NEWS
DAEMON Tools Installer Hack Plants Hidden Backdoor on PCs in 100+ Countries
Official DAEMON Tools installers pulled directly from the company’s own website carried a hidden backdoor for nearly a month before anyone caught it. Kaspersky’s Global Research and Analysis Team disclosed on May 5, 2026 that trojanized versions 12.5.0.2421 through 12.5.0.2434 reached users in more than 100 countries, and the supply chain attack was still live at the time of disclosure.
The infected files were signed with a valid certificate belonging to AVB Disc Soft, the developer of the disc-imaging utility. That signature let the malware sail past Windows SmartScreen, antivirus reputation checks, and the basic trust assumption every user makes when they download software from a product page they’ve used for years.
Most of the thousands of compromised machines belonged to home users. About a dozen received a second-stage payload built for espionage, including a previously undocumented remote access tool the researchers call QUIC RAT.
Inside The Tampered Installer
The compromise sits inside three executables that ship with every standard install of the Windows tool. Securelist’s technical breakdown of the trojanized binaries identifies them as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three run automatically at startup, which is what gives the implant persistence without user interaction.
Kaspersky logged eight infected installer SHA-1 hashes, one per published patch in the affected band. Each carried AVB Disc Soft’s real digital signature, which is the detail that makes this campaign different from the cracked-installer junk circulating on torrent sites.
Malicious payload activity only kicks in after the legitimate setup completes. Users see the familiar progress bar, the licence prompt, the desktop shortcut. Behind that, three system processes start phoning out to a server that does not belong to AVB Disc Soft.
Three trojanized binaries have been publicly confirmed:
- DTHelper.exe: helper service that loads on user logon.
- DiscSoftBusServiceLite.exe: background service tied to the virtual disc bus driver.
- DTShellHlp.exe: shell extension that hooks Windows Explorer right-click menus.

How The Hidden Backdoor Phones Home
Once the trojanized service starts, it reaches out to env-check.daemontools[.]cc, a typosquat of the real daemon-tools[.]cc domain. The lookalike was registered on March 27, 2026, twelve days before the malicious installers went live. That gap is the clearest planning signal in the whole campaign.
The first stage delivers a .NET tool called envchk.exe that profiles the machine. It hands back the MAC address, hostname, DNS suffix, list of running processes, installed software, and system locale to a hardcoded server at 38.180.107[.]76. From there a small backdoor loader, cdg.exe, decrypts an RC4-encrypted payload (cdg.tmp) and runs it directly in memory.
Mapped end to end, the chain looks like this:
- Initial beacon: GET request to env-check.daemontools[.]cc with hostname appended.
- Profiling: envchk.exe collects system data through a .NET assembly carrying Chinese-language strings.
- Loader stage: cdg.exe maps cdg.tmp into memory using shellcode injection.
- Command execution: PowerShell pulled through cmd.exe, often hiding inside legitimate processes like notepad.exe and conhost.exe.
Surgical Targeting Hidden Inside A Mass Campaign
The numbers tell the real story of this attack. Kaspersky’s telemetry counted thousands of installation attempts across more than 100 territories. Roughly 10 percent landed inside organizations. Around 90 percent hit home machines.
Then the funnel narrows hard. Only about a dozen of those compromised systems received any second-stage payload at all. The rest sat profiled and untouched. That selection ratio is what separates this from a smash-and-grab cybercrime operation. The crew was fishing for specific victims and ignoring the catch they didn’t want.
The follow-on victims clustered tightly:
- Russia, Belarus, and Thailand: hosted the dozen machines that received advanced payloads.
- Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China: dominated the bulk infection wave.
- Retail, government, scientific, and manufacturing sectors: made up the targeted second-stage hits.
Look past the geographic spread and the picture turns colder. Thousands of innocent home installs served as cover noise for a campaign whose real target list could fit on a Post-it note.
The QUIC RAT That Only Hit One Russian School
Every other payload in the chain looks like a recon kit. The most sophisticated tool reached a single victim: an educational institution in Russia. Kaspersky tracks it as QUIC RAT.
It’s a C++ implant, statically linked against the WolfSSL library, with control flow flattening obfuscation that makes static analysis painful. The interesting part is its transport layer. QUIC RAT can talk to its operators over HTTP, TCP, UDP, WSS, DNS, QUIC, or HTTP/3. That kind of protocol versatility is unusual in a tool researchers had not catalogued before this campaign.
Process injection targets are notepad.exe and conhost.exe, two of the quietest binaries on a typical Windows desktop. A user who notices a Notepad window flicker open and shut would not assume the operating system’s text editor is running an espionage payload.
“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT.
Why The Chinese-Speaking Attribution Stays Soft
Researchers flagged Chinese-language strings inside the implants and consistent hardcoded paths that read more naturally in Mandarin than in English. That is the basis for the attribution in every public writeup of the campaign.
It’s not a confident attribution. Language artifacts inside malware are easy to plant deliberately, and Kaspersky has not tied the operation to any tracked Chinese-speaking group such as APT41 or Mustang Panda. GReAT frames the link as suggestive, not concluded. That distinction matters, because Western coverage often collapses “Chinese-speaking artifacts” into “China did it,” and the gap between those two claims is exactly the space where false flag operations live.
Disc Soft’s Reply And What Users Should Do Right Now
AVB Disc Soft acknowledged the report on May 5, 2026 but stopped short of confirming any of the technical findings. “Our team is treating this matter with the highest priority and is actively working to assess and address the issue,” the company said in a statement. “At this stage, we are not in a position to confirm specific details referenced in the report.”
As of publication, the developer has not announced a clean replacement build, has not published a list of confirmed safe hashes, and has not disclosed whether its signing certificate has been revoked. The DAEMON Tools downloads portal at daemon-tools.cc still serves the same product line, which puts the burden of verification on the user.
Independent verification has come from researchers, not the vendor. Kaspersky’s user-facing advisory recommends a manual sweep of any system that installed DAEMON Tools after April 8, 2026.
The recommended actions, in order:
- Audit the install date: anything installed or updated on or after April 8, 2026 is suspect.
- Isolate the host: pull it off corporate networks before further analysis.
- Hunt for indicators: look for outbound traffic to env-check.daemontools[.]cc and 38.180.107[.]76.
- Uninstall: remove the application and the three named binaries; assume residual implants until forensics says otherwise.
- Rotate credentials: anything entered or cached on the affected host should be considered exposed.
Home users with no specific indication of compromise should still uninstall and wait for the developer to publish a known-clean build. There is currently no way to confirm a downloaded installer is unaffected without manually checking its hash against Kaspersky’s published indicator list.
A Pattern Building Through 2026
DAEMON Tools is the fourth confirmed software supply chain compromise of the year, after eScan in January, Notepad++ in February, and CPU-Z in April. All four cases share the same playbook: trojanize a trusted desktop utility at the source, ride the developer’s own distribution channel, sit on the access for weeks.
Detection delay on this one ran about 30 days. Kaspersky’s analysts compared that gap to the 3CX attack of 2023, which also stayed hidden for roughly a month. Both fit the threat pattern documented in the CISA guide on defending against software supply chain attacks, classified by MITRE ATT&CK technique T1195.002 for compromised software supply chains.
Frequently Asked Questions
Should I Uninstall DAEMON Tools Right Now?
Yes, if you installed or updated it on or after April 8, 2026. Open Settings, then Apps, find DAEMON Tools or DAEMON Tools Lite, and remove it. After removal, restart and run a full scan with current antivirus definitions. The Kaspersky cleanup advisory for affected DAEMON Tools users walks through what to look for. Wait for AVB Disc Soft to publish a verified clean build with a fresh signing certificate before reinstalling.
Will My Antivirus Catch The Backdoor On Its Own?
Probably not without an updated signature pull. The malicious binaries carried valid AVB Disc Soft signatures, which trips most reputation-based defenses into trusting them. Make sure your security tool ran a definition update after May 5, 2026, the day Kaspersky published the indicators of compromise. Kaspersky, Microsoft Defender, ESET, and Bitdefender have rolled detection for the eight known infected installer hashes since then.
How Can I Tell If The Installer I Downloaded Is Clean?
Check the SHA-1 hash of your installer file against the eight known-bad hashes published in Kaspersky’s writeup. In Windows, run “certutil -hashfile [filename] SHA1” in Command Prompt. If your hash matches any in the published list, you have a confirmed-bad copy and should isolate the machine. If it does not match, that is reassuring but not definitive while the campaign remains active.
Were Mac Or Linux Users Affected?
No, based on currently disclosed indicators. The malicious binaries are Windows-only PE executables, and Kaspersky’s telemetry only flagged Windows installations. AVB Disc Soft has not yet stated whether its macOS product line shares any code or signing infrastructure with the compromised Windows builds. Users on other platforms should still treat any post-April 8 download with caution until the vendor publishes a complete scope statement.
Does Removing DAEMON Tools Clean The Malware?
Not always. The implant can drop additional payloads outside the application folder, including in-memory code injected into notepad.exe and conhost.exe. After uninstalling, run a boot-time antivirus scan and check scheduled tasks, run-on-startup registry keys, and outbound connections to 38.180.107[.]76. Targeted victims, particularly inside organizations, may need a full forensic image rather than a standard cleanup pass.
The DAEMON Tools breach is small in raw victim count and large in implication. A widely trusted utility, downloaded from a brand-name domain, with an authentic developer signature, was a malware delivery channel for almost a month. The next time a similar headline lands, the right reaction is not surprise.
Anyone who hit the download button between April 8 and May 5 should treat that machine as suspect until AVB Disc Soft publishes a known-clean replacement with a fresh certificate. The dozen targeted victims will be doing exactly that, and probably more.
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI3 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
CRYPTO2 months agoOCC Issues AML Consent Order Against Wise and Crypto.com Sponsor Bank
-
APPS1 month agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI3 weeks agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
