
DAEMON Tools Supply Chain Attack: Your PC May Be Infected

Hoplon InfoSec

06 May, 2026

DAEMON Tools Supply Chain Attack: Your PC May Be Infected Right Now

Your antivirus said nothing. The installer came straight from the official website. The digital signature checked out clean. And yet, your machine was already owned.

That is exactly what happened with the DAEMON Tools supply chain attack. And honestly, this one hit different. I have been tracking supply chain threats for over 15 years, and this attack is a textbook example of why "I got it from the official site" no longer means anything.
Let me break it all down for you like I am sitting across the table from you.

What is the DAEMON Tools Supply Chain Attack, Exactly?

Here is the short version, built for a quick answer:
The DAEMON Tools supply chain attack is a cyberattack where hackers secretly modified the official DAEMON Tools software installers to include hidden malware.

These infected installers were hosted on the legitimate DAEMON Tools website and carried valid digital signatures from the actual developers. The attack ran undetected for roughly one month starting April 8, 2026, and affected users in more than 100 countries.

Key Detail           Info
Attack Start Date    April 8, 2026
Affected Versions    12.5.0.2421 to 12.5.0.2434
Discovered By        Kaspersky GReAT Team
Countries Affected   100+
Developer Notified   AVB Disc Soft
Malware Type         Backdoor + QUIC RAT
Attribution          Likely Chinese-speaking threat actor

Was DAEMON Tools officially hacked? Yes. The software supply chain was compromised at the source level, meaning the malware came bundled inside legitimate, digitally signed versions of DAEMON Tools distributed from its own official website.


How Did Hackers Get Inside DAEMON Tools Installers?

This is the part that keeps security people up at night. The attackers did not just slap a fake installer on some random download site. They got inside the actual build or distribution process of DAEMON Tools itself.

Which Files Were Tampered?

Three specific binaries inside DAEMON Tools were modified:

• DTHelper.exe
• DiscSoftBusServiceLite.exe
• DTShellHlp.exe

These are not obscure files. They are core components that run during normal system operation. Every time your machine boots up or DAEMON Tools launches, one of these files kicks off, and with them, the implant wakes up too.


How the Implant Activates

Here is where it gets technically interesting. The moment any of these tampered binaries run (which happens automatically on system startup), the implant sends an HTTP GET request to an external server.
The domain it contacts: env-check.daemontools[.]cc
That domain was registered on March 27, 2026, just 12 days before the attack went live. The attackers planned this carefully. The command-and-control (C2) server sits behind that domain and sends back a shell command, which then gets executed via the Windows cmd.exe process. No pop-ups, no warnings, nothing visible to the user.

The Full Malware Payload Chain

Once that first shell command fires, here is what gets downloaded and runs on your machine:

1. envchk.exe - A .NET executable that silently collects extensive system information. Think hardware details, running processes, network config, OS version. Full recon.

2. cdg.exe + cdg.tmp - The cdg.exe file is a shellcode loader. It decrypts the contents of cdg.tmp and launches a stripped-down backdoor. This backdoor connects to a remote server and can download files, run commands, and execute shellcode payloads directly in memory.

3. QUIC RAT - The final payload, delivered only to select targets. This is a C++ remote access trojan that communicates using the QUIC protocol. Stealthy, fast, and hard to detect with traditional network inspection.
Think of it as a three-stage unlock. First recon, then access, then full control.

Why This DAEMON Tools Supply Chain Attack is So Dangerous

Most malware attacks are caught because they rely on users making mistakes. Opening a phishing email. Clicking a bad link. Downloading from a sketchy site. This one required none of that.

You went to the official website. You downloaded the software. It had a valid digital certificate signed by the actual DAEMON Tools developers. Your endpoint tool saw a signed binary from a known vendor and gave it a pass. That is the whole attack surface right there.

Georgy Kucherin, senior security researcher at Kaspersky GReAT, said it directly: "A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor."

He is right. And that quote should be pinned to every IT department's wall.
The attack went undetected for about a month. That is not an accident. It shows the threat actor behind this is sophisticated, patient, and operating with real offensive capabilities. They were not rushing.

Security Callout: A digitally signed installer from an official source is the hardest threat to catch. Signature validation alone is not enough. You need behavioral monitoring at the endpoint level.

Who Got Hit? Countries and Sectors Targeted

Kaspersky's telemetry recorded several thousand infection attempts across more than 100 countries. The spread was wide. Russia, Brazil, Turkey, Spain, Germany, France, Italy, China, and many more.
But here is the thing that tells you this was not a spray-and-pray attack. The second-stage backdoor, the real payload, was deployed to only about a dozen machines. Out of thousands infected, only a handful got the full treatment.
That is targeted. That is precision.

Region     Sectors Targeted
Russia     Retail, Scientific, Government, Manufacturing, Education
Belarus    Government, Manufacturing
Thailand   Retail, Scientific


The QUIC RAT was observed against exactly one victim: an educational institution in Russia. That specificity is a strong signal that the attackers knew exactly who they wanted.

The C2 Setup: How the Malware Phones Home

The backdoor used in this DAEMON Tools supply chain attack supports an unusually wide range of command-and-control protocols:

• HTTP
• UDP
• TCP
• WSS (WebSocket Secure)
• QUIC
• DNS
• HTTP/3

That is not typical. Most RATs pick two or three protocols. Supporting seven means the malware can adapt based on what is available in the target's network environment. If HTTP is blocked, try DNS. If that is filtered, try QUIC. The attacker is not giving you an easy way to cut the connection.

The malware also injects payloads into two trusted Windows processes: notepad.exe and conhost.exe. Running malicious code inside a legitimate Windows process is a classic living-off-the-land technique that makes behavioral detection much harder.


Who is Behind This Attack?

Kaspersky has not attributed this to any known threat actor group. No APT label, no country-level confirmation. But their artifact analysis points toward a Chinese-speaking adversary. The code patterns, tooling choices, and operational style carry markers consistent with Chinese-language development.

What is their goal? That question is still open. Kaspersky described the two most likely options: cyberespionage or big game hunting (financially motivated attacks on high-value targets). Given the precision targeting of government and scientific sectors, cyberespionage feels more likely. But we do not have a definitive answer yet.

DAEMON Tools vs Other 2026 Supply Chain Attacks: You Are Seeing a Pattern

This is not an isolated incident. We are in the middle of a supply chain attack wave in 2026, and it is accelerating.

Software          Month            Attack Type
eScan Antivirus   January 2026     Update server compromise
Notepad++         February 2026    Hijacked update mechanism
CPUID             April 2026       STX RAT distributed via installer
DAEMON Tools      April-May 2026   Trojanized signed official installer

Every single one of these targeted software that users trust deeply. Antivirus software. A text editor. A CPU utility. A disk imaging tool. The attackers are deliberately choosing software that lives close to the hardware and runs with elevated trust.
If there is one thing this pattern tells us, it is that no category of software is off limits.


What We Noticed When Analyzing This Threat

When our team pulled the indicators of compromise and ran them through our sandbox environment, a few things stood out immediately.
The domain env-check.daemontools[.]cc is designed to look legitimate. If you saw that in a log file, you might actually think it is a health check endpoint from DAEMON Tools itself. That is intentional social engineering at the infrastructure level.

We also noticed the implant is extremely quiet during its first contact. It sends a minimal GET request, waits for a response, and only proceeds if the response contains the expected command structure. If you hit that C2 with a scanner or a monitoring tool directly, it likely serves nothing useful. The attacker validates the target before deploying further payloads.

That is not script kiddie behavior. That is professional tradecraft.

How to Check If Your System is Infected Right Now

If you have DAEMON Tools installed, do this before you do anything else.

Step 1: Check Your Installed Version
Open Control Panel, go to Programs and Features, find DAEMON Tools Lite or Pro, and check the version number. If it falls between 12.5.0.2421 and 12.5.0.2434, your installer was compromised.

Step 2: Look for the Compromised Binaries
Check for these files in your DAEMON Tools installation folder (usually C:\Program Files\DAEMON Tools Lite or similar):

• DTHelper.exe
• DiscSoftBusServiceLite.exe
• DTShellHlp.exe

If you have a compromised version, assume these files are tampered.

Step 3: Check for C2 Communication
Use your firewall logs or a tool like Wireshark to search for any DNS requests or connections to env-check.daemontools[.]cc. Any hit on that domain means active infection.

Step 4: Look for Suspicious Child Processes
Check if notepad.exe or conhost.exe was spawned by any DAEMON Tools process. Use Process Monitor or Sysinternals Process Explorer to trace parent-child relationships.

Step 5: Run a Full Behavioral Scan
Standard signature-based AV may miss this. Use a behavior-based endpoint detection tool like Kaspersky Endpoint Security, CrowdStrike Falcon, or Microsoft Defender for Endpoint with behavioral analytics enabled.
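Steps 1, 3 and 4 above, together with the activation behaviour described earlier (tampered binary spawning cmd.exe, lookup of the C2 domain), can be checked in bulk against exported endpoint telemetry. The script below is an added Python example, not code from the article, from Kaspersky or from AVB Disc Soft; it assumes Sysmon-style records (Event ID 1 process creation, Event ID 22 DNS query) already decoded from a JSON export, and the sample events embedded in it are constructed for illustration.

```python
from typing import Iterable

# Indicators quoted in the article; the C2 domain is written defanged there.
TAMPERED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_DOMAIN = "env-check.daemontools.cc"
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}
BAD_LOW, BAD_HIGH = (12, 5, 0, 2421), (12, 5, 0, 2434)


def version_compromised(version: str) -> bool:
    """True if a dotted DAEMON Tools version lies in the trojanized range (inclusive)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return BAD_LOW <= parts <= BAD_HIGH


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_daemon_tools_process(path: str) -> bool:
    # One of the three tampered binaries, or anything running from the install folder.
    return _basename(path) in TAMPERED_BINARIES or "daemon tools" in path.lower()


def triage(events: Iterable[dict]) -> list[tuple[int, str]]:
    """Return (index, reason) for each event matching the behaviour the article describes."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 22:  # Sysmon DnsQuery
            if ev.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
                hits.append((i, "DNS lookup of the C2 domain"))
        elif eid == 1:  # Sysmon ProcessCreate
            parent, child = ev.get("ParentImage", ""), _basename(ev.get("Image", ""))
            if not _is_daemon_tools_process(parent):
                continue
            if child == "cmd.exe":
                hits.append((i, f"{_basename(parent)} spawned cmd.exe (first-stage command)"))
            elif child in INJECTION_HOSTS:
                hits.append((i, f"{_basename(parent)} spawned {child} (injection host)"))
    return hits


SAMPLE_EVENTS = [  # constructed Sysmon-style records, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "QueryName": "env-check.daemontools.cc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "update.example.com"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe"},
]

if __name__ == "__main__":
    print("12.5.0.2430 compromised:", version_compromised("12.5.0.2430"))
    for idx, reason in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

A benign notepad.exe launched from explorer.exe is deliberately included so the parent check, not the child name alone, decides what gets flagged.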

How to Protect Yourself: Immediate Action Steps

If you are on a compromised version, here is exactly what to do.
1. Uninstall the affected version immediately. Do not just update over it. Fully uninstall, then reinstall a clean version after confirming it is patched.
2. Block the C2 domain at your firewall. Add env-check.daemontools[.]cc to your DNS blocklist or firewall deny rules right now.
3. Run a memory scan. The payloads execute in memory inside notepad.exe and conhost.exe. A disk-only scan will miss them. Use tools that scan running process memory.
4. If you are in a corporate environment, isolate the machine first. Kaspersky explicitly recommended isolating any machine with DAEMON Tools installed and running a full security sweep before reconnecting.
5. Update your endpoint detection tools. Kaspersky has published IOCs. Make sure your security vendor has incorporated them.
6. Audit your software inventory. If DAEMON Tools was present on 50 machines in your network, check all 50. Not just the obvious ones.


Warning: Even if your installer came from the official website and passed signature validation, it may still be compromised. Signature verification is not the same as safety.


What is a Software Supply Chain Attack?

A software supply chain attack happens when an attacker compromises the software before it reaches you. Instead of attacking your machine directly, they attack the tool that builds, packages, or distributes the software.

Think of it like a grocery store. You trust the store. You trust the brand on the package. But if the factory where the food was made was compromised before it got to the store, by the time it reaches you, it is already tainted and the packaging still looks fine.
That is exactly what happened here. The DAEMON Tools supply chain attack did not need to trick you. The tainted installer came to you through a channel you already trusted.

Supply chain attacks are rising because defenders have gotten better at catching the obvious stuff. Phishing, fake websites, unauthorized downloads. So attackers moved upstream. They go after the source.
The SolarWinds attack in 2020 put this threat on the map. But in 2026, we are seeing smaller, more frequent versions of the same playbook applied to consumer and SMB software. The targets are less obvious, which makes them harder to monitor.

Common Mistakes Users Make After Hearing About This

Mistake 1: Just updating DAEMON Tools without uninstalling first
Updating over a compromised install does not clean the infected binaries. Full uninstall, then clean reinstall.

Mistake 2: Relying only on signature-based antivirus
Traditional AV missed this for a month. You need behavioral detection. If your endpoint tool only checks file signatures, you have a gap.

Mistake 3: Assuming only specific versions are risky
If you downloaded DAEMON Tools between April 8 and early May 2026, you should verify your version even if you think you are outside the range. Confirm, do not assume.

Mistake 4: Ignoring this because you are a home user
The initial spread hit thousands of individual users. Home machines fed data back to the attackers during the recon phase. You are not too small to matter.


Frequently Asked Questions

Is DAEMON Tools safe to use right now?

Not if you are running versions 12.5.0.2421 through 12.5.0.2434. Those were the compromised releases. Uninstall immediately, then reinstall from the official site after confirming the current version is clean. Check AVB Disc Soft's official advisory for the latest status.


How long was the DAEMON Tools malware active before anyone noticed?

Roughly one month. The attack began on April 8, 2026, and Kaspersky disclosed findings in early May 2026. That is 30 days of silent operation, which is a long time for an active supply chain compromise.


Who found the DAEMON Tools supply chain attack?

The Kaspersky GReAT (Global Research and Analysis Team) discovered it. The researchers involved were Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin.


What malware was actually installed on victim machines?

A two-stage payload. First, envchk.exe for recon and cdg.exe/cdg.tmp for backdoor access. Then, on a select handful of machines, QUIC RAT, a C++ remote access trojan capable of running commands, downloading files, and executing shellcode in memory.

3 Things You Can Do in 5 Minutes

• Check your DAEMON Tools version right now. Go to Control Panel, check the version, compare against 12.5.0.2421-12.5.0.2434.
• Block the C2 domain env-check.daemontools[.]cc in your DNS settings or firewall. Takes 60 seconds.
• Run a behavioral scan using whatever endpoint tool you have. If you only have Windows Defender, open it, go to Virus and Threat Protection, run an Advanced Scan with full offline scanning enabled.

That is your minimum. Do it now, then dig deeper if you find anything.

The Final Verdict: Trust is Now a Vulnerability

Here is the uncomfortable truth about the DAEMON Tools supply chain attack and everything that came before it this year.
Being cautious is no longer enough. You could do everything right. You could go to the real website. Download the real installer. Verify the real digital signature. And still end up with a backdoor running on your machine.

Supply chain attacks flip the traditional security model on its head. Your caution does not matter if the software was compromised before it reached you.
What actually protects you in 2026 is behavior-based detection. Watching what software does, not just what it looks like. Monitoring network traffic for unexpected connections. Auditing process hierarchies. These are not glamorous techniques, but they are what catches attacks like this.

The SolarWinds attack in 2020 should have been the wake-up call. Then eScan in January 2026. Then Notepad++ in February. Then CPUID in April. Now DAEMON Tools.

The pattern is obvious. The question is whether your defenses have caught up.
Refer to official advisories from sources like CISA and Kaspersky's Securelist for the latest indicators of compromise and updated guidance. The situation is still being investigated.


Published: May 06, 2026
Last Updated: May 06, 2026
Author: Radia, Cybersecurity Content Analyst





If you downloaded DAEMON Tools between April 8 and early May 2026, your installer may contain active malware, even if it came from the official website and passed every security check. Check your version immediately. Versions 12.5.0.2421 through 12.5.0.2434 are confirmed compromised. Do not wait.
