Supply Chain Attack on Daemon Tools: Backdoor Deployed Against Government and Scientific Organizations

A serious supply chain attack has struck the official website of Daemon Tools, the widely used disk image management software developed by AVB Disc Soft. The operation, active since April 8, 2026, has compromised thousands of systems worldwide. Among the targets are government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.

How the Daemon Tools Supply Chain Attack Works

Trojanized Installers Signed with Valid Certificates

The attackers replaced legitimate installers with trojanized versions spanning releases 12.5.0.2421 through 12.5.0.2434. Crucially, each compromised installer was signed with a valid digital certificate, allowing it to slip past conventional security controls undetected.

The malware tampered with three key software components:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

The compromise went undetected for roughly a month — a timeline eerily reminiscent of the 2023 3CX incident.

The Payload: QUIC RAT and a Shellcode Injector

The mass distribution campaign was only the first stage. Kaspersky researchers identified two secondary payloads — QUIC RAT and a shellcode injector — deployed on approximately 12 high-value systems. The precision of target selection points to a sophisticated, intelligence-driven espionage operation rather than opportunistic cybercrime.

Command-and-control communications run through a typosquatting domain: env-check.daemontools[.]cc — a detail that underscores the advanced operational planning behind this campaign.

Who Is Behind the Attack? Threat Actor Profile

Chinese-Language Artifacts in the Malicious Code

Kaspersky has stopped short of formally attributing the attack to any known threat group. However, researchers identified Chinese-language artifacts embedded within the QUIC RAT and shellcode injector code, suggesting a Chinese-speaking threat actor.

The overall operational profile is consistent with state-sponsored espionage campaigns. The surgical selection of just 12 final targets confirms that attackers conducted thorough reconnaissance before deploying second-stage payloads. This tactic — compromising thousands of systems to ultimately hit a select few — is a hallmark of the most sophisticated APT operations.

Context: 2026, a Record Year for Supply Chain Attacks

Four Major Incidents in Five Months

The Daemon Tools case is far from an isolated incident. Kaspersky has documented four significant software compromises in the first half of 2026 alone:

  1. January 2026 — eScan
  2. February 2026 — Notepad++
  3. April 2026 — CPU-Z
  4. May 2026 — Daemon Tools

Meanwhile, malicious open-source packages surged 37% year-over-year through the end of 2025, with nearly 19,500 malicious packages detected in that period alone.

The SolarWinds Lesson Still Resonates

The industry cannot afford to ignore the historical precedents. The 2020 SolarWinds attack compromised roughly 18,000 organizations and triggered an unprecedented regulatory response — including a White House Executive Order and new CISA directives. Yet despite years of warnings, the software supply chain remains a preferred attack vector. The reason is straightforward: it bypasses perimeter defenses and exploits the implicit trust placed in digitally signed software.

How to Defend Your Organization: Recommendations for CISOs and Security Managers

Immediate Actions for Daemon Tools Users

Organizations should immediately verify whether they installed any version between 12.5.0.2421 and 12.5.0.2434 after April 8, 2026. If so, the following steps are essential:

  • Isolate potentially compromised systems immediately
  • Review DNS logs for queries to *.daemontools[.]cc
  • Investigate anomalous processes spawned by DTHelper.exe
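As an added example (not code from the advisory or from Kaspersky), a small Python triage script that performs the three checks above over constructed sample logs. The version range and start date are the ones reported; the log formats, the second hostname and the set of child processes treated as suspicious are assumptions made for the example.

```python
import re
from datetime import date

# Reported trojanized build range and campaign start date.
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)
CAMPAIGN_START = date(2026, 4, 8)
# Assumption: script/shell hosts spawned by DTHelper.exe deserve analyst attention.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}

def parse_version(text):
    """'12.5.0.2430' -> (12, 5, 0, 2430); int tuples order correctly, strings would not."""
    return tuple(int(p) for p in text.strip().split("."))

def is_affected_install(version, installed_on_iso):
    """True for a build inside the trojanized range installed on or after 2026-04-08."""
    in_range = COMPROMISED_MIN <= parse_version(version) <= COMPROMISED_MAX
    return in_range and date.fromisoformat(installed_on_iso) >= CAMPAIGN_START

def dns_hits(log_lines):
    """Names under daemontools.cc found in DNS logs; the defanged '[.]' spelling is accepted."""
    pattern = re.compile(r"(?:[a-z0-9-]+\.)*daemontools\.cc\b")
    return [m for line in log_lines for m in pattern.findall(line.replace("[.]", ".").lower())]

def suspicious_children(proc_lines):
    """Child images of DTHelper.exe that are in LOLBIN_CHILDREN (constructed log format)."""
    pattern = re.compile(r'ParentImage="([^"]+)"\s+Image="([^"]+)"')
    found = []
    for line in proc_lines:
        m = pattern.search(line)
        if not m:
            continue
        parent, child = (p.rsplit("\\", 1)[-1].lower() for p in m.groups())
        if parent == "dthelper.exe" and child in LOLBIN_CHILDREN:
            found.append(child)
    return found

# Constructed sample input for this example (the daemon-tools.cc line is a benign decoy).
DNS_SAMPLE = [
    "2026-04-21T08:12:03Z client=10.0.5.17 query=env-check.daemontools.cc type=A",
    "2026-04-21T08:12:09Z client=10.0.5.17 query=update.daemon-tools.cc type=A",
    "2026-04-21T08:13:40Z client=10.0.5.22 query=telemetry.daemontools[.]cc type=A",
]
PROC_SAMPLE = [
    r'ParentImage="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" Image="C:\Windows\System32\rundll32.exe"',
    r'ParentImage="C:\Windows\explorer.exe" Image="C:\Program Files\DAEMON Tools Lite\DTHelper.exe"',
]

if __name__ == "__main__":
    print(is_affected_install("12.5.0.2430", "2026-04-20"), dns_hits(DNS_SAMPLE), suspicious_children(PROC_SAMPLE))
```

Each hit is a lead for triage, not proof of compromise; the exact hostnames and process names an environment logs will differ from the constructed ones here.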

Structural Security Measures

More broadly, organizations should adopt a zero-trust approach to software supply chain management. Key measures include:

  • Software Bill of Materials (SBOM) to track third-party dependencies
  • EDR with behavioral analysis to detect suspicious post-installation communications
  • Application whitelisting and certificate pinning for critical vendors
  • Network monitoring for outbound connections to typosquatting domains
  • Staged software rollouts to avoid immediate deployment of new versions

It bears emphasizing that system-level software like Daemon Tools operates with elevated privileges — which makes it an exceptionally high-value target for attackers seeking deep access.

Sources: Kaspersky Press Release, Risky Biz Newsletter, TechCrunch, SecurityWeek
Incidents like the Daemon Tools supply chain attack make it abundantly clear how critical timely threat intelligence sharing is among organizations operating in the same sector. Platforms like IsacChain enable the secure, verified exchange of indicators of compromise between ISAC members, while simultaneously supporting the automated NIS2 compliance requirements imposed on essential and important entities. Blockchain-based verification guarantees the integrity and traceability of every piece of shared data, eliminating the risk of information tampering. Discover how IsacChain can help your organization at www.isacchain.com