Attackers trojanized digitally signed DAEMON Tools installers (versions 12.5.0.2421–12.5.0.2434), embedding a first-stage info-stealer that, when executed, establishes persistence and a backdoor on startup. The supply-chain compromise has infected thousands of machines across more than 100 countries since April 8, while only about a dozen high-value targets—including organizations in Russia, Belarus, and Thailand—received second-stage payloads such as a lightweight backdoor and QUIC RAT. #DAEMONTools #QUICRAT
Key points
- Attackers trojanized digitally signed DAEMON Tools installers, specifically DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in versions 12.5.0.2421–12.5.0.2434.
- The first-stage payload is a basic info-stealer that collects hostname, MAC address, running processes, installed software, and system locale for victim profiling.
- Based on profiling results, some systems received a second-stage lightweight backdoor capable of executing commands, downloading files, and running code in memory.
- Only around a dozen machines received next-stage payloads—targeting retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand—despite infections in thousands across 100+ countries.
- Kaspersky reports the campaign has been ongoing since April 8, evaded detection for almost a month, and in at least one case deployed the more advanced QUIC RAT; organizations that used DAEMON Tools should urgently inspect affected machines.
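As an added triage example (not code from the report or from Kaspersky), the helper below checks software-inventory records against the two facts the summary gives a defender to work with: the affected version range 12.5.0.2421–12.5.0.2434 and the three component file names. It compares versions numerically rather than as strings, since a lexical comparison would misorder build numbers. The inventory record layout and the host names are constructed assumptions; presence of a named component outside the affected range is reported only as a lower-confidence lead, because clean builds ship files of the same names.

```python
# Added triage helper (not part of the original report). Checks constructed
# inventory records against the DAEMON Tools version range and component
# file names named in the report. The record layout is an assumption.
from typing import Iterable

# Version range and component names as stated in the report.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
TROJANIZED_COMPONENTS = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so comparisons are numeric.
    A string compare would rank '12.5.0.999' above '12.5.0.2421'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected_version(text: str) -> bool:
    """True if the version lies inside the range the report names (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage(inventory: Iterable[dict]) -> list[dict]:
    """Return records worth investigating, with the reason for each.

    High-confidence signal: a DAEMON Tools product in the affected range.
    Lower-confidence signal: one of the named components present on a host
    whose recorded product/version does not match; clean builds ship the
    same file names, so this only flags the host for a closer look.
    """
    findings = []
    for rec in inventory:
        reasons = []
        product = rec.get("product", "").lower()
        if product.startswith("daemon tools") and is_affected_version(rec["version"]):
            reasons.append("affected version " + rec["version"])
        hits = TROJANIZED_COMPONENTS & set(rec.get("files", []))
        if hits:
            reasons.append("named component(s): " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"host": rec["host"], "reasons": reasons})
    return findings


# Constructed sample inventory: hypothetical hosts, versions and file lists.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "DAEMON Tools Lite", "version": "12.5.0.2421", "files": ["DTHelper.exe"]},
    {"host": "ws-02", "product": "DAEMON Tools Lite", "version": "12.5.0.2400", "files": []},
    {"host": "ws-03", "product": "Other App", "version": "1.0.0.1", "files": ["DTShellHlp.exe"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

Feed `triage` the output of whatever inventory tool your environment already uses, mapped into the `host`/`product`/`version`/`files` shape above; hosts flagged with an affected version are the ones the report says to inspect first, and the component-only hits are candidates for signature and hash verification against a known-good build.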