DAEMON Tools installer delivered QUIC RAT
Official signed DAEMON Tools Lite installers served from the vendor's own website were trojanized from April 2026. The implanted code profiled each machine and pushed a minimal backdoor and QUIC RAT only to a small set of selected targets.
Story
DAEMON Tools was compromised at the point users trust most: the vendor's own signed installers. Kaspersky found that installers distributed from the legitimate DAEMON Tools website had been trojanized starting April 8, 2026, covering versions 12.5.0.2421 through 12.5.0.2434.
The altered builds carried implanted code inside signed DAEMON Tools binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. At startup the implant contacted env-check.daemontools.cc, a lookalike domain registered shortly before the campaign, and could receive shell commands to download and run follow-on payloads.
Most observed infections received only an information collector. It gathered the MAC address, host and DNS names, running processes, installed software, and locale, then posted the profile to attacker infrastructure. That triage stage let the operators reduce a broad installer compromise to a short list of targets worth pursuing.
A few machines received a minimal backdoor, and one observed organization received QUIC RAT. Kaspersky described the latter as a C++ implant that communicates over HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3 and injects into notepad.exe and conhost.exe. The vendor later acknowledged the issue and released 12.6.0.2445, which no longer contains the malicious code.
Affected Artifacts
- Observed: 2026-04-08 to 2026-05-06
- Compromised Versions: 12.5.0.2421, 12.5.0.2422, 12.5.0.2423, 12.5.0.2424, 12.5.0.2430, 12.5.0.2431, 12.5.0.2433, 12.5.0.2434
- Fixed: 12.6.0.2445
- Hashes (SHA-1 of infected DAEMON Tools Lite installers, per Kaspersky):
  - sha1:9ccd769624de98eeeb12714ff1707ec4f5bf196d
  - sha1:50d47adb6dd45215c7cb4c68bae28b129ca09645
  - sha1:0c1d3da9c7a651ba40b40e12d48ebd32b3f31820
  - five further SHA-1 values from the same Kaspersky list are not reproduced here
- Kaspersky listed these SHA-1 values as infected DAEMON Tools Lite installer hashes and mapped them to versions 12.5.0.2421, 12.5.0.2422, 12.5.0.2423, 12.5.0.2424, 12.5.0.2430, 12.5.0.2431, 12.5.0.2433, and 12.5.0.2434.
- Earlier local SHA-256 values were removed because the source text did not identify the exact DAEMON Tools installer file for each digest.
Incident Context
- Motive: Espionage or targeted intrusion
- Cause: Website compromise
- Transitive: No
- Actor: Unknown Chinese-speaking actor
Indicators
- family: QUIC RAT
- domain: env-check.daemontools.cc
- ip: 38.180.107.76
- url: https://env-check.daemontools.cc/2032716822411
- url: http://38.180.107.76/09505aca4f538bd
- url: http://38.180.107.76/79437f5edda13f9c066/version/check
- file: DTHelper.exe
- file: DiscSoftBusServiceLite.exe
- file: DTShellHlp.exe
- file: envchk.exe
- file: cdg.exe
- file: cdg.tmp
- file: mcrypto.chiper
- file: mcrypto.dat
- process: notepad.exe
- process: conhost.exe
- protocol: QUIC
- protocol: HTTP/3
- file_sha1: envchk.exe 2d4eb55b01f59c62c6de9aacba9b47267d398fe4
- file_sha1: cdg.exe 9dbfc23ebf36b3c0b56d2f93116abb32656c42e4
- file_sha1: cdg.tmp 295ce86226b933e7262c2ce4b36bdd6c389aaaef
- file_sha1: mcrypto.chiper 98de8147394b74b27158e02ce9e7b0e25eb6e98a
- file_sha1: mcrypto.dat 2ecb292d27c36c1d4e47fb5cafa42af7ffbdda99
- file_sha1: minimalistic-backdoor-mcrypto a3e90653bd0a81ebe2ae387a67a59bb8d07ce7b5
- file_sha1: minimalistic-backdoor-cdg 3ee71d75020b2634b2c23866211a0c91b942c8d4
- observable: Kaspersky observed thousands of attempted deployments across more than 100 countries.
- observable: Further-stage payloads were deployed only to a small subset of infected machines.
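The version window from the Story and the indicators above fold naturally into a single offline sweep. The script below is an added example, not Kaspersky's or DAEMON Tools' code: it classifies an installed build against the published version list, matches a key=value proxy log against the domain, IP and URL indicators, and matches an EDR-style file inventory against the SHA-1 list. The log format and its field names (host, proc, dst, url), the inventory shape, the file names in the sample paths, and every sample line are constructed for the demo; the "review" outcome for unlisted builds inside the affected window is this example's own policy, not something the page states.

```python
"""Offline IOC sweep for the trojanized DAEMON Tools Lite installers.

Added example, not Kaspersky's or DAEMON Tools' code. Indicator values are
the ones listed on this page; the key=value proxy-log format, the field
names (host, proc, dst, url), the file inventory shape and all sample data
are constructed for the demo.
"""
import re

# Exact set of trojanized builds named by Kaspersky. It is a list, not a
# contiguous range: 12.5.0.2425-2429 and 12.5.0.2432 are not on it.
COMPROMISED_VERSIONS = {
    "12.5.0.2421", "12.5.0.2422", "12.5.0.2423", "12.5.0.2424",
    "12.5.0.2430", "12.5.0.2431", "12.5.0.2433", "12.5.0.2434",
}
WINDOW_LOW, WINDOW_HIGH, FIXED_VERSION = "12.5.0.2421", "12.5.0.2434", "12.6.0.2445"

# Network indicators from the page.
IOC_DOMAINS = {"env-check.daemontools.cc"}
IOC_IPS = {"38.180.107.76"}
IOC_URLS = {
    "https://env-check.daemontools.cc/2032716822411",
    "http://38.180.107.76/09505aca4f538bd",
    "http://38.180.107.76/79437f5edda13f9c066/version/check",
}

# SHA-1 file indicators from the page. The page gives no per-version mapping
# for the installer hashes, so they share one label.
IOC_SHA1 = {
    "9ccd769624de98eeeb12714ff1707ec4f5bf196d": "trojanized DAEMON Tools Lite installer",
    "50d47adb6dd45215c7cb4c68bae28b129ca09645": "trojanized DAEMON Tools Lite installer",
    "0c1d3da9c7a651ba40b40e12d48ebd32b3f31820": "trojanized DAEMON Tools Lite installer",
    "2d4eb55b01f59c62c6de9aacba9b47267d398fe4": "envchk.exe",
    "9dbfc23ebf36b3c0b56d2f93116abb32656c42e4": "cdg.exe",
    "295ce86226b933e7262c2ce4b36bdd6c389aaaef": "cdg.tmp",
    "98de8147394b74b27158e02ce9e7b0e25eb6e98a": "mcrypto.chiper",
    "2ecb292d27c36c1d4e47fb5cafa42af7ffbdda99": "mcrypto.dat",
    "a3e90653bd0a81ebe2ae387a67a59bb8d07ce7b5": "minimal backdoor (mcrypto)",
    "3ee71d75020b2634b2c23866211a0c91b942c8d4": "minimal backdoor (cdg)",
}


def parse_version(version):
    """'12.5.0.2421' -> (12, 5, 0, 2421) so builds compare numerically."""
    return tuple(int(part) for part in version.split("."))


def classify_version(version):
    """Classify an installed build. 'review' (an unlisted build inside the
    affected window) is this example's own policy, not the page's."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    build = parse_version(version)
    if build >= parse_version(FIXED_VERSION):
        return "fixed"
    if parse_version(WINDOW_LOW) <= build <= parse_version(WINDOW_HIGH):
        return "review"
    return "outside-window"


FIELD = re.compile(r"(\w+)=(\S+)")  # constructed key=value log format


def scan_proxy_log(lines):
    """Return (host, process, indicator) per line that touched a network IOC.
    A full URL match is preferred over the bare domain/IP so the analyst
    sees which C2 path was requested."""
    hits = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        url = fields.get("url", "")
        dst = fields.get("dst", "").lower()
        indicator = None
        if url in IOC_URLS:
            indicator = url
        elif dst in IOC_DOMAINS or dst in IOC_IPS:
            indicator = dst
        if indicator is not None:
            hits.append((fields.get("host"), fields.get("proc"), indicator))
    return hits


def match_file_hashes(inventory):
    """inventory maps path -> SHA-1 hex (any case); returns (path, label) hits."""
    return [(path, IOC_SHA1[digest.lower()])
            for path, digest in inventory.items() if digest.lower() in IOC_SHA1]


# Constructed sample telemetry, not real logs.
SAMPLE_PROXY_LOG = [
    "2026-04-12T09:14:03Z host=WS-017 proc=DTHelper.exe dst=env-check.daemontools.cc url=https://env-check.daemontools.cc/2032716822411",
    "2026-04-12T09:14:05Z host=WS-017 proc=envchk.exe dst=38.180.107.76 url=http://38.180.107.76/79437f5edda13f9c066/version/check",
    "2026-04-12T09:20:11Z host=WS-017 proc=svchost.exe dst=update.example.com url=https://update.example.com/feed",
    "2026-04-13T11:02:44Z host=WS-042 proc=notepad.exe dst=38.180.107.76 url=http://38.180.107.76/unlisted",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\DTLite-setup.exe": "9CCD769624DE98EEEB12714FF1707EC4F5BF196D",
    r"C:\ProgramData\tmp\envchk.exe": "2d4eb55b01f59c62c6de9aacba9b47267d398fe4",
    r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe": "0" * 40,  # placeholder, benign
}

if __name__ == "__main__":
    for v in ("12.5.0.2421", "12.5.0.2432", "12.6.0.2445"):
        print(v, classify_version(v))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("network:", hit)
    for hit in match_file_hashes(SAMPLE_INVENTORY):
        print("file:", hit)
```

The hash and URL matches only find the samples Kaspersky already catalogued; the bare domain and IP matches, and any connection from notepad.exe or conhost.exe to that infrastructure, are what catch the stages whose hashes are not on the page. The sweep is a starting point for scoping, not a clean bill of health: an unlisted build inside the window should be treated as unverified until its installer hash has been checked.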
External References
Source record: proprietary/daemontools/meta.yaml