A valid signature is not a vouch
For 27 days the official DAEMON Tools installer carried a clean Disc Soft signature and a backdoor. The signature did exactly what it was designed to do. That is the problem.
For 27 days, the official DAEMON Tools Lite installer carried a valid Disc Soft Authenticode signature and a backdoor. SmartScreen passed it. Most signature-based AV passed it. The static checks all said the file was what the vendor meant to ship, because by every definition those tools use, it was.
The trojanized window ran from April 8 to May 5, 2026, when AVB Disc Soft pushed a clean release after confirming “unauthorised interference” within its build environment. Three binaries inside the install bundle were modified: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three were re-signed with the legitimate Disc Soft developer certificate. That is not a clever bypass. That is the signing pipeline doing its job on inputs an attacker controlled.
What actually happened
Kaspersky disclosed the campaign on May 6, the day after Disc Soft shipped clean version 12.6.0.2445. Anything in the 12.5.0.2421 through 12.5.0.2434 range from the affected window is suspect. Pro and Ultra editions were not implicated. The macOS build was untouched.
The malware ran in three stages, and the gating is the interesting part.
Every machine that ran an infected installer got the first stage. A small .NET collector called envchk.exe harvested MAC address, hostname, DNS domain, Windows language, running processes, and installed software, then beaconed to a C2 host at env-check.daemontools[.]cc. Note the missing hyphen. The legitimate vendor domain is daemon-tools.cc. The typosquat was registered on March 27, twelve days before the first poisoned installer appeared, which is not the timeline of an opportunist. Persistence was free: the malicious code lived inside the CRT initialization of binaries DAEMON Tools already autostarts. No registry key to flag, no scheduled task to find, no separate “malware process” in the task list.
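Catching the typosquat in DNS telemetry, as an added example (not code from the article, from Kaspersky, or from Disc Soft): the query-log format and the sample lines are constructed for this example, the C2 domain is the article's indicator with the defanging brackets removed, and the lookalike rule (compare the registrable part with hyphens stripped, allow one remaining edit) is an assumption about what "looks like daemon-tools.cc" should mean. It goes slightly beyond the page by flagging a hypothetical second lookalike, not only the reported domain.

```python
import re
from typing import Dict, List, Optional

# Legitimate vendor domain and the C2 typosquat, as reported in the article
# (brackets removed so the strings compare against real log data).
LEGIT_DOMAINS = {"daemon-tools.cc"}
KNOWN_IOC_DOMAINS = {"env-check.daemontools.cc"}

# Constructed log format for this example: one query per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)"
)


def registrable_part(fqdn: str) -> str:
    """Last two labels of the name (e.g. 'daemontools.cc').

    Simplification: ignores multi-label public suffixes such as co.uk;
    a production check would consult a public-suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(fqdn: str) -> Optional[str]:
    """Return the legitimate domain a name imitates, or None.

    Heuristic (an assumption of this example): strip hyphens from both
    registrable parts and treat one remaining edit as a lookalike."""
    reg = registrable_part(fqdn)
    for legit in LEGIT_DOMAINS:
        if reg == legit:
            return None  # the vendor's real domain
        if edit_distance(reg.replace("-", ""), legit.replace("-", "")) <= 1:
            return legit
    return None


def flag_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan query-log lines; return one finding per suspicious query."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in practice, count these too
        qname = m["qname"].lower().rstrip(".")
        if qname in KNOWN_IOC_DOMAINS:
            findings.append({"host": m["host"], "qname": qname,
                             "reason": "known C2 indicator"})
            continue
        target = lookalike_of(qname)
        if target:
            findings.append({"host": m["host"], "qname": qname,
                             "reason": f"lookalike of {target}"})
    return findings


# Constructed sample: one hit on the reported IOC, two benign vendor lookups,
# a hypothetical second lookalike, and unrelated traffic.
SAMPLE_LOG = [
    "2026-04-09T08:12:03Z host=WS-042 qname=env-check.daemontools.cc qtype=A",
    "2026-04-09T08:12:05Z host=WS-042 qname=www.daemon-tools.cc qtype=A",
    "2026-04-09T08:13:11Z host=WS-017 qname=update.daemon-tools.cc qtype=A",
    "2026-04-09T08:14:40Z host=WS-017 qname=cdn.daemontoolz.cc qtype=A",
    "2026-04-09T08:15:02Z host=WS-099 qname=example.com qtype=AAAA",
]

if __name__ == "__main__":
    for f in flag_dns_log(SAMPLE_LOG):
        print(f"{f['host']}: {f['qname']} ({f['reason']})")
```

The exact-IOC match is the cheap part and is what a blocklist already does; the lookalike check is what would have fired on March 27, the day the domain was registered, if resolver logs were being compared against the vendor domains your software inventory implies.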
The second stage was where the campaign narrowed. Of several thousand first-stage infections across more than 100 countries, roughly a dozen got promoted to a shellcode loader pair (cdg.exe and the encrypted blob cdg.tmp) that decrypted and executed in memory. Victims sat in government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. Whether the selection logic was automated locale filtering or manual operator triage of beacon data is not publicly described. Both fit the victim set.
Stage three was novel. In at least one observed case, against a Russian educational institute, the operators dropped a previously unseen C++ implant Kaspersky named QUIC RAT. It is statically linked against WolfSSL, obfuscated with control-flow flattening, and speaks seven C2 transport protocols: HTTP, HTTP/3, QUIC, UDP, TCP, WebSockets, and DNS. The QUIC and HTTP/3 pairing is the operationally interesting choice. Both ride UDP, both are encrypted by default, both increasingly look like browser traffic that enterprise inspection stacks pass without comment. To stay invisible on the host, QUIC RAT injects into notepad.exe and conhost.exe rather than spawning its own process.
What attribution actually says
Kaspersky’s write-up attributes the campaign to a “Chinese-speaking” actor on the basis of language strings inside the implants. The same press release is careful to add that the activity “has not been attributed to any known threat actor or group.” No APT41, no Mustang Panda, no ToddyCat. No infrastructure overlap, no shared malware family, no shared TTP fingerprint.
Language strings are weak evidence on their own. They reflect a developer’s first language, a copied code library, or, in the cynical reading, a deliberate seed by someone who knows attribution analysts will reach for them. Kaspersky stops at “Chinese-speaking” precisely because they know this. The careful wording is doing real work, and downstream coverage should preserve it. As of mid-May, no other major vendor (Microsoft, Mandiant, CrowdStrike, ESET, ThreatBook) has published independent analysis. The second-stage country combination (Russia, Belarus, and Thailand) does not map cleanly onto any documented Chinese-speaking APT victimology either. The honest read is that targeting looks operator-driven, not country-coded, and that is as far as the public evidence goes.
Why the vendor silence matters more than the malware
As of mid-May 2026, AVB Disc Soft has not published a standalone security advisory with a CVE assignment or a structured IOC list. The vendor confirmed the breach, shipped the fix, posted a statement, and stopped. The actionable detection material (hashes, the typosquatted C2 domain, the modified binary list, the stage-two filenames) lives in a Kaspersky blog post. If your detection pipeline keys off vendor advisories or CVE feeds, you had no official trigger to act from during the 27-day window, and you still don’t.
This is a pattern in the freeware-utility category. The vendor’s interest in a clean cutover (one statement, one new version, move on) and the defender’s interest in actionable telemetry (hashes, IOCs, a tracked identifier, a structured advisory) are not aligned. The asymmetry resolves the way you would expect: the vendor goes quiet, and a paid threat-intel team’s blog becomes the de facto official channel. Organizations that treat threat-intel vendors as supplements rather than primary sources are paying a hidden tax every time this happens.
The mechanism rotates, the lesson does not
SolarWinds in 2020. 3CX in March 2023. AnyDesk in January 2024. XZ Utils in March 2024. The Shai-Hulud npm worm earlier this month. Now DAEMON Tools. The compromised surface changes each time: build server, signing key, package registry, source tarball, build environment. The trust model underneath does not.
What flagged this campaign was behavior. Kaspersky’s telemetry caught a disc-mounting utility making startup-time outbound GETs to a domain nobody had whitelisted. That is the same class of signal that caught 3CX before signatures landed, when Palo Alto’s Cortex XDR flagged 3CXDesktopApp.exe based on outbound behavior. It is the class of signal that signature-only stacks repeatedly fail to produce, and the gap between “trusted vendor binary” and “this binary is doing something it has never done before” is exactly where these campaigns live.
What to do today
If you have DAEMON Tools Lite installed and the install date falls between April 8 and May 5: assume compromise. Check the version against 12.5.0.2421 through 12.5.0.2434. Look at DNS for any outbound resolution of env-check.daemontools[.]cc. Hunt the disk for envchk.exe, cdg.exe, and cdg.tmp. For QUIC RAT specifically, anomalous outbound UDP or QUIC from notepad.exe or conhost.exe is the behavioral fingerprint, because those processes have no business making outbound connections at all. Uninstall, full endpoint scan, then reinstall from 12.6.0.2445 or later.
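The hunt steps above turned into one triage routine over a host inventory, as an added example (not code from the article, from Kaspersky, or from Disc Soft). The version range, the April 8 to May 5 window, the three artifact filenames, the C2 domain and the two injection-target processes are the article's; the inventory record shape, the host names, the file paths and the network events are constructed for this example, and would in practice come from your EDR or asset-inventory export.

```python
import ntpath
from datetime import date
from typing import Dict, List, Tuple

# Values the article reports.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
WINDOW_START, WINDOW_END = date(2026, 4, 8), date(2026, 5, 5)
SUSPECT_FILES = {"envchk.exe", "cdg.exe", "cdg.tmp"}
C2_DOMAIN = "env-check.daemontools.cc"           # defanging brackets removed
NEVER_OUTBOUND = {"notepad.exe", "conhost.exe"}  # QUIC RAT injection targets


def parse_version(s: str) -> Tuple[int, ...]:
    """'12.5.0.2430' -> (12, 5, 0, 2430); tuples compare numerically."""
    return tuple(int(p) for p in s.strip().split("."))


def version_affected(s: str) -> bool:
    return AFFECTED_MIN <= parse_version(s) <= AFFECTED_MAX


def suspect_files(paths: List[str]) -> List[str]:
    """Paths whose file name matches a stage-one or stage-two artifact."""
    return [p for p in paths if ntpath.basename(p).lower() in SUSPECT_FILES]


def anomalous_netconns(events: List[Dict]) -> List[Tuple[str, str]]:
    """Flag outbound connections from processes that should never make any,
    plus any process that resolved the C2 domain."""
    hits = []
    for e in events:
        if e.get("direction") != "outbound":
            continue
        proc = e["process"].lower()
        if proc in NEVER_OUTBOUND:
            hits.append((proc, f"outbound {e['proto']}/{e['dport']} to {e['dst']}"))
        elif e.get("dns_name", "").lower() == C2_DOMAIN:
            hits.append((proc, f"contacted {C2_DOMAIN}"))
    return hits


def triage_host(inv: Dict) -> List[str]:
    """Apply the hunt steps to one host record; an empty list means clean."""
    findings = []
    if version_affected(inv["dt_lite_version"]):
        findings.append(f"version {inv['dt_lite_version']} is in the trojanized range")
    installed = date.fromisoformat(inv["install_date"])
    if WINDOW_START <= installed <= WINDOW_END:
        findings.append(f"installed {installed} inside the April 8 to May 5 window")
    for p in suspect_files(inv["files"]):
        findings.append(f"artifact on disk: {p}")
    for proc, why in anomalous_netconns(inv["netconns"]):
        findings.append(f"{proc}: {why}")
    return findings


def run_hunt(hosts: List[Dict]) -> Dict[str, List[str]]:
    return {h["host"]: triage_host(h) for h in hosts}


# Constructed inventory: one host showing every indicator, one on the fixed build.
SAMPLE_HOSTS = [
    {"host": "WS-042", "dt_lite_version": "12.5.0.2430", "install_date": "2026-04-20",
     "files": [r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
               r"C:\Users\alice\AppData\Local\Temp\envchk.exe",
               r"C:\Users\alice\AppData\Local\Temp\cdg.tmp"],
     "netconns": [
         {"process": "envchk.exe", "direction": "outbound", "proto": "tcp",
          "dst": "203.0.113.10", "dport": 443, "dns_name": "env-check.daemontools.cc"},
         {"process": "notepad.exe", "direction": "outbound", "proto": "udp",
          "dst": "198.51.100.7", "dport": 443}]},
    {"host": "WS-101", "dt_lite_version": "12.6.0.2445", "install_date": "2026-05-07",
     "files": [r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"],
     "netconns": [
         {"process": "chrome.exe", "direction": "outbound", "proto": "udp",
          "dst": "198.51.100.9", "dport": 443}]},
]

if __name__ == "__main__":
    for host, findings in run_hunt(SAMPLE_HOSTS).items():
        print(f"{host}: {'SUSPECT' if findings else 'clean'}")
        for f in findings:
            print(f"  - {f}")
```

The order of the checks is deliberate: version and install date are cheap and available from inventory alone, the filename sweep needs disk access, and the process-network check needs telemetry that was already being collected before the window opened. A host that only trips the last check is the interesting case, because it means the stage-three implant is present and the stage-one artifacts may have been cleaned up.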
The harder action item is structural. When a vendor’s response is one paragraph and a version bump, do not wait for the advisory that is not coming. Build the muscle to act on third-party threat intel as a primary source, because in this category it already is. PatchDay Alert exists because that muscle is hard to build alone.
Sources
- DAEMON Tools devs confirm breach, release malware-free version — 2026-05-06
- Popular DAEMON Tools software compromised — 2026-05-06
- Kaspersky identifies ongoing supply chain attack on official Daemon Tools website distributing backdoor malware — 2026-05-06
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — 2026-05-06
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — 2026-05-06
- Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack — 2026-05-06
- The 3CX Supply Chain Attack: When Trusted Software Turns Malicious — 2023-03