Supply Chain Compromise of Daemon Tools Delivers Backdoors to Global Users
What Happened — Attackers hijacked the official Daemon Tools download site and distributed signed, trojanized Windows installers. The malicious binaries installed a .NET information collector that profiled the host and, in targeted cases, delivered a minimalistic backdoor or the QUIC RAT remote‑access tool.
Why It Matters for TPRM —
- Third‑party software used across many sectors can become a covert entry point for nation‑state or criminal actors.
- Signed binaries bypass typical trust checks, increasing the risk of undetected compromise in client environments.
- The attack demonstrates how supply‑chain tampering can lead to both data profiling and active payload deployment.
Who Is Affected — Gaming, development, and IT professionals; enterprises in government, scientific research, manufacturing, retail, and education sectors across Russia, Brazil, Turkey, Spain, Germany, France, Italy, China, and others.
Recommended Actions —
- Check all endpoints for the compromised Daemon Tools versions (12.5.0.2421 through 12.5.0.2434 inclusive).
- Immediately upgrade to the clean release (v12.6.0.2445) or remove the software where not required.
- Deploy application allow‑listing or hash‑based whitelisting to block unsigned or tampered binaries.
- Monitor network traffic for connections to the malicious C2 domain (env-check.daemontools.cc).
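The first and last actions above, version triage and C2 lookups, as an added Python example that is not part of the advisory or of the Help Net Security report: the version bounds and C2 domain come from this page; the DNS log layout, hostnames and sample records are constructed assumptions.

```python
import re

COMPROMISED_MIN = (12, 5, 0, 2421)   # first trojanized build (from advisory)
COMPROMISED_MAX = (12, 5, 0, 2434)   # last trojanized build (from advisory)
C2_DOMAIN = "env-check.daemontools.cc"

def parse_version(text):
    """'12.5.0.2430' -> (12, 5, 0, 2430); compare numerically, never as strings."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_compromised_version(text):
    """True when the build lies inside the trojanized range (inclusive)."""
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX

def is_c2_domain(host):
    """Exact C2 FQDN or any label beneath it; case-insensitive, trailing dot ok."""
    host = host.lower().rstrip(".")
    return host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)

def triage(inventory, dns_log):
    """Return (hosts with a compromised install, hosts that queried the C2)."""
    bad_install = sorted({h for h, v in inventory if is_compromised_version(v)})
    c2_hosts = set()
    for line in dns_log:
        # Assumed log layout: "<timestamp> <client-host> query <qname>"
        m = re.match(r"^\S+ (\S+) query (\S+)$", line.strip())
        if m and is_c2_domain(m.group(2)):
            c2_hosts.add(m.group(1))
    return bad_install, sorted(c2_hosts)

# Constructed sample inventory: (hostname, Daemon Tools version string).
INVENTORY = [
    ("ws-dev-01", "12.5.0.2421"),
    ("ws-dev-02", "12.5.0.2434"),
    ("ws-qa-07", "12.6.0.2445"),   # clean release named in the advisory
    ("ws-lab-03", "12.4.1.2400"),  # predates the affected range
]
# Constructed sample DNS log lines in the assumed layout.
DNS_LOG = [
    "2026-04-02T09:14:11Z ws-dev-01 query env-check.daemontools.cc.",
    "2026-04-02T09:15:02Z ws-qa-07 query update.example.com",
    "2026-04-02T09:16:40Z ws-dev-02 query ENV-CHECK.daemontools.cc",
]

if __name__ == "__main__":
    print(triage(INVENTORY, DNS_LOG))  # → (['ws-dev-01', 'ws-dev-02'], ['ws-dev-01', 'ws-dev-02'])
```

Hosts that appear in both lists had a trojanized build and reached out to the C2 domain, so they are the first candidates for isolation and forensic review.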
Technical Notes — The compromise leveraged a typosquatted domain (env-check.daemontools.cc) registered on 27 Mar 2026. The altered executables (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) were signed, so they appeared legitimate. The information collector harvested the OS language, running processes, and installed software, then used the profiling results to push backdoors, including QUIC RAT, which injects its payloads into legitimate processes.
Source: Help Net Security