
Supply‑Chain Attack Trojanizes DAEMON Tools Installers, Deploying Backdoor to High‑Value Targets

Hackers inserted malicious code into official DAEMON Tools installers, compromising thousands of Windows systems worldwide. A selective second‑stage backdoor was delivered to high‑value victims in retail, government, scientific, and manufacturing sectors, highlighting the risk of third‑party software supply‑chain attacks for TPRM programs.

LiveThreat™ Intelligence · May 06, 2026 · Source: bleepingcomputer.com
Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended

What Happened — Hackers compromised the official DAEMON Tools download site and inserted malicious code into the installers (versions 12.5.0.2421‑12.5.0.2434). The trojanized binaries installed a persistent backdoor on thousands of Windows machines in over 100 countries. A second‑stage payload was delivered to about a dozen selected high‑value victims, including retail, scientific, government, and manufacturing organizations.

Why It Matters for TPRM

  • Supply‑chain compromise bypasses traditional perimeter defenses, exposing any downstream vendor that distributes the software.
  • The backdoor enables stealthy command‑and‑control, potentially leading to data exfiltration or sabotage of critical processes.
  • The selective delivery to high‑value targets indicates that the attackers profile victims before deploying advanced payloads, which raises the risk profile of any organization using the tool.

Who Is Affected — Retail, scientific research, government agencies, and manufacturing firms that have installed DAEMON Tools on Windows endpoints.

Recommended Actions

  • Inventory all endpoints for DAEMON Tools installations and verify version numbers.
  • Isolate and scan any systems with the affected binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe).
  • Apply endpoint detection and response (EDR) rules to detect the known backdoor behavior.
  • Review third‑party software procurement policies to include integrity‑verification steps (e.g., hash validation, signed‑package verification).
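
The inventory and version check from the first two actions, as an added PowerShell example (not from the original brief or from BleepingComputer). It assumes the reported versions form an inclusive range, that installs register under the standard per-machine uninstall keys with a display name beginning "DAEMON Tools", and that the three named binaries sit under the registered install location.

```powershell
# Added example, not from the original brief. Run locally or through your remoting/EDR tooling.
# Assumption: the reported versions are an inclusive range comparable to DisplayVersion.
$Low      = [version]'12.5.0.2421'
$High     = [version]'12.5.0.2434'
$Binaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# Standard per-machine uninstall keys (64-bit and 32-bit registry views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$VersionString)
    $parsed = $null
    # TryParse avoids an exception on non-numeric vendor strings; $null means "review by hand".
    if (-not [version]::TryParse($VersionString, [ref]$parsed)) { return $null }
    return ($parsed -ge $Low -and $parsed -le $High)
}

$installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' }   # assumed display-name prefix

$report = foreach ($app in $installs) {
    $files = @()
    if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
        # Hash and signature state of the binaries named in the brief, for triage.
        $files = @(Get-ChildItem -LiteralPath $app.InstallLocation -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $Binaries -contains $_.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    SHA256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Signature   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status.ToString()
                }
            })
    }
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Name     = $app.DisplayName
        Version  = $app.DisplayVersion
        Affected = Test-AffectedVersion $app.DisplayVersion
        Files    = $files
    }
}
$report | ConvertTo-Json -Depth 4
```

A `Valid` signature status does not clear a file when the vendor's own distribution channel was the point of compromise; compare the recorded hashes against indicators from the original reporting.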

Technical Notes

  • Attack vector: Malicious code inserted into official installers (third‑party dependency).
  • Payloads: First‑stage information stealer; second‑stage lightweight backdoor; occasional deployment of QUIC RAT (advanced remote access tool).
  • Persistence: Backdoor registers to run at system startup.
  • Data collected: Hostname, MAC address, process list, installed software, locale.
  • Scope: >1,000 infections across 100+ countries; targeted second‑stage on ~12 systems.

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
