In a major cybersecurity incident identified in early May 2026, DAEMON Tools, a widely-used disk image mounting software, was compromised to disseminate malware globally. This sophisticated supply chain attack was detected by Kaspersky researchers when installers on the official DAEMON Tools site were found to be altered with malicious code beginning April 8, 2026.
Compromised Installers and Digital Certificates
The attack affected DAEMON Tools versions 12.5.0.2421 to 12.5.0.2434, with installers signed using legitimate digital certificates from the software’s developer, AVB Disc Soft. Despite thousands of attempts to infect systems in over 100 countries, attackers employed targeted methods post-compromise. Artifacts suggest a Chinese-speaking group may be involved, though this has not been definitively confirmed.
Upon discovery, AVB Disc Soft was promptly informed, enabling immediate efforts to mitigate the attack’s impact. The compromised executables, such as DTHelper.exe and DTShellHlp.exe, facilitated a backdoor activation when executed, leading to unauthorized communications with a malicious server.
Backdoor Mechanism and Payload Deployment
The malicious backdoor, embedded within the installation files, initiates communication with a server imitating the legitimate domain. This server, registered shortly before the attack commenced, executes shell commands using PowerShell to download an initial payload. This payload collects extensive system data, including MAC addresses, hostnames, and installed software details.
Notably, the payload’s .NET executable contains Chinese script, hinting at the origins of the perpetrators. The attackers selectively targeted valuable systems for further exploitation, with the second-stage payload impacting a limited number of machines in government and commercial sectors.
Advanced Threats and Recommendations
The second-stage payload involved a minimalist backdoor that uses RC4 encryption for payload execution, demonstrating manual intervention by attackers. For high-value targets, a sophisticated implant known as QUIC RAT was deployed, capable of evading detection through complex obfuscation and using advanced communication protocols.
This incident underlines the growing threat of software supply chain attacks in 2026. Similar breaches have occurred earlier this year, highlighting the need for robust security measures. Organizations are advised to monitor DAEMON Tools installations for unusual activities and enforce Zero Trust security models to safeguard against such threats.
Security teams should actively search for the information collector payload using the SHA1 hash 2d4eb55b01f59c62c6de9aacba9b47267d398fe4, and block all outgoing connections to the malicious domain and IP address specified in the attack indicators. Proactive threat hunting and incident response are crucial to mitigate the effects of these sophisticated cyber threats.
