A sophisticated software supply-chain attack has compromised multiple versions of DAEMON Tools, resulting in the distribution of trojanized installers that deployed a stealth backdoor to thousands of devices worldwide.
The malicious installers were reportedly distributed through the software’s official website beginning on April 8, exposing organizations and individual users across more than 100 countries. While the initial infection campaign was broad, researchers observed second-stage malware deployment on only a limited number of systems, indicating a highly selective and targeted operation.
Trojanized DAEMON Tools Installers Identified
The compromised releases reportedly span versions 12.5.0.2421 through 12.5.0.2434.
Affected binaries reportedly include:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
These executables were digitally signed, allowing the malware to appear legitimate and reducing the likelihood of detection by users and security products.
DAEMON Tools is a Windows-based utility designed to mount disk image files as virtual drives. Although its popularity peaked in the 2000s among gamers and power users, it is still used in environments requiring virtual media management and legacy disk image support.
How the Supply-Chain Attack Worked
The attack leveraged trusted software distribution channels, a hallmark of modern supply-chain compromises.
When users downloaded and launched the infected installers, embedded malicious code executed automatically. The malware established persistence on the host system and activated a hidden backdoor during system startup.
This initial access allowed attackers to maintain remote communication with infected systems and selectively deploy additional payloads based on victim profiling.
First-Stage Malware Focused on Reconnaissance
The first-stage payload functioned primarily as an information stealer used for reconnaissance and target evaluation.
Collected data reportedly included:
- Hostname information
- MAC addresses
- Running processes
- Installed software inventories
- System locale and regional settings
This information was transmitted back to attacker-controlled infrastructure to identify high-value targets suitable for further exploitation.
The selective deployment strategy strongly suggests the operation was designed for espionage or targeted intrusion rather than mass financial cybercrime.
Second-Stage Payloads Delivered to High-Value Targets
Only a small subset of infected systems received additional malware components. Observed victims reportedly included organizations operating in:
- Retail
- Scientific research
- Government
- Manufacturing sectors
Targeted organizations were primarily located in:
- Russia
- Belarus
- Thailand
The second-stage malware acted as a lightweight backdoor capable of:
- Executing remote commands
- Downloading additional files
- Running code directly in memory
Memory-only execution is particularly dangerous because it reduces forensic artifacts and helps attackers evade traditional endpoint security solutions.
Advanced QUIC RAT Malware Observed
In at least one documented case involving an educational institution, attackers deployed a more advanced remote access trojan known as QUIC RAT.
This malware supports multiple communication protocols and includes process injection capabilities that allow malicious code to run inside legitimate Windows processes.
Such techniques help attackers:
- Evade endpoint detection systems
- Blend into normal system activity
- Maintain long-term stealth persistence
The use of QUIC RAT indicates a mature and technically capable threat actor with access to advanced tooling.
Indicators of a Sophisticated Supply-Chain Operation
The compromise reportedly remained undetected for nearly a month, underscoring the complexity of the intrusion and the difficulty of identifying malicious code embedded inside trusted software.
Several characteristics suggest a highly organized operation:
- Digitally signed malicious binaries
- Selective second-stage deployment
- Memory-resident payload execution
- Sophisticated victim profiling
- Stealth-oriented persistence mechanisms
Researchers also noted linguistic indicators within the malware suggesting the attackers may be Chinese-speaking, although no definitive attribution has been publicly confirmed.
Growing Trend of Software Supply-Chain Attacks
The DAEMON Tools incident is part of a broader surge in software supply-chain attacks targeting trusted software ecosystems.
Attackers increasingly compromise:
- Software installers
- Package repositories
- Browser extensions
- CI/CD pipelines
- Open-source dependencies
By weaponizing trusted applications, threat actors can bypass conventional security assumptions and infiltrate enterprise environments through legitimate update channels.
This trend mirrors recent attacks involving developer platforms, package managers, and trusted software vendors across the broader technology ecosystem.
Recommended Security Actions for Organizations
Organizations and users who installed affected DAEMON Tools versions should immediately investigate their systems for signs of compromise.
Recommended response measures include:
1. Remove Affected Software Versions
Uninstall compromised DAEMON Tools builds and replace them only with verified clean releases.
2. Conduct Endpoint Threat Hunting
Inspect systems for:
- Suspicious persistence mechanisms
- Unexpected outbound connections
- Unauthorized processes
- In-memory code execution activity
3. Rotate Credentials
Assume that locally stored credentials or session tokens may have been exposed.
4. Review Network Activity
Analyze logs for command-and-control communication or unusual file downloads occurring after April 8.
5. Strengthen Supply-Chain Security Controls
Organizations should implement:
- Application allowlisting
- Code-signing verification
- Behavioral endpoint detection
- Software integrity monitoring
- Sandboxed software testing environments
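A triage script for steps 1 and 2 above, added here as an example (it is not from the article or from the DAEMON Tools project). It assumes DAEMON Tools is registered under the standard Uninstall registry keys with an InstallLocation, and uses the affected version range and binary names reported above; run it in an elevated PowerShell session on the endpoint being checked.

```powershell
# Added triage example (not the article's or the DAEMON Tools project's own code).
# Assumes DAEMON Tools registers under the standard Uninstall keys with an
# InstallLocation, and uses the affected version range and file names reported above.
$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$Binaries    = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$Pattern     = ($Binaries | ForEach-Object { [regex]::Escape($_) }) -join '|'
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

# Step 1: find DAEMON Tools entries and compare the recorded version to the affected range.
$installs = Get-ItemProperty $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' }

foreach ($app in $installs) {
    $ver = $null
    [void][version]::TryParse([string]$app.DisplayVersion, [ref]$ver)
    $affected = ($null -ne $ver) -and ($ver -ge $AffectedMin) -and ($ver -le $AffectedMax)
    Write-Host ("{0} {1} in affected range: {2}" -f $app.DisplayName, $app.DisplayVersion, $affected)

    # Step 2a: hash each named binary and record its signature. A valid signature does
    # not clear a file here, because the trojanized builds were reportedly signed.
    if (-not $app.InstallLocation) { continue }
    foreach ($name in $Binaries) {
        $path = Join-Path $app.InstallLocation $name
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature $path
        [pscustomobject]@{
            File      = $path
            SHA256    = (Get-FileHash $path -Algorithm SHA256).Hash
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        } | Format-List
    }
}

# Step 2b: surface autostart entries (Run keys, services, scheduled tasks) that
# reference the named binaries; review anything unexpected by hand.
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
    Get-ItemProperty $_ -ErrorAction SilentlyContinue | ForEach-Object { $_.PSObject.Properties } |
        Where-Object { "$($_.Value)" -match $Pattern } |
        ForEach-Object { Write-Host "Run entry: $($_.Name) = $($_.Value)" }
}
Get-CimInstance Win32_Service | Where-Object { "$($_.PathName)" -match $Pattern } |
    Select-Object Name, State, PathName
Get-ScheduledTask | Where-Object { "$($_.Actions.Execute)" -match $Pattern } |
    Select-Object TaskName, TaskPath
```

The SHA-256 values it prints can be compared against the vendor's published hashes for clean builds or against indicators from the incident reporting; the script itself contains no indicators, because the article lists none.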
Why Supply-Chain Attacks Are Increasingly Dangerous
Supply-chain attacks remain one of the most effective cyberattack methods because they exploit trust relationships already established between users, vendors, and software ecosystems.
Unlike phishing or brute-force attacks, trojanized software installers can bypass user suspicion entirely, especially when:
- Files are digitally signed
- Downloads come from official websites
- Software updates appear legitimate
As attackers continue targeting trusted distribution channels, organizations must move beyond traditional perimeter defenses and adopt continuous validation of software integrity across their environments.
