Kaspersky disclosed on May 5 that official DAEMON Tools Lite installers, served from the vendor’s own download infrastructure and signed with the developer’s valid Authenticode certificate, had been carrying a backdoor since April 8, 2026. The compromised builds span versions 12.5.0.2421 through 12.5.0.2434. Version 12.6, released May 5, ships clean. If you installed or updated DAEMON Tools on Windows in the last month, treat the host as suspect.
What was tampered with
Three binaries inside the main install directory were modified:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
The implant lives in the C runtime initialization path — the code that runs before main() — so the backdoor fires on every process start before any application logic, and before most behavioral telemetry has a chance to attach. Because the binaries are signed with the legitimate Disc Soft / DAEMON Tools certificate, EDR file-reputation checks and certificate-pinning antivirus passes glide right over them.
This is the same primitive that made the 3CX, X_Trader, and Comm100 compromises so effective: the user downloads from the right URL, the certificate validates, the SmartScreen prompt is cooperative, and the malicious payload rides in on the trust the vendor has already earned.
C2 and capability
First-stage activity is straightforward: an HTTP GET to env-check.daemontools[.]cc, a domain registered March 27 — twelve days before the first poisoned build shipped. The response is a shell command piped to cmd.exe, which fetches the next stage.
Kaspersky says the second-stage implant supports HTTP, HTTP/3, UDP, TCP, WSS, QUIC, and DNS as C2 transports, and injects payloads into notepad.exe and conhost.exe to persist under common, lightly-instrumented processes. That protocol breadth is unusual — most commodity loaders pick one or two channels — and makes signature-based egress filtering much harder than it would be against a single-protocol implant.
Two-tier targeting
The attack splits cleanly into two populations:
- Mass infection — thousands of attempted installs across more than 100 countries, with the bulk of activity in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. About 10% of affected systems belonged to organizations rather than individuals. On most of these hosts, the implant was content with a stock information collector.
- Targeted exploitation — only about a dozen machines received the full backdoor, all of them in government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. The two-stage hand-off is what turns this from “another stealer” into a deliberately operated intrusion set.
Kaspersky attributes the campaign to a Chinese-speaking actor based on artifacts in the implants — language strings, build metadata, and code reuse patterns — but stops short of naming a specific group.
Mitigation
If DAEMON Tools is on a Windows host in your estate:
- Identify exposed endpoints. Any install or upgrade between April 8 and May 5, 2026 is presumed compromised. Hash-check the three modified binaries against Kaspersky’s IOCs.
- Update to 12.6 before doing anything else, then plan the host work that follows.
- Hunt the C2 indicator. Block and historically search DNS, proxy, and firewall logs for env-check.daemontools[.]cc. Any resolution from a corporate range is a strong signal.
- Inspect for second-stage hand-off. Look for unexpected child processes spawned from notepad.exe or conhost.exe, and outbound traffic over QUIC/HTTP/3/DoH from those processes — the long-tail C2 channels are the easier ones to spot once you know to look.
- Treat compromised hosts as full reimage candidates if any second-stage activity is observed. The implant has had nearly a month to plant secondary persistence; cleaning the three known binaries is not enough.
- Remove DAEMON Tools entirely on managed fleets where it isn’t business-critical. The utility’s primary modern use case — mounting ISO files — is covered natively by Windows since 8.1.
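The per-host part of that checklist collapses into one triage script. What follows is an added example, not Kaspersky's tooling or anything from the vendor: it checks the three named binaries for the affected version window, an IOC hash match and the signer, then walks the process tree for children of notepad.exe and conhost.exe, lists live TCP/UDP endpoints owned by those processes, and looks for the C2 domain in the DNS client cache. Assumptions: the default install directory under Program Files, and the `$KnownBadHashes` list, which is a placeholder you fill from Kaspersky's published indicators. The cmdlets are standard Windows PowerShell 5.1+ (NetTCPIP and DnsClient modules, Windows 8.1 and later); run it elevated so command lines and connections of other users' processes are visible.

```powershell
# Added triage script for the DAEMON Tools Lite compromise (example code, not Kaspersky's).
# ASSUMED: default install path; $KnownBadHashes is a placeholder to fill from the IOC list.

$InstallDir       = Join-Path $env:ProgramFiles 'DAEMON Tools Lite'     # ASSUMED default path
$TamperedBinaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$KnownBadHashes   = @('PLACEHOLDER_SHA256_FROM_KASPERSKY_IOCS')          # ASSUMED placeholder
$AffectedMin      = [version]'12.5.0.2421'
$AffectedMax      = [version]'12.5.0.2434'
$C2Domain         = 'env-check.daemontools.cc'                           # de-fanged in the text as daemontools[.]cc
$InjectionHosts   = 'notepad.exe', 'conhost.exe'

# 1. Binaries: version window, hash match, signer. A valid Authenticode signature is
#    NOT a clean bill of health here; the backdoored builds carried the vendor's real cert.
$binaryReport = foreach ($name in $TamperedBinaries) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $vi   = (Get-Item -LiteralPath $path).VersionInfo
    $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $path

    [pscustomobject]@{
        File            = $name
        Version         = $ver
        InAffectedRange = ($ver -ge $AffectedMin) -and ($ver -le $AffectedMax)
        IocHashMatch    = $KnownBadHashes -contains $hash
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SHA256          = $hash
    }
}

# 2. Process tree: neither notepad.exe nor conhost.exe normally spawns children,
#    so any child of either is worth a look.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$suspectChildren = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    if ($parent -and ($InjectionHosts -contains $parent.Name)) {   # -contains is case-insensitive
        [pscustomobject]@{
            Parent      = $parent.Name
            ParentPid   = $parent.ProcessId
            Child       = $p.Name
            ChildPid    = $p.ProcessId
            CommandLine = $p.CommandLine
        }
    }
}

# 3. Network: live TCP connections and UDP endpoints owned by the injection hosts
#    (QUIC/HTTP/3 ride on UDP), plus any cached resolution of the C2 domain.
$hostPids = ($procs | Where-Object { $InjectionHosts -contains $_.Name }).ProcessId
$tcp = if ($hostPids) {
    Get-NetTCPConnection | Where-Object { $hostPids -contains $_.OwningProcess -and $_.State -ne 'Listen' }
}
$udp = if ($hostPids) {
    Get-NetUDPEndpoint | Where-Object { $hostPids -contains $_.OwningProcess }
}
$dnsHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Domain*" }

# 4. Report and verdict
'== DAEMON Tools binaries =='
$binaryReport | Format-Table -AutoSize
'== Children of notepad.exe / conhost.exe =='
$suspectChildren | Format-Table -AutoSize
'== Remote TCP connections from injection hosts =='
$tcp | Select-Object OwningProcess, RemoteAddress, RemotePort, State | Format-Table -AutoSize
'== UDP endpoints owned by injection hosts =='
$udp | Select-Object OwningProcess, LocalAddress, LocalPort | Format-Table -AutoSize
'== DNS cache entries for the C2 domain =='
$dnsHits | Select-Object Entry, Data | Format-Table -AutoSize

$hits = @($binaryReport | Where-Object { $_.InAffectedRange -or $_.IocHashMatch }).Count +
        @($suspectChildren).Count + @($dnsHits).Count
if ($hits -gt 0) {
    'VERDICT: indicators present. Isolate the host and treat it as a reimage candidate.'
} else {
    'VERDICT: no indicators found on this host. Still update to 12.6 and keep the egress block in place.'
}
```

The version check is the cheapest signal and the one most likely to survive an attacker rotating the payload, so it is evaluated independently of the hash list; the hash list only adds confidence. The DNS cache check is a point-in-time view and will miss resolutions that have already expired, which is why the historical search of DNS and proxy logs in the checklist is still required.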
Why this one matters
The infrastructure-security read here is less about DAEMON Tools specifically and more about a category of vendor that keeps getting punched through: small-team Windows utilities with valid code-signing certificates, modest CI/CD maturity, and a long tail of enterprise installations that nobody catalogs. The combination of legitimate signing, vendor-controlled distribution, and tier-two-and-below software supply chain hygiene is exactly the soft target that 3CX-style operators reach for. The DAEMON Tools incident is unlikely to be the last of its kind this quarter.
Sources:
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — The Hacker News
- Supply chain attack via DAEMON Tools — Kaspersky
- Popular DAEMON Tools software compromised — Securelist
- Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack — SecurityWeek
- Attackers compromised Daemon Tools software to deliver backdoors — Help Net Security
- Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools — TechCrunch