Trojanized DAEMON Tools Installers Used in Supply Chain Malware Attack
Official Windows installers for DAEMON Tools were compromised in a supply chain attack, with malicious versions distributed from the vendor’s legitimate website beginning on April 8. Kaspersky said the trojanized installers affected DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434, were signed with valid AVB Disc Soft certificates, and implanted a staged backdoor that contacted the typosquatted command-and-control domain env-check.daemontools[.]cc. TechCrunch reported that an independently downloaded installer also appeared to contain the backdoor when scanned, while Disc Soft said it was investigating and taking remediation steps.
Researchers observed thousands of infection attempts across more than 100 countries, but the attackers appear to have selectively escalated only a small number of victims in Russia, Belarus, and Thailand. Follow-on activity targeted organizations in the government, scientific, manufacturing, and retail sectors and included additional payloads such as an information stealer, an in-memory backdoor using RC4, and a more advanced QUIC RAT. Kaspersky said Chinese-language artifacts in the malware suggest a Chinese-speaking threat actor may be involved, though attribution remains unconfirmed, and urged defenders to hunt for related hashes, suspicious DAEMON Tools process activity, and communications with env-check.daemontools[.]cc and 38.180.107[.]76.
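The hunting guidance above (the C2 domain, the C2 IP and the affected installer version range) turned into a small triage script, as an added example that is not Kaspersky's or Mallory's code. Only the two network indicators and the version range 12.5.0.2421 through 12.5.0.2434 come from the story; the log line shapes, the installer file name, client IPs, timestamps and the sample log itself are constructed for the example. Note that the lookup of the vendor's real domain (daemon-tools.cc, with a hyphen) is deliberately not flagged: the C2 domain drops the hyphen, which is the typosquat the story refers to.

```python
"""Triage constructed DNS/connection/process log lines against the
DAEMON Tools supply-chain IOCs named in the story.

Added example, not code from Kaspersky, Disc Soft or Mallory. The IOCs
(env-check.daemontools[.]cc, 38.180.107[.]76, versions 12.5.0.2421-2434)
are from the page; everything else below is an assumption for the demo.
"""
import ipaddress
import re
from typing import Iterable

# Indicators exactly as published (defanged); refang() makes them matchable.
IOC_DOMAINS_DEFANGED = ["env-check.daemontools[.]cc"]
IOC_IPS_DEFANGED = ["38.180.107[.]76"]

AFFECTED_LOW = (12, 5, 0, 2421)   # first trojanized DAEMON Tools Lite build
AFFECTED_HIGH = (12, 5, 0, 2434)  # last trojanized build per Kaspersky


def refang(indicator: str) -> str:
    """Undo common defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}


def parse_version(ver: str):
    """'12.5.0.2421' -> (12, 5, 0, 2421); None if not four dotted integers."""
    parts = ver.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected_version(ver: str) -> bool:
    """True if a DAEMON Tools Lite file version lies in the trojanized range."""
    v = parse_version(ver)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH


def domain_matches(host: str) -> bool:
    """Match the C2 host exactly or as a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(addr: str) -> bool:
    """Compare as an address, not a string, so '038.180.107.76' style noise is handled."""
    try:
        return ipaddress.ip_address(addr) in IOC_IPS
    except ValueError:
        return False


# Constructed log shapes (an assumption, not any real product's format):
#   "<ts> DNS  <client_ip> <qname>"
#   "<ts> CONN <client_ip> <dst_ip>:<dst_port> <image>"
#   "<ts> PROC <image> <file_version>"
DNS_RE = re.compile(r"^(\S+) DNS (\S+) (\S+)$")
CONN_RE = re.compile(r"^(\S+) CONN (\S+) (\S+):(\d+) (\S+)$")
PROC_RE = re.compile(r"^(\S+) PROC (\S+) (\S+)$")


def hunt(lines: Iterable[str]) -> list:
    """One finding per line that resolves/contacts an IOC or runs an affected build."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := DNS_RE.match(line):
            ts, client, qname = m.groups()
            if domain_matches(qname):
                findings.append({"ts": ts, "kind": "c2_dns", "client": client, "ioc": qname})
        elif m := CONN_RE.match(line):
            ts, client, dst, port, image = m.groups()
            if ip_matches(dst):
                findings.append({"ts": ts, "kind": "c2_conn", "client": client,
                                 "ioc": f"{dst}:{port}", "image": image})
        elif m := PROC_RE.match(line):
            ts, image, version = m.groups()
            # "daemon" in the image path is a coarse filter for DAEMON Tools binaries (assumption).
            if "daemon" in image.lower() and is_affected_version(version):
                findings.append({"ts": ts, "kind": "affected_build", "image": image, "ioc": version})
    return findings


# Constructed sample log: file name, hosts, IPs and times are made up for the demo.
SAMPLE_LOG = [
    "2026-04-09T10:01:02Z PROC C:\\Users\\alice\\Downloads\\DAEMONToolsLite-Setup.exe 12.5.0.2428",
    "2026-04-09T10:01:05Z DNS 10.0.0.21 env-check.daemontools.cc",
    "2026-04-09T10:01:06Z CONN 10.0.0.21 38.180.107.76:443 C:\\Users\\alice\\Downloads\\DAEMONToolsLite-Setup.exe",
    "2026-04-09T10:02:00Z DNS 10.0.0.22 www.daemon-tools.cc",          # vendor's real domain: not an IOC
    "2026-04-09T10:03:00Z PROC C:\\Tools\\other.exe 12.5.0.2430",      # version in range but not DAEMON Tools
    "2026-04-09T10:04:00Z PROC C:\\Users\\bob\\Downloads\\DAEMONToolsLite-Setup.exe 12.5.0.2440",  # newer build
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

Running it prints three findings for the constructed log: the affected build launch, the C2 DNS lookup and the connection to the C2 IP. Because the installers carried a valid vendor signature, an Authenticode check alone would not separate good from bad builds, which is why the version range and the network indicators are the useful pivots here.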
Timeline
May 5, 2026
Disc Soft acknowledges report and starts remediation
On publication day, Disc Soft said it was aware of the report, was investigating the issue, and was taking remediation steps, but had not yet confirmed all of the reported details. TechCrunch also independently downloaded the installer and observed signs of the backdoor via VirusTotal scanning.
May 5, 2026
Kaspersky discovers active DAEMON Tools supply chain attack
In early May 2026, Kaspersky identified that official DAEMON Tools installers had been trojanized and linked the campaign to thousands of infection attempts across more than 100 countries. Malware analysis found Chinese-language artifacts, leading Kaspersky to suspect a Chinese-speaking threat actor, though attribution was not confirmed.
Apr 8, 2026
Attackers escalate select infections into targeted intrusions
After the initial infections, the attackers selectively deployed additional malware to a small subset of victims in Russia, Belarus, and Thailand, affecting organizations in the government, scientific, manufacturing, and retail sectors. Later-stage payloads included an information stealer, an in-memory backdoor using RC4, and the QUIC RAT.
Apr 8, 2026
Trojanized DAEMON Tools installers begin distribution
Kaspersky said the supply chain attack began on April 8, 2026, when official Windows installers for DAEMON Tools Lite started being distributed from the vendor's legitimate website with a backdoor embedded. The affected range covered versions 12.5.0.2421 through 12.5.0.2434, and the files were signed with valid AVB Disc Soft certificates, so standard code-signing validation would not have flagged them.
Related Stories

Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using **trojanized installers** and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed **FvncBot** targeting Polish mobile banking users by impersonating an *mBank* “security” app; the dropper prompts installation of an additional “Play” component and then abuses **Android Accessibility Services** for persistence and control, enabling **keylogging**, **screen capture**, and hidden **VNC-style remote interaction** to facilitate fraudulent transactions. Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking **Ren’Py** launcher tracked as **RenEngine**, which decrypts and launches subsequent stages and introduces **HijackLoader** via techniques including **DLL side-loading** and module stomping; observed final payloads include **ACR Stealer** (and in some cases **Vidar**) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering **ValleyRat/Winos 4.0** attributed to **Silver Fox APT**, notable for using the rare **“PoolParty Variant 7”** process injection (abusing Windows I/O completion ports and `ZwSetIoCompletion()` after duplicating a handle from `Explorer.exe`) plus a strengthened watchdog mechanism via injection into `Explorer.exe` and `UserAccountBroker.exe` to maintain persistence.
1 month ago
SEO Poisoning and Fake Software Downloads Used to Deliver Credential Theft and RAT Malware
Threat actors are using **software impersonation** and **SEO poisoning** to push victims toward fake download sites for trusted enterprise and IT tools, then delivering malware through trojanized installers. In one campaign, **Storm-2561** used spoofed VPN vendor pages for products such as **Pulse Secure, Fortinet, and Ivanti** to steal enterprise VPN credentials. The malicious packages were hosted on GitHub, signed with a certificate issued to **"Taiyuan Lihua Near Information Technology Co., Ltd."**, and designed to show an error before redirecting victims to the legitimate vendor site, reducing suspicion while exfiltrating credentials. A separate but closely related campaign used fake **FileZilla** download pages to distribute a **Remote Access Trojan** through multi-stage loaders and **DLL sideloading**. Attackers bundled legitimate FileZilla software with a malicious `version.dll`, or dropped the DLL during installation so the malware would execute while the expected application appeared to install normally. Both reports describe the same broader intrusion pattern: adversaries abusing trusted brands, realistic lookalike websites, and legitimate software packaging to compromise users who believe they are downloading authentic tools. A separate **Warlock** intrusion analysis describing web shells, lateral movement, tunneling, and ransomware activity is a different incident and does not match this malware-delivery story.
1 week ago
Fake Software Downloads Deliver STX RAT and Vjw0rm via Layered Dropper Chains
Security researchers reported two malware campaigns using fake or trojanized software downloads to install remote access trojans with credential theft and persistence features. eSentire identified a previously undocumented **STX RAT** after an attempted intrusion against a finance-sector organization, where a browser-downloaded VBScript launched a multi-stage loader chain using **XXTEA** and **Zlib** unpacking, anti-analysis checks, and several persistence methods. The malware supports **HVNC**, in-memory payload execution, tunneling, screenshots, security-tool inventory, and theft of browser credentials, cookies, Windows Vault data, FTP client secrets, and cryptocurrency wallets. Its command-and-control design uses **X25519 ECDH**, **Ed25519**, **HKDF-SHA256**, and **ChaCha20-Poly1305** over a custom TCP protocol, with infrastructure reachable over both the clear web and **Tor**. A separate investigation by Breakglass Intelligence found a fake software keygen packaged as a malicious WinRAR self-extracting archive that deployed the **Vjw0rm** JavaScript RAT through a four-layer dropper chain. The infection used nested SFX archives, a compiled AutoHotkey loader, parallel payload paths, and three persistence mechanisms, while abusing `upaste[.]me` as a dead-drop service and hiding the RAT as an XML file later renamed to JavaScript for execution. Researchers said the operator appeared to be a Turkish-speaking commodity cybercrime actor relying on reused tooling, deceptive file paths, and bundled legitimate Windows files to evade detection, underscoring how software cracks, keygens, and trojanized installers remain effective delivery vectors for RATs and infostealers.
1 week ago