DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A supply chain compromise affected DAEMON Tools Lite installers from versions 12.5.0.2421 through 12.5.0.2434. The tampered installers executed a malicious loader that reached out to remote infrastructure, fetched additional payloads, and ultimately deployed both a backdoor and a QUIC-based RAT. The campaign triggered thousands of infection attempts in more than 100 countries, while a narrower second-stage operation was directed at a smaller group of selected victims.
Investigation
Kaspersky researchers identified three modified binaries — DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — that contacted a malicious domain and ran commands through cmd.exe. The follow-on payloads included envchk.exe, cdg.exe, and cdg.tmp, which were used to load a lightweight backdoor and the QUIC RAT. Telemetry linked the activity to organizations in retail, scientific research, government, and manufacturing sectors.
Mitigation
AVB Disc Soft released a clean build, version 12.6.0.2445, and advised affected users to remove the compromised Lite versions, perform full system scans, and upgrade immediately. Organizations should isolate endpoints running DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434, verify installers and installed binaries against known-good hashes rather than trusting the code signature alone (the trojanized binaries carried a legitimate signature), and monitor for the known malicious binaries and related network traffic.
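The following PowerShell is an added triage example, not AVB Disc Soft's or this page's own code. It locates the three binaries named in the investigation, reads their file and product version, and flags anything inside the affected 12.5.0.2421 to 12.5.0.2434 range even when Get-AuthenticodeSignature reports the signature as Valid. Two assumptions are labelled in the code: the install directory is the default path and may differ on your hosts, and the $KnownGoodHashes table is something the operator fills from a verified clean 12.6.0.2445 install (it is left empty here; the page publishes no hashes).

```powershell
# Added triage example (not vendor code). Flags DAEMON Tools Lite binaries in the
# affected build range regardless of signature status, because the trojanized
# builds were signed with a legitimate certificate.

$InstallDir       = Join-Path $env:ProgramFiles 'DAEMON Tools Lite'   # ASSUMED default path
$AffectedBinaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$AffectedMin      = [version]'12.5.0.2421'
$AffectedMax      = [version]'12.5.0.2434'
# ASSUMPTION: operator-supplied SHA-256 values from a verified clean install; empty here.
$KnownGoodHashes  = @{}   # e.g. @{ 'DTHelper.exe' = '<SHA-256 from a clean 12.6.0.2445 install>' }

function Test-AffectedVersion {
    param([version]$Version)
    return ($Version -ge $AffectedMin -and $Version -le $AffectedMax)
}

function Get-DaemonToolsTriage {
    param(
        [string]$Dir = $InstallDir,
        [hashtable]$KnownGood = $KnownGoodHashes
    )
    foreach ($name in $AffectedBinaries) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ File = $name; Present = $false; Verdict = 'not installed' }
            continue
        }

        # Build [version] objects from the PE version resource. The binaries are
        # ASSUMED to carry the installer build number in either field.
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $fv  = [version]::new($vi.FileMajorPart,    $vi.FileMinorPart,    $vi.FileBuildPart,    $vi.FilePrivatePart)
        $pv  = [version]::new($vi.ProductMajorPart, $vi.ProductMinorPart, $vi.ProductBuildPart, $vi.ProductPrivatePart)
        $inRange = (Test-AffectedVersion $fv) -or (Test-AffectedVersion $pv)

        $sig   = Get-AuthenticodeSignature -FilePath $path
        $sha   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $match = if ($KnownGood.ContainsKey($name)) { $sha -ieq $KnownGood[$name] } else { $null }

        # Order matters: an affected build is compromised even if the signature is Valid.
        $verdict = if ($inRange)                 { 'AFFECTED build: isolate, remove, upgrade to 12.6.0.2445' }
                   elseif ($match -eq $false)    { 'hash differs from known-good: investigate' }
                   elseif ($sig.Status -ne 'Valid') { "signature status $($sig.Status): investigate" }
                   else                          { 'no indicator on this file' }

        [pscustomobject]@{
            File             = $name
            Present          = $true
            FileVersion      = $fv
            ProductVersion   = $pv
            InAffectedRange  = $inRange
            SignatureStatus  = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            Sha256           = $sha
            MatchesKnownGood = $match
            Verdict          = $verdict
        }
    }
}

Get-DaemonToolsTriage | Format-List
```

Run it from an elevated prompt on any host where DAEMON Tools Lite is installed. The point of the ordering in $verdict is that signature status is checked last: a Valid result on a binary in the affected range is expected for this campaign and must not downgrade the verdict.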
Response
Defenders should search for the three compromised executables, watch for DNS lookups of and outbound HTTP requests to env-check.daemontools.cc, and block execution of unexpected payloads such as envchk.exe, cdg.exe, and cdg.tmp. Endpoint detection rules should also be updated to identify the backdoor's behavior, including cmd.exe spawned by the trojanized binaries and code injected into notepad.exe and conhost.exe, and any infected systems should be quarantined without delay.
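The following PowerShell hunt is an added example, not one of the page's detection rules or vendor code. It sweeps one host's Sysmon log for the indicators named above (the three trojanized binaries, the follow-on payloads, cmd.exe spawned by a trojanized binary, and DNS or network activity towards env-check.daemontools.cc) and then checks the Run keys and the DNS resolver cache, which need no Sysmon at all. It assumes Sysmon is installed with process creation (event ID 1), network connection (ID 3) and DNS query (ID 22) logging enabled; the 72-hour lookback is an arbitrary choice and should be widened to cover the date the affected build was installed.

```powershell
# Added hunt example (not a vendor rule). ASSUMES Sysmon with event IDs 1, 3 and 22
# enabled; the lookback window is arbitrary.

$MaliciousDomain = 'env-check.daemontools.cc'
$TrojanizedBins  = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$PayloadBins     = 'envchk.exe', 'cdg.exe'
$SuspectImages   = $TrojanizedBins + $PayloadBins
$LookbackHours   = 72   # ASSUMED window

# Flatten a Sysmon EventRecord's <EventData> into a hashtable keyed by field name.
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ EventId = $Event.Id; TimeUtc = $Event.TimeCreated.ToUniversalTime() }
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-DaemonToolsActivity {
    param([int]$Hours = $LookbackHours)
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 1, 3, 22
                 StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($record in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $e      = ConvertFrom-SysmonEvent $record
        $image  = if ($e.Image)       { Split-Path $e.Image -Leaf }       else { '' }
        $parent = if ($e.ParentImage) { Split-Path $e.ParentImage -Leaf } else { '' }
        $reason = $null
        switch ($e.EventId) {
            1  { if ($SuspectImages -contains $image) { $reason = 'suspect image executed' }
                 elseif ($image -eq 'cmd.exe' -and $TrojanizedBins -contains $parent) {
                     $reason = "cmd.exe spawned by $parent" } }
            3  { # QUIC runs over UDP/443, so a TCP-only view of "HTTPS" misses the RAT channel.
                 if ($e.DestinationHostname -like "*$MaliciousDomain" -or $SuspectImages -contains $image) {
                     $reason = "network $($e.Protocol)/$($e.DestinationPort) to $($e.DestinationIp)" } }
            22 { if ($e.QueryName -like "*$MaliciousDomain") { $reason = 'DNS query for C2 domain' } }
        }
        if ($reason) {
            [pscustomobject]@{ TimeUtc = $e.TimeUtc; EventId = $e.EventId; Image = $image
                               Parent = $parent; CommandLine = $e.CommandLine; Reason = $reason }
        }
    }
}

# Autostart entries that point at a suspect image: the persistence the startup rule keys on.
function Find-SuspectAutostart {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath/PSParentPath/... provider metadata
            foreach ($img in $SuspectImages) {
                if ("$($p.Value)" -like "*$img*") {
                    [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Matches = $img }
                }
            }
        }
    }
}

# Resolver cache: catches a lookup of the C2 domain even without Sysmon DNS logging.
function Test-DnsCacheForC2 {
    Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$MaliciousDomain" }
}

Find-DaemonToolsActivity | Sort-Object TimeUtc | Format-Table -AutoSize
Find-SuspectAutostart    | Format-Table -AutoSize
Test-DnsCacheForC2       | Format-Table Entry, Data, TimeToLive -AutoSize
```

One caveat on event ID 3: DestinationHostname is Sysmon's reverse lookup of the destination address and is often empty or a CDN name, so the DNS query event and the resolver cache are the more reliable signals for the domain itself; the ID 3 match on the image name is what catches the QUIC traffic.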
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef technique fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ffccff
    classDef tool fill:#cccccc

    %% Node definitions
    initial_access_supply_chain["<b>Initial Access</b> – <b>T1553.002 Subvert Trust Controls: Code Signing</b><br/>Adversary compromised DAEMON Tools Lite installer and signed with legitimate certificate."]
    class initial_access_supply_chain action
    technique_compromise_binary["<b>Technique</b> – <b>T1554 Compromise Host Software Binary</b><br/>Trojanized binaries DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe distributed."]
    class technique_compromise_binary technique
    persistence_autostart["<b>Persistence</b> – <b>T1547 Boot or Logon Autostart Execution</b><br/>Malicious binaries set to run at system startup via autostart mechanisms."]
    class persistence_autostart action
    persistence_startup_items["<b>Technique</b> – <b>T1037.005 Boot or Logon Initialization Scripts: Startup Items</b><br/>Installed as startup items."]
    class persistence_startup_items technique
    persistence_software_ext["<b>Technique</b> – <b>T1176 Software Extensions</b><br/>Used software extensions for persistence."]
    class persistence_software_ext technique
    execution_c2_resolution["<b>Execution</b> – <b>T1568 Dynamic Resolution</b><br/>Implant contacts env-check.daemontools.cc via HTTP GET to obtain commands."]
    class execution_c2_resolution action
    execution_cmd["<b>Technique</b> – <b>T1059.003 Command and Scripting Interpreter: Windows Command Shell</b><br/>Commands executed using cmd.exe."]
    class execution_cmd technique
    execution_indirect["<b>Technique</b> – <b>T1202 Indirect Command Execution</b><br/>Commands executed indirectly via other processes."]
    class execution_indirect technique
    execution_payload_download["<b>Technique</b> – <b>T1204.003 User Execution: Malicious Image</b><br/>Additional payloads envchk.exe, cdg.exe, cdg.tmp downloaded."]
    class execution_payload_download technique
    defense_process_hollowing["<b>Defense Evasion</b> – <b>T1055.012 Process Injection: Process Hollowing</b><br/>Backdoor injects code into notepad.exe, conhost.exe."]
    class defense_process_hollowing technique
    defense_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/>Uses reflective loading to execute code in memory."]
    class defense_reflective_loading technique
    defense_junk_code["<b>Technique</b> – <b>T1027.016 Obfuscated Files or Information: Junk Code Insertion</b><br/>Employs junk code to evade analysis."]
    class defense_junk_code technique
    c2_multi_stage["<b>Command and Control</b> – <b>T1104 Multi-Stage Channels</b><br/>Uses multi-stage channels to retrieve further payloads."]
    class c2_multi_stage action
    c2_quic_rat["<b>Malware</b> – <b>T1219 Remote Access Tools</b><br/>Drops QUIC RAT providing interactive remote access."]
    class c2_quic_rat malware
    lateral_taint_shared["<b>Lateral Movement</b> – <b>T1080 Taint Shared Content</b><br/>Backdoor taints shared content to spread laterally."]
    class lateral_taint_shared action

    %% Connections
    initial_access_supply_chain -->|uses| technique_compromise_binary
    technique_compromise_binary -->|enables| persistence_autostart
    persistence_autostart -->|includes| persistence_startup_items
    persistence_autostart -->|includes| persistence_software_ext
    persistence_startup_items -->|leads to| execution_c2_resolution
    persistence_software_ext -->|leads to| execution_c2_resolution
    execution_c2_resolution -->|triggers| execution_cmd
    execution_cmd -->|uses| execution_indirect
    execution_cmd -->|downloads| execution_payload_download
    execution_payload_download -->|provides| defense_process_hollowing
    defense_process_hollowing -->|utilizes| defense_reflective_loading
    defense_process_hollowing -->|utilizes| defense_junk_code
    defense_reflective_loading -->|supports| c2_multi_stage
    defense_junk_code -->|supports| c2_multi_stage
    c2_multi_stage -->|delivers| c2_quic_rat
    c2_quic_rat -->|enables| lateral_taint_shared
```
Detections
- Download or Upload via Powershell (via cmdline)
- Rundll32 Dll Suspicious Path Execution (via process_creation)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Detection of QUIC RAT and Malicious Domain Contact via DAEMON Tools Compromise [Windows Network Connection]
- Trojanized DAEMON Tools Startup Execution Detection [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker who has compromised the DAEMON Tools supply chain plants a trojanized DTHelper.exe in a location that will be launched at system startup (e.g., the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key). The simulation stands in a benign copy of calc.exe renamed to DTHelper.exe for the malicious binary and triggers it immediately, so that the exact process-creation event the rule watches is generated without waiting for a logon. Writing under HKLM requires an elevated PowerShell session.
Steps:
- Copy a benign executable (calc.exe) to C:\Temp\DTHelper.exe.
- Register the binary in the Run registry key to emulate "startup execution".
- Force the system to execute the Run entry (or directly invoke the binary).
Regression Test Script:
```powershell
# -------------------------------------------------------------
# Simulation script for Trojanized DAEMON Tools startup execution
# Run from an elevated PowerShell session (the HKLM write needs admin).
# -------------------------------------------------------------
$tempPath = "C:\Temp\DTHelper.exe"
$runKey   = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$runName  = "DAEMONHelper"

# 0. Make sure the drop directory exists; Copy-Item does not create it
New-Item -ItemType Directory -Path (Split-Path $tempPath) -Force | Out-Null

# 1. Deploy the malicious-looking executable (using calc.exe as placeholder)
Copy-Item -Path "$env:SystemRoot\System32\calc.exe" -Destination $tempPath -Force

# 2. Register it for automatic execution at logon (emulates persistence)
New-ItemProperty -Path $runKey -Name $runName -Value $tempPath -PropertyType String -Force | Out-Null

# 3. Trigger execution immediately for testing purposes
Start-Process -FilePath $tempPath

# Output a marker for test verification
Write-Host "`n[+] DTHelper.exe executed and Run entry created."
```
Cleanup Commands:
```powershell
# -------------------------------------------------------------
# Cleanup for the DAEMON Tools simulation
# -------------------------------------------------------------
$tempPath = "C:\Temp\DTHelper.exe"
$runKey   = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$runName  = "DAEMONHelper"

# Remove the Run registry entry
Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue

# Stop the process if still running (on Windows 10/11 the calc.exe stub usually
# exits as soon as it has launched the Calculator app, so this may find nothing)
Get-Process -Name "DTHelper" -ErrorAction SilentlyContinue | Stop-Process -Force

# Delete the copied executable
Remove-Item -Path $tempPath -Force -ErrorAction SilentlyContinue
Write-Host "`n[+] Cleanup complete."
```