Chinese-Speaking Hackers Compromise DAEMON Tools in Large-Scale Supply Chain Attack

Executive Summary

Security researchers have uncovered a sophisticated, ongoing supply chain attack targeting users of DAEMON Tools, a popular disk emulation software. Since at least April 8, 2026, threat actors have compromised the official distribution channel, embedding malware into legitimate software installers downloaded from the DAEMON Tools website. The attack, attributed to a Chinese-speaking threat actor, uses a multi-stage approach. An initial backdoor infects a wide range of users, gathering system information. The attackers then selectively deploy a more advanced backdoor and a sophisticated implant known as QUIC RAT to a small number of high-value targets, including government, scientific, and manufacturing organizations in Belarus, Russia, and Thailand. The use of valid digital signatures on the malicious components has allowed the attack to remain stealthy and bypass many security measures.

Threat Overview

The attack originates from trojanized installers for DAEMON Tools for Windows, specifically versions 12.5.0.2421 to 12.5.0.2434. These installers were available for download directly from the official daemon-tools.cc website. The compromise was orchestrated by a currently unidentified but suspected Chinese-speaking threat group.

The infection chain is as follows:

1. Initial Compromise: A user downloads and installs a trojanized version of DAEMON Tools.
2. Backdoor Activation: Compromised binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe), which are signed with a valid digital certificate from the developer AVB Disc Soft, execute at system startup. These files contain a backdoor.
3. C2 Communication: The backdoor contacts a typosquatted command-and-control (C2) domain (env-check.daemontools[.]cc) to receive further instructions.
4. Stage 1 Payload (Reconnaissance): The C2 server instructs the backdoor to download and execute an information-stealing tool, envchk.exe. This tool profiles the infected system, collecting hostname, MAC address, running processes, and installed software, and sends the data back to the C2.
5. Stage 2 Payload (Targeted Backdoor): Based on the reconnaissance data, the attackers select high-value targets. These targets receive a second, more minimalistic backdoor (cdg.exe and cdg.tmp).
6. Stage 3 Payload (Advanced RAT): In at least one highly targeted case, the attackers used the second backdoor to deploy QUIC RAT, an advanced remote access trojan, against an educational institution in Russia.

Technical Analysis

The threat actor demonstrated a high level of sophistication by compromising legitimate, signed binaries. This technique, known as T1553.002 - Code Signing, significantly increases the malware's ability to evade detection by security software that trusts signed code.

The QUIC RAT implant is particularly advanced. It employs multiple communication protocols, including QUIC, DNS, and HTTP/3, for C2 communication, making its traffic difficult to block or analyze. It also uses control flow flattening obfuscation and injects itself into legitimate processes like notepad.exe (T1055 - Process Injection) to hide its presence on the infected system.

The initial reconnaissance phase allowed the attackers to filter through thousands of infections across over 100 countries to identify and focus on a dozen specific targets of interest. This demonstrates a clear espionage motive rather than a financially motivated one.

MITRE ATT&CK Techniques Observed:

• T1195.002 - Compromise Software Supply Chain: Compromising legitimate software installers on the vendor's website.
• T1553.002 - Code Signing: Using valid digital certificates to sign malicious binaries.
• T1071.004 - Application Layer Protocol: DNS: Using DNS for C2 communications.
• T1573.002 - Encrypted Channel: Asymmetric Cryptography: QUIC RAT uses encrypted protocols for C2.
• T1055 - Process Injection: QUIC RAT injects into notepad.exe.
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell: The initial backdoor receives shell commands from the C2.
• T1082 - System Information Discovery: The envchk.exe payload gathers extensive system information.

Impact Assessment

The impact of this attack is twofold:

1. Widespread Initial Infection: Thousands of users across more than 100 countries were infected with the initial information-gathering malware. While not the primary goal, this data could be used for other malicious purposes or sold.
2. Targeted Espionage: The primary impact is on the dozen highly targeted organizations in the government, scientific, manufacturing, and retail sectors. For these victims, the deployment of QUIC RAT represents a severe breach, enabling long-term persistence, data exfiltration, and complete remote control of their systems.

The compromise of a trusted software vendor like DAEMON Tools erodes user trust and highlights the systemic risk posed by supply chain attacks. Even security-conscious users who download software from official sources can become victims.

IOCs — Directly from Articles

Detection & Response

Security teams should hunt for signs of this activity within their networks.

• File Analysis (D3-FA): Scan systems for the presence of the IOC file names listed above. Use file hashing to compare DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe against known good versions. Check the digital signature details; while valid, the signing date or certificate hash may be anomalous.
• DNS Analysis: Monitor DNS logs for any requests to the malicious domain env-check.daemontools[.]cc or other domains using daemontools as a substring but not matching the official daemon-tools.cc.
• Process Analysis (D3-PA): On systems with DAEMON Tools installed, monitor for suspicious child processes spawned by DTHelper.exe or DiscSoftBusServiceLite.exe. Look for notepad.exe exhibiting network activity, which could be a sign of QUIC RAT injection.
• Software Inventory: Identify all systems with DAEMON Tools installed, particularly versions 12.5.0.2421 through 12.5.0.2434. These systems should be considered potentially compromised and prioritized for investigation.

Mitigation

• Software Removal: If DAEMON Tools is not a business-critical application, the safest course of action is to uninstall it from all corporate systems.
• Update Software: If the software is required, ensure it is updated to a version released after the incident, once the vendor has confirmed it is clean. Monitor communications from AVB Disc Soft for official guidance.
• Executable Allowlisting (D3-EAL): Implement application control policies to prevent the execution of unauthorized executables like envchk.exe and cdg.exe.
• Outbound Traffic Filtering (D3-OTF): Block outbound connections to the known C2 domain env-check.daemontools[.]cc at the firewall or web proxy. Implement policies to inspect and potentially block traffic using non-standard protocols like QUIC to untrusted destinations.