DAEMON Tools - isotope¹³

Incident Summary

Trojanized DAEMON Tools distributed QUIC RAT.

Attackers compromised official installers for DAEMON Tools, a popular disk imaging software, to distribute multi-stage malware. The infection chain included an information collector and a complex "QUIC RAT" backdoor, which was used for targeted espionage against government and scientific organizations globally.

Date: 2026-04-08
Category: Commercial
Target Surface: Distribution
Insertion Phase: distribution
Impact: Backdoor
Cause: Website compromise

What Was Affected

Package DAEMON Tools

LanguageC++

ComponentApplication

Artifact typebinary archive

Domain typeproject download host

Domain daemontools.cc

Compromised Versions

12.5.0.2421
12.5.0.2425
12.5.0.2429
12.5.0.2432
12.5.0.2434

Incident Context

Motive: Espionage
Attribution: Chinese-speaking actor
Transitive: No
User Impact: 50000

Evidence

Compromised Artifacts

files.disc-soft.com/inst/DTLite64.exe

Current Artifacts and Analysis

Indicators and Changes

Hashes

sha1:9ccd769624de98eeeb12714ff1707ec4f5bf196d
sha1:2d4eb55b01f59c62c6de9aacba9b47267d398fe4
sha1:396041ec1838836528d227d896683884c7188173
sha256:10d9e84307f0f62d186e24508499252327702f30691456a2976be04d603a1168
sha256:b58557997380907d7301018568c07d3967d337894a8607a016667b1654860f4e

External References

securelist.com/tr/daemon-tools-backdoor/119654

Source Data

Source record: proprietary/daemontools/meta.yaml