CyberHappenings


Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise

2 unique sources, 3 articles

Summary


DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates were trojanized to deliver a multi-stage malware payload from April 8, 2026. Three binaries, DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, were compromised to activate an implant on launch. Disc Soft Limited officially confirmed the attack on May 6, 2026, acknowledging unauthorized interference within its infrastructure, and released a malware-free version (DAEMON Tools Lite 12.6) on May 5, 2026. The compromised versions (12.5.0.2421 to 12.5.0.2434) contacted the C2 domain env-check.daemontools[.]cc to receive commands, which the implant executed via cmd.exe to download and run further payloads: a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware. Infected systems that received the backdoor belonged to organizations in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, and one educational institution in Russia received the QUIC RAT payload. The backdoor supports multiple C2 protocols and process injection techniques, and the evidence attributes the activity to a Chinese-speaking adversary.

Timeline

  1. 05.05.2026 19:07 · 3 articles

    DAEMON Tools signed installers trojanized to deliver multi-stage backdoor and QUIC RAT since April 8, 2026

    Disc Soft Limited officially confirmed the trojanized DAEMON Tools Lite supply chain attack via a published statement on May 6, 2026, acknowledging unauthorized interference within its infrastructure and the release of compromised installation packages from April 8, 2026. The compromised versions span DAEMON Tools 12.5.0.2421 to 12.5.0.2434, affecting DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Disc Soft released a malware-free version (12.6) on May 5, 2026, which no longer includes the compromised binaries. Disc Soft stated that users of other DAEMON Tools products (paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro) are not affected by the incident. Disc Soft advised users who installed DAEMON Tools Lite version 12.5.1 (free) since April 8, 2026 to uninstall the app, run a full system scan, and install the latest version (12.6) from the official website. Disc Soft removed the trojanized version from its distribution channels and now displays a warning prompting users to upgrade. Kaspersky independently confirmed that DAEMON Tools Lite version 12.6.0.2445, released on May 5, 2026, no longer exhibits malicious behavior.
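    As an added illustration (not code from the CyberHappenings page, Disc Soft, or Kaspersky), the following Python triage helper applies the indicators given in the summary and timeline above: it flags installed DAEMON Tools versions inside the reported compromised range and scans constructed endpoint log lines for the two behaviours the report describes, cmd.exe launched by one of the three trojanized binaries and DNS lookups for the reported C2 domain. The log format, host names and sample lines are hypothetical.

```python
import re

# Version range the report lists as compromised: 12.5.0.2421 through 12.5.0.2434.
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)

# Binaries the report names as trojanized, and the C2 domain (defanged on the page).
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_DOMAIN = "env-check.daemontools.cc"

def parse_version(text):
    """'12.5.0.2430' -> (12, 5, 0, 2430); shorter strings are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])

def is_compromised_version(text):
    """True if the version string falls inside the reported compromised range."""
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX

def basename(image_path):
    """Case-folded file name of a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# Constructed, hypothetical log format (not a real EDR schema):
#   PROC parent="<image path>" child="<image path>"
#   DNS host=<host> query=<domain>
PROC_RE = re.compile(r'^PROC parent="([^"]+)" child="([^"]+)"')
DNS_RE = re.compile(r"^DNS host=(\S+) query=(\S+)")

def scan_log(lines):
    """Return (rule, line) findings for the two behaviours described in the report."""
    findings = []
    for line in lines:
        proc = PROC_RE.match(line)
        if proc:
            if basename(proc.group(1)) in TROJANIZED_BINARIES and basename(proc.group(2)) == "cmd.exe":
                findings.append(("trojanized_binary_spawns_cmd", line))
            continue
        dns = DNS_RE.match(line)
        if dns and dns.group(2).lower().rstrip(".") == C2_DOMAIN:
            findings.append(("c2_domain_lookup", line))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    r'PROC parent="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" child="C:\Windows\System32\cmd.exe"',
    r'PROC parent="C:\Windows\explorer.exe" child="C:\Windows\System32\cmd.exe"',
    "DNS host=ws-01 query=env-check.daemontools.cc",
    "DNS host=ws-01 query=www.daemon-tools.cc",
]
```

Running `scan_log(SAMPLE_LOG)` yields one process-tree finding and one C2 lookup finding; the explorer.exe and unrelated DNS lines are ignored.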



Similar Happenings

Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain

A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and propagates via compromised repositories. Void Dokkaebi (aka Famous Chollima) abuses legitimate development workflows by luring developers with fake interviews, then delivering malware via malicious VS Code tasks or hidden payloads in fonts/images. Once committed to Git repositories, the infection spreads to downstream contributors, creating a worm-like chain reaction. Developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure are primary targets. Newly identified activity connected to the same actor’s PromptMink campaign targets cryptocurrency developers via malicious npm packages, including @validate-sdk/v2, co-authored by an AI coding assistant. The layered package strategy uses legitimate-looking tools to hide malicious payloads, with payloads evolving from credential theft to broader data exfiltration, persistence mechanisms, and cross-platform binaries. Over 60 packages and 300+ versions have been identified across seven months, with evidence of LLM integration in malware development.

Compromise of CPUID distribution channels delivers trojanized system monitoring tools

A threat actor compromised CPUID’s distribution infrastructure to deliver trojanized versions of CPU-Z, HWMonitor, HWMonitor Pro, and PerfMonitor between April 9–10, 2026, deploying the STX RAT alongside a multi-stage installer using DLL side-loading. The compromise lasted approximately 19 hours, affecting at least 150 victims across multiple sectors and geographies, with the attackers reusing infrastructure and tactics from a prior FileZilla campaign. CPUID confirmed the breach was limited to distribution links and has since restored clean versions, though the developer’s unavailability during the incident may have contributed to the prolonged exposure.

Targeted social engineering of Axios maintainer enables UNC1069 npm supply chain compromise via WAVESHAPER.V2 implant

A maintainer of the widely used Axios npm package was targeted in a highly tailored social engineering campaign attributed to North Korean threat actor UNC1069, resulting in the compromise of npm account credentials and the publication of two trojanized versions of Axios (1.14.1 and 0.30.4). Google Threat Intelligence Group (GTIG) attributed the attack to UNC1069 based on the use of WAVESHAPER.V2 and infrastructure overlaps with past activities. The malicious packages were available for roughly three hours and injected a plain-crypto-js dependency that installed a cross-platform RAT, enabling credential theft and downstream compromise. The campaign also targeted additional maintainers, including Pelle Wessman (Mocha framework) and Node.js core contributors, revealing a coordinated effort against high-impact maintainers. The intrusion began with reconnaissance-driven impersonation of a legitimate company founder, engagement via a cloned Slack workspace and Microsoft Teams call, and execution of a fake system update that deployed the RAT. Post-incident, the maintainer reset devices, rotated all credentials, adopted immutable releases, introduced OIDC-based publishing flows, and updated GitHub Actions workflows to mitigate future risks.

Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines

Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and horizontal movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios NPM package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.

Tag poisoning in Trivy GitHub Actions repositories delivers cloud-native infostealer payload

Attackers compromised two official Trivy-related GitHub Actions repositories—aquasecurity/trivy-action and aquasecurity/setup-trivy—and backdoored Trivy v0.69.4 releases, distributing a Python-based infostealer that harvests wide-ranging CI/CD and developer secrets. The payload executes in GitHub Actions runners and Trivy binaries, remaining active for up to 12 hours in Actions tags and three hours in the malicious release. The actors leveraged compromised credentials from a prior March incident and added persistence via systemd services, while also linking to a follow-up npm campaign using the CanisterWorm self-propagating worm. The incident traces to a credential compromise initially disclosed in early March 2026, which was not fully contained and enabled subsequent tag and release manipulations. Safe releases are now available and mitigation includes pinning Actions to full SHA hashes, blocking exfiltration endpoints, and rotating all affected secrets.