⚡ Key Takeaways

Trojanized DAEMON Tools Lite installers (versions 12.5.0.2421–12.5.0.2434) were distributed from April 8, 2026, producing several thousand infection attempts across 100+ countries before Kaspersky researchers uncovered the campaign. Only about a dozen high-value targets in retail, scientific, government, and manufacturing organizations received the advanced backdoor implant, a precision strategy that exploited supply chain trust while minimizing detection risk.

Bottom Line: Security teams should immediately audit for compromised DAEMON Tools versions, block the C2 domain env-check.daemontools[.]cc, and add startup-service baseline monitoring to their endpoint programs.


🧭 Decision Radar

Relevance for Algeria
High

Algeria recorded over 70 million cyberattacks in 2024, ranking 17th globally. Disk image utilities like DAEMON Tools are widely used in Algerian enterprise and government IT environments that rely on Windows. Supply chain attacks via trusted installers are a direct threat to any organization without software integrity controls.
Infrastructure Ready?
Partial

Algerian enterprises with ASSI-aligned cybersecurity units and EDR deployments can implement the C2 blocking and process monitoring recommendations. Most SMEs lack the NDR-level visibility required to detect the profiling stage of this attack type.
Skills Available?
Limited

Threat hunting and process injection detection require specialized SOC skills. Algeria’s Ministry of Vocational Education is expanding cybersecurity training capacity, but analysts trained to investigate startup service anomalies remain scarce outside major enterprises.
Action Timeline
Immediate

Organizations running DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434 should audit and update today. The C2 domain block is a same-day action. SBOM and baseline telemetry programs require 6-12 months to operationalize.
Key Stakeholders
CTOs, IT Security Teams, Procurement Officers, Public Sector IT Directors
Decision Type
Tactical

This article provides specific, immediate actions that security teams can execute to detect and mitigate this campaign, as well as structural fixes to prevent recurrence.

Quick Take: Algerian IT teams should immediately scan for DAEMON Tools Lite versions 12.5.0.2421–12.5.0.2434 and block the C2 domain env-check.daemontools[.]cc at DNS. Longer term, ASSI-aligned enterprises should add disk utility vendors to their vendor security programs and enforce startup baseline monitoring — a gap this campaign exploited with precision.


How a Trusted Disk Image Tool Became a Delivery Vector

DAEMON Tools is one of the most widely installed disk-image utilities on Windows, used by IT teams, developers, and home users across industries. On April 8, 2026, attackers began distributing modified versions of DAEMON Tools Lite — specifically versions 12.5.0.2421 through 12.5.0.2434 — that carried a hidden backdoor alongside the legitimate application. The tampering went undetected for approximately one month before Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin published their analysis.

The attackers registered the command-and-control domain “env-check.daemontools[.]cc” on March 27, 2026 — twelve days before the first infected installer appeared in the wild. That advance preparation signals a deliberately planned campaign, not an opportunistic drive-by.

Three core executable components of DAEMON Tools were modified:

  • DTHelper.exe — the main launcher
  • DiscSoftBusServiceLite.exe — the background service
  • DTShellHlp.exe — the shell helper

When any of these components launched during system startup, an embedded thread began sending HTTP GET requests to the malicious C2 domain, transmitting the infected machine’s full computer name. This allowed the attackers to identify and profile every victim before deciding whether to escalate. According to BleepingComputer’s May 2026 security roundup, the campaign produced “several thousand infection attempts” across more than 100 countries.

The Two-Stage Architecture: Profiling at Scale, Precision at the End

What makes this attack technically sophisticated is its two-stage payload deployment — a design that exposes only the most valuable targets to advanced tooling while keeping noise to a minimum.

Stage 1 — Mass profiling: The envchk.exe information collector was dispatched to thousands of compromised machines. Its sole function was reconnaissance: collect system telemetry and machine identifiers, transmit them to the C2, and await further instructions. A collector that only reads system information and issues an HTTP request leaves few forensic artifacts and rarely trips endpoint detection on its own.

Stage 2 — Selective backdoor: Of the “several thousand” victims, only approximately a dozen systems received the advanced secondary payload: cdg.exe/cdg.tmp, a shellcode loader that activated a minimalistic but capable backdoor. That backdoor supported an unusually broad range of C2 transports (HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3), so blocking any single protocol at the network edge is not enough to cut it off. It also injected into notepad.exe and conhost.exe, two Windows processes that endpoint allowlists routinely treat as benign, so the malicious code ran under a trusted process name.

The dozen systems that received the full implant belonged to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One educational institution in Russia additionally received the QUIC RAT, a dedicated remote access trojan delivered over the QUIC transport protocol, which is increasingly popular in legitimate applications and therefore rarely blocked at the network boundary.

Kaspersky researchers noted “artifacts suggesting that the threat actor behind this attack is Chinese-speaking,” though they stopped short of formal attribution.


What Enterprise Security Teams Should Do Now

The DAEMON Tools campaign is a blueprint for how supply chain trust gets weaponized. Software that comes from a known vendor, is widely distributed, and runs a background service at startup is an ideal vector precisely because it passes the filters most organizations rely on. The following prescriptions address the structural gaps this campaign exploited.

1. Audit Your Software Inventory for Trojanized DAEMON Tools Versions

The compromised versions are 12.5.0.2421 through 12.5.0.2434 on Windows. Any organization with DAEMON Tools Lite installed should run an immediate inventory scan and compare installed versions numerically against that range (a plain string comparison of version numbers will misorder the four-part build numbers). Kaspersky’s Anti Targeted Attack (KATA) platform added detection rules via its Network Detection and Response (NDR) module, and the KEDR Expert feed contains the relevant indicators. The known malicious C2 domain is env-check.daemontools[.]cc: block it at DNS and proxy layers immediately, and query DNS logs back to at least March 27, 2026, the domain’s registration date, for any historical resolution. A host that resolved it was at minimum profiled and should be treated as suspect until reviewed.
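The following Python script is an added example written for this article; it is not Kaspersky’s tooling and not anything from the DAEMON Tools vendor. It compares inventory versions numerically against the compromised range and retro-hunts a DNS query log for the C2 domain. The CSV inventory layout (host,product,version), the three-column DNS log layout (timestamp, client, queried name) and every sample row are assumptions constructed for the example; adapt the two parsers to your own inventory export and resolver log format.

```python
"""Retro-hunt helpers for the trojanized DAEMON Tools Lite range (added example).

Assumes a software inventory exported as CSV (host,product,version) and a DNS
query log with whitespace-separated timestamp, client IP and queried name per
line. Both layouts and all sample rows below are constructed assumptions.
"""
import csv
import io

COMPROMISED_FIRST = (12, 5, 0, 2421)
COMPROMISED_LAST = (12, 5, 0, 2434)
C2_DOMAIN = "env-check.daemontools[.]cc"   # as published, defanged


def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421). Numeric tuples compare correctly;
    comparing the strings would rank '12.5.0.999' above '12.5.0.2421'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_compromised_version(text):
    """True when the version falls inside the trojanized build range."""
    try:
        version = parse_version(text)
    except ValueError:           # blank or non-numeric field in the inventory
        return False
    return COMPROMISED_FIRST <= version <= COMPROMISED_LAST


def refang(domain):
    """IOC feeds publish 'a[.]b'; normalise to the real name for matching."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def audit_inventory(inventory_csv):
    """(host, version) for every DAEMON Tools Lite install in the bad range."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "daemon tools lite":
            continue
        if is_compromised_version(row["version"]):
            hits.append((row["host"], row["version"].strip()))
    return hits


def hunt_dns_log(log_text, ioc=C2_DOMAIN):
    """(timestamp, client) for every query that resolved the C2 name.
    Matching is case-insensitive and tolerates a trailing dot on the qname."""
    target = refang(ioc)
    matches = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        timestamp, client, qname = parts[0], parts[1], parts[2]
        if qname.lower().rstrip(".") == target:
            matches.append((timestamp, client))
    return matches


# Constructed sample data (not real hosts or log entries).
SAMPLE_INVENTORY = """host,product,version
WS-ACC-01,DAEMON Tools Lite,12.5.0.2428
WS-ACC-02,DAEMON Tools Lite,12.5.0.2420
WS-ENG-07,DAEMON Tools Lite,12.5.0.2434
WS-ENG-08,DAEMON Tools Lite,12.5.0.999
SRV-FILE-01,7-Zip,24.08
"""

SAMPLE_DNS_LOG = """2026-04-09T07:12:03Z 10.20.1.15 env-check.daemontools.cc.
2026-04-09T07:12:05Z 10.20.1.15 updates.example.com.
2026-04-10T08:30:44Z 10.20.1.31 ENV-CHECK.DAEMONTOOLS.CC
2026-04-10T08:31:00Z 10.20.1.31 sso.example.net
"""

if __name__ == "__main__":
    for host, version in audit_inventory(SAMPLE_INVENTORY):
        print(f"COMPROMISED VERSION  {host}  {version}")
    for timestamp, client in hunt_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 RESOLUTION        {client}  at {timestamp}")
```

Note that WS-ENG-08 (build 999) is correctly left out: a string comparison would have placed “999” above “2421” and flagged it, while a numeric one does not. Feed the DNS hunt every resolver log you have back to the domain’s registration date, not only the period after the campaign was published.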

2. Implement Software Bill of Materials (SBOM) Requirements for Disk Utility Tools

Disk image and virtualization utilities (DAEMON Tools, WinCDEmu, Virtual CloneDrive) are a neglected category in most vendor security programs. They receive low scrutiny because they are perceived as utilities rather than business applications, yet they install services that start with the system and run with elevated privileges. Require SBOMs from utility vendors, verify installer hashes against the vendor’s published checksums obtained over a second channel before mass deployment, and flag any installer that modifies startup entries or registers background services.

3. Enforce Process Injection Monitoring for Whitelisted Processes

This attack injected into notepad.exe and conhost.exe, processes that enterprise allowlists routinely treat as benign. Endpoint Detection and Response (EDR) rules must specifically monitor remote thread creation and memory writes into these processes, especially when the source is an application service or an unknown binary that has no business touching them; the few Windows components that legitimately do can be tuned out through an explicit exception list rather than by ignoring the targets altogether. Barracuda’s May 2026 malware brief highlights that process injection into whitelisted system binaries is the dominant evasion technique across 2026’s supply chain campaigns.

4. Apply Multi-Protocol C2 Blocking at the Network Edge

The DAEMON Tools backdoor communicated over HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, a protocol mix designed to ensure at least one channel survives standard firewall rules. Organizations relying on TCP/HTTP-only blocking will miss QUIC- and DNS-based channels. The network edge cannot see which process originated a packet, so restrict QUIC there by blocking outbound UDP/443 except where a proxy can inspect it (browsers fall back to HTTP/2 over TCP when QUIC is unavailable), and block UDP/443 on the host firewall for everything except approved browsers. Enable DNS response policy zones (RPZ) to block known malicious domains, force all resolution through internal resolvers so that direct-to-Internet DNS is dropped, and log DNS queries together with the originating process (endpoint DNS query events such as Sysmon Event ID 22) so lookups made by startup services can be reviewed retrospectively.

5. Establish Baseline Startup Telemetry Before Installing Any Utility

Every endpoint should have a recorded startup baseline — a snapshot of all processes, services, and scheduled tasks that load at boot — captured at provisioning time and refreshed quarterly. Deviations from baseline (new services, new network connections at startup) should automatically generate alerts. The DAEMON Tools attack would have been immediately visible as DiscSoftBusServiceLite.exe initiating network connections to an external domain, which is not expected behavior for a disk image service.
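The following is an added example covering sections 4 and 5 together; it is not code from the article’s sources. It diffs two auto-start service snapshots and then applies two rules to connections seen shortly after boot: an auto-start service image reaching an external address, and UDP/443 (QUIC) from anything other than an approved browser. The snapshot layout (service name mapping to image path and start mode, as one might export from PowerShell’s Get-CimInstance Win32_Service), the internal address ranges, the browser allowlist, the DiscSoftBusServiceLite service key name and install path, and all sample records are assumptions.

```python
"""Startup-baseline diff and boot-time connection rules (added example).

Assumes auto-start service snapshots as {name: {"path": image path,
"start": start mode}}, taken at provisioning and again at check time, plus a
list of connections seen shortly after boot (image, proto, dst_port, dst_ip,
dst_host). Internal ranges, browser allowlist, the DiscSoftBusServiceLite
service name/path and all sample records are assumptions for this example.
"""
import ipaddress
import ntpath

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]          # extend with your own address plan
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # the only images allowed QUIC


def diff_startup(baseline, current):
    """Services absent from the baseline, and services whose image path or
    start mode changed. Either condition should raise an alert."""
    new = sorted(name for name in current if name not in baseline)
    changed = sorted(name for name in current
                     if name in baseline and current[name] != baseline[name])
    return {"new": new, "changed": changed}


def service_images(snapshot):
    """Lower-case executable names from service PathName values, which may be
    quoted and carry arguments. An unquoted path containing spaces is itself a
    misconfiguration and is only approximated here (first token)."""
    names = set()
    for entry in snapshot.values():
        path = entry["path"].strip()
        exe = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
        names.add(ntpath.basename(exe).lower())
    return names


def is_external(ip_text):
    """True unless the address falls in one of the configured internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def flag_startup_connections(events, current_snapshot, browsers=BROWSERS):
    """Rule 1: an auto-start service image talking to an external address.
    Rule 2: UDP/443 (QUIC) from any image that is not an approved browser."""
    svc_images = service_images(current_snapshot)
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        if not is_external(ev["dst_ip"]):
            continue
        if image in svc_images:
            alerts.append(("service_external_connection", ev["image"], ev["dst_host"]))
        if ev["proto"] == "udp" and ev["dst_port"] == 443 and image not in browsers:
            alerts.append(("quic_from_non_browser", ev["image"], ev["dst_host"]))
    return alerts


# Constructed sample snapshots and connections (not real hosts or telemetry).
BASELINE = {
    "Dhcp": {"path": r"C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted", "start": "Auto"},
    "Spooler": {"path": r"C:\Windows\System32\spoolsv.exe", "start": "Auto"},
    "wuauserv": {"path": r"C:\Windows\system32\svchost.exe -k netsvcs", "start": "Manual"},
}
CURRENT = dict(BASELINE)
CURRENT["wuauserv"] = {"path": r"C:\Windows\system32\svchost.exe -k netsvcs", "start": "Auto"}
CURRENT["DiscSoftBusServiceLite"] = {   # service key name and path are assumptions
    "path": r'"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe"', "start": "Auto"}

BOOT_CONNECTIONS = [
    {"image": "DiscSoftBusServiceLite.exe", "proto": "tcp", "dst_port": 80,
     "dst_ip": "203.0.113.10", "dst_host": "env-check.daemontools.cc"},
    {"image": "svchost.exe", "proto": "tcp", "dst_port": 8530,
     "dst_ip": "10.20.0.5", "dst_host": "wsus.corp.example"},
    {"image": "msedge.exe", "proto": "udp", "dst_port": 443,
     "dst_ip": "203.0.113.20", "dst_host": "www.example.com"},
    {"image": "DTHelper.exe", "proto": "udp", "dst_port": 443,
     "dst_ip": "203.0.113.30", "dst_host": "quic.example.net"},
]

if __name__ == "__main__":
    print(diff_startup(BASELINE, CURRENT))
    for alert in flag_startup_connections(BOOT_CONNECTIONS, CURRENT):
        print(alert)
```

The baseline diff surfaces the new service and the start-mode change on its own; the connection rules then catch exactly the behaviour the article describes, a disk-image service reaching an external host at boot, while leaving the browser’s QUIC session and the internal WSUS check-in alone. Internal ranges are hard-coded here deliberately: Python’s own `is_private` treats the documentation ranges used in the sample as private, so relying on it would silently suppress the hits.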

The Structural Lesson

The DAEMON Tools campaign reveals a structural weakness in how enterprise security programs categorize software risk. Organizations invest heavily in vetting mission-critical applications — ERP systems, cloud platforms, business intelligence tools — while desktop utilities that run with system privileges and establish persistent startup services receive minimal scrutiny. The attackers understood this asymmetry and exploited it.

The profiling-then-targeting architecture is also notable: rather than deploying a single payload universally and accepting the detection risk, the attackers used mass reconnaissance to earn precision. Roughly a dozen organizations out of several thousand victims received the advanced implant. That level of selectivity means the campaign could have continued indefinitely without triggering widespread threat intelligence sharing — most victims never knew they were profiled.

The Kaspersky detection of this campaign is a reminder that supply chain threats require network-level visibility, not just endpoint signatures. The C2 domain was registered twelve days before the first infection, a window in which newly-registered-domain monitoring could have flagged a lookalike of a software vendor’s name before it ever served traffic. Organizations that rely exclusively on endpoint AV and on vendors to self-report compromises will continue to be the last to know.



Frequently Asked Questions

What versions of DAEMON Tools were compromised in the supply chain attack?

DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 for Windows were confirmed as trojanized. The malicious installers were active from April 8, 2026 until Kaspersky’s discovery approximately one month later. Users running these versions should update immediately to a clean release and audit their startup services for unauthorized network connections. A host whose DNS logs show a resolution of env-check.daemontools[.]cc was profiled at minimum and should be investigated rather than simply updated, since the secondary backdoor was delivered as a separate payload that an installer update does not remove.

How did the attackers decide which victims to target with the full backdoor?

The campaign used a two-stage approach: the envchk.exe profiler was deployed to thousands of machines to collect system identifiers and transmit them to the C2. Using that data, the attackers selected roughly a dozen high-value targets (government, manufacturing, scientific, and retail organizations) for delivery of the advanced backdoor. This selective deployment kept the attack quiet and made it difficult to detect through threat intelligence sharing.

What is the QUIC RAT and why does it make detection harder?

The QUIC RAT is a remote access trojan that communicates over the QUIC transport protocol, the same UDP-based protocol modern browsers use for HTTP/3. Many enterprise firewalls and proxies cannot inspect QUIC and simply pass UDP/443 through, and at the network edge a RAT’s QUIC session is indistinguishable from a browser’s, so the channel blends in with ordinary web traffic. Security teams should block outbound UDP/443 on the host firewall for processes that are not recognized browsers (browsers fall back to TCP when QUIC is blocked), and alert on any startup service establishing a UDP/443 connection.
