise techniques comparable to the 2023 3CX ...