A supply chain attack has trojanized DAEMON Tools installers (versions 12.5.0.2421–12.5.0.2434) distributed from the official site and signed with legitimate developer certificates, activating an implant when DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe run. The implant contacts env-check.daemontools[.]cc to fetch commands that download and execute payloads including envchk.exe, a shellcode loader (cdg.exe/cdg.tmp), and a targeted backdoor that has delivered QUIC RAT to selected victims. #DAEMONTools #QUICRAT
Key points
- DAEMON Tools installers were trojanized and digitally signed, with tampering active since April 8, 2026.
- The compromised binaries are DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
- The implant performs an HTTP GET to env-check.daemontools[.]cc to receive shell commands executed via cmd.exe.
- Payloads include envchk.exe for system reconnaissance and cdg.exe/cdg.tmp, a loader that launches a backdoor and additional stages.
- A selective follow-on delivery deployed QUIC RAT to a small number of targets across retail, scientific, government, and manufacturing sectors, with C2 supporting multiple protocols and process injection.
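The implant behaviour listed above (a trojanized binary spawning cmd.exe, lookups of the C2 domain, and drops of the named payloads) maps directly onto host telemetry. The following is an added detection example, not code from the post or from The Hacker News; it assumes Sysmon-style JSON events with the field names shown, and every event record in it is constructed for illustration.

```python
import json
import re

COMPROMISED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
PAYLOAD_NAMES = {"envchk.exe", "cdg.exe", "cdg.tmp"}
# The post defangs the C2 domain; refang it so it matches real telemetry.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")
VERSION_RANGE = (2421, 2434)  # builds of 12.5.0.<build> named as trojanized

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def affected_version(version):
    """True if a 12.5.0.<build> string falls inside the trojanized build range."""
    m = re.fullmatch(r"12\.5\.0\.(\d+)", version.strip())
    return bool(m) and VERSION_RANGE[0] <= int(m.group(1)) <= VERSION_RANGE[1]

def check_event(ev):
    """Return a finding for one Sysmon-style event dict, or None if benign."""
    kind = ev.get("EventType")
    image = basename(ev.get("Image", ""))
    if kind == "ProcessCreate":
        parent = basename(ev.get("ParentImage", ""))
        if parent in COMPROMISED_BINARIES and image == "cmd.exe":
            return f"{parent} spawned cmd.exe: {ev.get('CommandLine', '')}"
    elif kind == "DnsQuery" and ev.get("QueryName", "").lower() == C2_DOMAIN:
        return f"{image} resolved C2 domain {C2_DOMAIN}"
    elif kind == "FileCreate":
        target = basename(ev.get("TargetFilename", ""))
        if target in PAYLOAD_NAMES:
            return f"{image} wrote payload {target}"
    return None

def scan(lines):
    """Parse newline-delimited JSON events and return all findings."""
    hits = (check_event(json.loads(l)) for l in lines if l.strip())
    return [h for h in hits if h]

# Constructed sample telemetry (not real captures); paths are illustrative.
SAMPLE_EVENTS = [
    '{"EventType":"ProcessCreate","ParentImage":"C:\\\\DT\\\\DTHelper.exe","Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","CommandLine":"cmd.exe /c ver"}',
    '{"EventType":"DnsQuery","Image":"C:\\\\DT\\\\DiscSoftBusServiceLite.exe","QueryName":"env-check.daemontools.cc"}',
    '{"EventType":"FileCreate","Image":"C:\\\\Temp\\\\envchk.exe","TargetFilename":"C:\\\\Temp\\\\cdg.tmp"}',
    '{"EventType":"ProcessCreate","ParentImage":"C:\\\\Windows\\\\explorer.exe","Image":"C:\\\\Windows\\\\System32\\\\cmd.exe","CommandLine":"cmd.exe"}',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The three indicators are checked independently, so a single matching DNS query or payload drop is reported even when the parent-child process chain was not captured.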
Read More: https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html