{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/daemon-tools-12.5.0.2421-to-12.5.0.2434/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Daemon Tools (12.5.0.2421 to 12.5.0.2434)"],"_cs_severities":["high"],"_cs_tags":["supply-chain","backdoor","daemon tools"],"_cs_type":"advisory","_cs_vendors":["AVB Disc Soft"],"content_html":"\u003cp\u003eIn May 2026, Kaspersky reported a supply chain attack targeting government, scientific, manufacturing, and retail organizations through compromised versions of Daemon Tools disk imaging software. Attackers injected malicious code into Daemon Tools versions 12.5.0.2421 to 12.5.0.2434, which were available for download from the legitimate website starting April 8, 2026. Three binaries within the software—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—were compromised with injected code and signed with valid AVB Disc Soft certificates. This resulted in a widespread initial infection attempting to deploy an information collector across over 100 countries. After the initial infection, the attackers deployed a second, minimalistic backdoor on a dozen systems of interest in Belarus, Russia, and Thailand, and the QUIC RAT on a single educational institution in Russia.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttackers inject malicious code into legitimate Daemon Tools binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe).\u003c/li\u003e\n\u003cli\u003eCompromised Daemon Tools versions 12.5.0.2421 to 12.5.0.2434 are made available for download via the legitimate website.\u003c/li\u003e\n\u003cli\u003eUsers download and install the trojanized Daemon Tools software.\u003c/li\u003e\n\u003cli\u003eWhen one of the compromised binaries is launched (at machine startup), the injected backdoor is activated.\u003c/li\u003e\n\u003cli\u003eThe backdoor sends requests to a typosquatting domain.\u003c/li\u003e\n\u003cli\u003eThe server responds with a shell command executed via command prompt to fetch and run a payload.\u003c/li\u003e\n\u003cli\u003eThe attackers deploy an information collector on thousands of machines across over 100 countries.\u003c/li\u003e\n\u003cli\u003eBased on collected information, the attackers deploy a second, minimalistic backdoor on select systems and the QUIC RAT on others for further exploitation and data collection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe supply chain attack compromised government, scientific, manufacturing, and retail organizations. While thousands of machines were initially infected to deploy an information collector, a second backdoor was specifically deployed to a dozen systems in Belarus, Russia, and Thailand. The QUIC RAT was deployed against an educational institution in Russia. The intent of the attackers is unclear, but the targeted nature of the second-stage infections suggests cyberespionage or \u0026ldquo;big game hunting.\u0026rdquo;\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process executions for the compromised Daemon Tools binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe) using process_creation logs.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to known typosquatting domains associated with the attack.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect malicious command line activity and modified Daemon Tools binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T08:34:11Z","date_published":"2026-05-06T08:34:11Z","id":"/briefs/2026-05-daemon-tools-supply-chain/","summary":"A supply chain attack involving trojanized Daemon Tools versions 12.5.0.2421 to 12.5.0.2434 delivered a sophisticated backdoor to a limited number of government, scientific, manufacturing, and retail organizations after a broader initial infection.","title":"Daemon Tools Supply Chain Attack Targeting Government and Scientific Entities","url":"https://feed.craftedsignal.io/briefs/2026-05-daemon-tools-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Daemon Tools (12.5.0.2421 to 12.5.0.2434)","version":"https://jsonfeed.org/version/1.1"}