The Virtual Drive That Became a Backdoor: DAEMON Tools Supply-Chain Attack Delivers QUIC RAT to Government, Manufacturing, and Scientific Organizations
TL;DR
Since April 8, 2026, trojanized DAEMON Tools installers (versions 12.5.0.2421–12.5.0.2434) have been served from the official website with digitally signed backdoors. A sophisticated multi-stage attack delivered infostealer + lightweight backdoor + QUIC RAT malware to thousands across 100+ countries, with targeted second-stage payloads hitting government and manufacturing organizations in Russia, Belarus, and Thailand.
What Happened
On May 5, 2026, Kaspersky disclosed an active supply-chain attack against DAEMON Tools, the Windows disk image mounting software used by millions of power users, system administrators, and enterprise environments. Threat actors compromised the official installer distribution, injecting trojanized code into the binaries themselves.
Attack Timeline:
- April 8, 2026: Trojanized installers first appeared on the official DAEMON Tools website
- April 8–May 5: Attack remained undetected for almost one month
- May 5, 2026: Kaspersky publicly disclosed the compromise
- Status: Attack ongoing at time of disclosure
Scope:
- Infected versions: DAEMON Tools 12.5.0.2421 through 12.5.0.2434
- Compromised binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe
- Global reach: Thousands of infections across 100+ countries
- Targeted second-stage: Approximately 12 victims received advanced payloads
Victims: Government, retail, scientific research, and manufacturing organizations in Russia, Belarus, and Thailand.
Technical Details
Initial Compromise Vector
Threat actors obtained unauthorized access to DAEMON Tools' build or distribution infrastructure and modified legitimate installer binaries with embedded malicious code. The modified installers carried valid digital signatures, allowing them to pass Windows SmartScreen and other OS-level integrity checks.
Payload Architecture
Stage 1: Information Stealer
- Embedded in the trojanized binary and run on first execution
- Collects: hostname, MAC address, running processes, installed software, system locale
- Establishes persistence via startup execution
- Reports victim profile to attacker server for triage
Stage 2: Lightweight Backdoor (for most victims)
- Deployed selectively based on victim profiling
- Capabilities: Command execution, file download, in-memory code injection
- Minimal footprint to evade detection
Stage 3: QUIC RAT (high-value targets)
- Deployed in targeted cases (e.g., Russian educational institute)
- QUIC protocol support for multi-channel communication
- Process injection for stealth
- Advanced persistence and lateral movement capabilities
Attacker Attribution
Kaspersky researchers identified Chinese-language strings and development artifacts in the first-stage payload, suggesting Chinese-speaking threat actor involvement. The attack's sophistication—credential-stealing infrastructure, valid code-signing integration, multi-stage payload triage, and protocol diversification—points to nation-state or advanced APT-tier capability.
Lyrie Assessment
Why CISOs Should Care:
1. Desktop → Enterprise Convergence: DAEMON Tools is utility software with deep system access. Its presence in enterprise environments (system administrators, IT support, technical teams) makes it a high-leverage supply-chain target.
2. The Evasion Window Problem: This attack remained undetected for ~27 days on an official distribution channel. Your EDR/antivirus may not catch trojanized binaries that are cryptographically signed and distributed from legitimate sources.
3. Government + Manufacturing Targeting: The selective second-stage deployment (12 machines receiving QUIC RAT) suggests reconnaissance-driven espionage. This pattern matches critical infrastructure targeting: identify high-value assets, then deploy advanced implants.
4. The Verification Paradox: Even if your security team monitors package integrity, supply-chain attacks that occur at the vendor level bypass your controls. Developers and admins installing from the "official" website will not be flagged.
5. Autonomous Defense Angle: Lyrie's core mission is identifying infrastructure that threat actors use. DAEMON Tools' legitimate use (virtual drive mounting) as a trojanized distribution channel demonstrates the false binary between "legitimate tool" and "attack infrastructure"—modern threats weaponize utility software, not just commodity malware.
Recommended Actions
Immediate (24–48 hours):
1. Identify all machines with DAEMON Tools installed (especially versions 12.5.0.2421–2434)
2. Check installation dates against the April 8–May 5 window
3. Quarantine affected systems pending forensic analysis
4. Search logs for persistence mechanisms (scheduled tasks, startup entries, WMI subscriptions)
5. Hunt for the named binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) with modification times on or after April 8
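As an added example (not Kaspersky's or Lyrie's own tooling), the following PowerShell triage script runs steps 1, 2, 4 and 5 above on a single endpoint; it assumes only the version range, binary names and April 8 date given in this advisory, plus the standard Windows Uninstall hive, Program Files, Run-key, scheduled task and WMI subscription locations.

```powershell
# Added triage example, not from Kaspersky's report or Lyrie's product. Assumes only the
# version range, binary names and April 8, 2026 start date above, plus standard Windows paths.
$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$WindowStart = Get-Date '2026-04-08'
$SuspectBins = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$BinPattern  = ($SuspectBins | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Findings    = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Item, $Suspicious, $Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Item = $Item; Suspicious = [bool]$Suspicious; Detail = $Detail })
}

# Steps 1-2: installed DAEMON Tools entries (32/64-bit Uninstall hives), version and install date.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'DAEMON Tools*' } | ForEach-Object {
    $ver = $null; [void][version]::TryParse("$($_.DisplayVersion)", [ref]$ver)
    $inRange = $ver -and $ver -ge $AffectedMin -and $ver -le $AffectedMax
    $inst = $null   # InstallDate, when present, is stored as yyyyMMdd
    if ($_.InstallDate -match '^\d{8}$') { $inst = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) }
    Add-Finding 'InstalledVersion' "$($_.DisplayName) $($_.DisplayVersion)" ($inRange -or ($inst -and $inst -ge $WindowStart)) "InstallDate=$inst Location=$($_.InstallLocation)"
}

# Step 5: the named binaries under Program Files, with write time, Authenticode status and hash.
# A valid signature does NOT clear a file here: the trojanized builds were validly signed.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $Roots -Recurse -Include $SuspectBins -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    Add-Finding 'Binary' $_.FullName ($_.LastWriteTime -ge $WindowStart) "LastWrite=$($_.LastWriteTime) Sig=$($sig.Status) SHA256=$((Get-FileHash $_.FullName).Hash)"
}

# Step 4: persistence referencing the suspect binaries: Run keys, scheduled tasks, WMI consumers.
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).PSObject.Properties |
      Where-Object { $_.Value -is [string] -and $_.Value -match $BinPattern } |
      ForEach-Object { Add-Finding 'RunKey' "$k\$($_.Name)" $true $_.Value }
}
Get-ScheduledTask -ErrorAction SilentlyContinue |
  Where-Object { ($_.Actions.Execute -join ' ') -match $BinPattern } |
  ForEach-Object { Add-Finding 'ScheduledTask' ($_.TaskPath + $_.TaskName) $true ($_.Actions.Execute -join ' ') }
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
  Where-Object { $_.CommandLineTemplate -match $BinPattern } |
  ForEach-Object { Add-Finding 'WMIConsumer' $_.Name $true $_.CommandLineTemplate }

# Suspicious rows first; the CSV goes with the host into the forensic handoff.
$Findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-daemontools-triage.csv"
```

Run it elevated so the HKLM hives, Program Files and the root\subscription namespace are all readable; a host with any Suspicious=True row is a quarantine candidate under step 3, not a confirmed infection.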
Short-term (48–168 hours):
1. Forensic imaging of affected machines (malware may have staged lateral-movement payloads in memory)
2. Network segmentation: isolate any system that received second-stage payloads
3. Credential reset for any admin or service account that logged in from affected machines
4. Query EDR/SIEM for QUIC protocol anomalies, suspicious child processes from DAEMON Tools binaries, or unexpected outbound connections
Long-term (strategic):
1. Implement application allow-listing to restrict execution of unsigned or anomalously signed code
2. Monitor software supply-chain integrity: use vendor-signed manifests, cryptographic pinning, or air-gapped software repos for critical infrastructure
3. Deploy behavioral analysis: even signed binaries can be monitored for suspicious persistence, credential access, or command-and-control patterns
4. Assume compromise: treat every utility software installation as a potential pivot point for lateral movement
Sources
1. https://securelist.com/tr/daemon-tools-backdoor/119654/ (Kaspersky Securelist – Original Discovery)
2. https://www.kaspersky.com/about/press-releases/kaspersky-identifies-ongoing-supply-chain-attack-on-official-daemon-tools-website-distributing-backdoor-malware (Kaspersky Press Release)
3. https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/ (Kaspersky Blog Deep-Dive)
4. https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/ (BleepingComputer)
5. https://cybersecuritynews.com/daemon-tools-software-hacked/ (CyberSecurityNews)
6. https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html (The Hacker News)
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.