By Lyrie Threat Intelligence·5/9/2026

The Silent Backdoor: Kaspersky Exposes Trojanized DAEMON Tools Supply Chain Attack Across 100+ Countries

TL;DR

Kaspersky researchers disclosed an ongoing supply chain attack targeting DAEMON Tools, a widely used disk-image mounting software. Trojanized installers (versions 12.5.0.2421–12.5.0.2434) signed with legitimate developer certificates infected thousands of systems globally since April 8, 2026. Advanced backdoor implants were selectively deployed to a dozen government, manufacturing, scientific, and retail organizations in Russia, Belarus, and Thailand, suggesting highly targeted espionage operations.

What Happened

In early May 2026, Kaspersky's threat intelligence team identified malicious payloads embedded in official DAEMON Tools installers distributed through the vendor's legitimate website. The trojanized versions spanned from April 8 through at least late April, affecting installations across 100+ countries with the highest concentration in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

The attackers modified multiple binaries inside the DAEMON Tools installation and signed them with a code-signing certificate belonging to AVB Disc Soft (the company behind DAEMON Tools), so the files passed signature checks and looked trustworthy during installation and execution. A valid vendor signature on malicious code means the attackers held either the private key or access to the vendor's build-and-sign pipeline; both point to a well-resourced operation rather than an opportunistic one.

On May 6, following Kaspersky's disclosure to AVB Disc Soft, the vendor released patched version 12.6.0.2445. The company acknowledged the compromise and released clean versions within 48 hours of notification.

Technical Details

Infection Scope & Targeting Strategy:

  • Thousands of deployment attempts identified globally across individuals and organizations.
  • Approximately 10% of affected systems belonged to businesses and organizations.
  • Attackers deployed two-stage payloads: a lightweight information collector (broad distribution) and a complex backdoor (highly selective deployment).
  • Only a dozen systems received the advanced backdoor implant, concentrated in Russia, Belarus, and Thailand—indicating surgical, targeted selection based on victim profiling.

Malware Behavior:

1. Persistence & Stealth: The implant hooks the C runtime (CRT) initialization code of the trojanized binary, so it runs in a dedicated thread each time the application starts, before the program's own logic. Persistence is therefore the signed application itself rather than a separately dropped executable or a conventional autostart entry, which is why the implant can look fileless to tools that hunt for new files or new autostart artifacts.

2. Command & Control: Infected machines send HTTP GET requests carrying the full computer name to a typosquatted C&C domain, env-check.daemontools[.]cc, registered March 27, twelve days before the first trojanized builds shipped on April 8. The malicious domain drops the hyphen from the legitimate daemon-tools[.]cc.

3. Profiling & Selective Deployment: The information collector gathers system and user telemetry, which attackers use to profile machines and identify high-value targets for second-stage payload delivery.

4. Forensic Indicators: Kaspersky identified artifacts suggesting Chinese-speaking threat actors, including linguistic markers in the malicious implants.

Timing & Complexity:

  • Detection latency: ~1 month (consistent with the 3CX supply chain attack of 2023).
  • Indicates sophisticated operational security and code obfuscation.
  • Suggests nation-state or advanced organized crime group capability.

Lyrie Assessment

This attack exemplifies the evolving threat landscape that Lyrie.ai's autonomous defense systems are designed to combat:

1. Trust Boundary Collapse: DAEMON Tools' ubiquity and legitimacy made it a perfect supply chain vector. Organizations trusted the software and its digital signatures, and the attacker exploited that trust completely. A signature check answers "was this signed by the vendor", not "is this what the vendor meant to ship"; once the signing key or the signing pipeline is compromised, the two questions diverge and signature-based controls alone cannot tell them apart.

2. Profiling & Selective Targeting: The two-stage deployment pattern reveals attacker sophistication. Initial compromise is broad; secondary payload delivery is surgical. This is precisely where behavioral anomaly detection and autonomous incident response excel: catching the host-enumeration and beacon traffic of the first stage and blocking lateral movement before high-value targets are compromised.

3. Attribution & Motive Opacity: While forensics suggest Chinese-speaking actors, the intent remains unclear (cyberespionage vs. financial extortion). This ambiguity is dangerous: organizations cannot assume the attackers are passive "researchers"—they may be preparing destructive campaigns, ransomware deployment, or supply chain poisoning.

4. Credential & Configuration Harvest Risk: DAEMON Tools installations often run with elevated privileges. Machines with developer tooling (GitHub, Docker, CI/CD configs) are particularly high-value. A compromise here enables downstream attacks on software repositories, cloud infrastructure, and build pipelines.

5. Industry Pattern: This is the fourth major supply chain compromise in 2026 alone (eScan, Notepad++, CPU-Z, DAEMON Tools). Attackers have industrialized supply chain intrusion. Organizations need supply chain integrity verification as a default control, not an afterthought.

Recommended Actions

Immediate (0–24 hours):

  • Update DAEMON Tools to version 12.6.0.2445 or later across all systems.
  • Search proxy, DNS and firewall logs of systems running DAEMON Tools versions 12.5.0.2421–12.5.0.2434 for connections to env-check.daemontools[.]cc and for other look-alike registrations of daemon-tools[.]cc. The beacon is a plain HTTP GET carrying the computer name, so it appears in web-proxy logs as well as DNS logs.
  • Review process creation logs for unexpected rundll32, powershell, or cmd.exe activity originating from DAEMON Tools installation directories.
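The two immediate checks above (affected version range, and traffic to the published C2 domain or to look-alikes of daemon-tools[.]cc) can be scripted. The following is an added example written for this page, not code from Kaspersky, AVB Disc Soft or the Lyrie post. The inventory rows, the proxy log lines and the `?name=` query parameter are constructed sample data; the post says only that the GET request carries the computer name, not how it is encoded. The look-alike check generalizes beyond the one domain in the report by normalizing hyphens and digits and then comparing edit similarity.

```python
"""Triage helper: flag DAEMON Tools installs in the reported trojanized version
range and scan proxy log lines for the reported C2 domain and look-alike domains.
Added example with constructed sample data; not the vendor's or Kaspersky's code."""
import re
from difflib import SequenceMatcher

# Version range the report names as trojanized, and the first clean build.
TROJANIZED_MIN = (12, 5, 0, 2421)
TROJANIZED_MAX = (12, 5, 0, 2434)
FIXED = (12, 6, 0, 2445)

# Published C2 indicator (written defanged in the post) and the domain it imitates.
C2_DOMAIN = "env-check.daemontools.cc"
LEGIT_DOMAIN = "daemon-tools.cc"

# Constructed inventory: (hostname, installed DAEMON Tools version).
SAMPLE_INVENTORY = [
    ("WS-ENG-0421", "12.5.0.2421"),
    ("WS-ENG-0422", "12.5.0.2434"),
    ("WS-FIN-0107", "12.6.0.2445"),
    ("WS-HR-0012", "12.4.0.2380"),
]

# Constructed proxy log: "<timestamp> <client ip> <method> <url>".
# The "?name=" parameter is an assumption for illustration only.
SAMPLE_LOG = """\
2026-04-12T08:01:13Z 10.20.5.17 GET http://env-check.daemontools.cc/?name=WS-ENG-0421
2026-04-12T08:01:20Z 10.20.5.17 GET https://www.daemon-tools.cc/downloads
2026-04-12T08:02:02Z 10.20.5.44 GET https://daemon-too1s.cc/update
2026-04-12T08:02:30Z 10.20.5.9 GET https://www.google.com/
""".splitlines()


def parse_version(s):
    """'12.5.0.2421' -> (12, 5, 0, 2421) so tuples compare numerically."""
    return tuple(int(p) for p in s.strip().split("."))


def is_trojanized_version(s):
    return TROJANIZED_MIN <= parse_version(s) <= TROJANIZED_MAX


def triage(inventory):
    """Hostnames whose installed version falls inside the trojanized range."""
    return [host for host, ver in inventory if is_trojanized_version(ver)]


def registrable_domain(host):
    """Last two labels: 'env-check.daemontools.cc' -> 'daemontools.cc'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like(legit, candidate, threshold=0.8):
    """Heuristic typosquat check. Subdomains of the legitimate domain are not
    flagged; otherwise hyphens and digits are stripped (so 'daemontools.cc' and
    'daemon-too1s.cc' both normalize to roughly 'daemontools.cc') and the
    remainder compared by edit similarity. A different TLD (daemontools.com)
    is also flagged, which is intended for a hunt."""
    if registrable_domain(candidate) == registrable_domain(legit):
        return False
    norm = lambda d: re.sub(r"[-0-9]", "", registrable_domain(d))
    a, b = norm(legit), norm(candidate)
    return a == b or SequenceMatcher(None, a, b).ratio() >= threshold


LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s:]+)(?P<path>\S*)"
)


def scan_proxy_log(lines):
    """Return (client ip, host, reason, path) for lines hitting the known C2
    or a look-alike of the legitimate vendor domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        if host == C2_DOMAIN:
            hits.append((m["src"], host, "known-c2", m["path"]))
        elif looks_like(LEGIT_DOMAIN, host):
            hits.append((m["src"], host, "lookalike", m["path"]))
    return hits


if __name__ == "__main__":
    print("hosts in trojanized version range:", triage(SAMPLE_INVENTORY))
    for src, host, reason, path in scan_proxy_log(SAMPLE_LOG):
        print(f"{reason:9} {src:12} {host}{path}")
```

On a real estate the inventory would come from the endpoint agent or the Uninstall registry keys, and the log lines from the proxy; the hit for the known C2 names the beaconing client, which is the system to isolate first under the short-term actions.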

Short-term (1–7 days):

  • Inspect affected systems for persistence beyond the trojanized binaries themselves. The artifacts described in this report are Windows artifacts, so check Run/RunOnce registry keys, scheduled tasks, services and drivers, WMI event subscriptions and Startup-folder entries. Keep in mind that the primary persistence here is the signed DAEMON Tools binary, so hash-check the installed files against a known-clean build rather than only hunting for autostart entries.
  • Pull endpoint telemetry for April 8–May 6 and correlate file hashes of DAEMON Tools binaries against the indicators in Kaspersky's KATA rules.
  • Isolate any systems that contacted C&C infrastructure; preserve logs for forensic analysis.
  • Revoke and rotate credentials (API keys, GitHub tokens, AWS keys, Docker registry credentials) if stored on compromised endpoints.

Medium-term (1–4 weeks):

  • Implement software bill of materials (SBOM) verification and digest validation for all third-party binaries.
  • Deploy behavioral anomaly detection to flag post-compromise command & control communication: HTTP beacons to newly registered or look-alike domains (this campaign used a plain GET to a domain registered twelve days earlier), raw TCP beacons, and DNS tunneling.
  • Enforce code-signing checks in software deployment pipelines, but do not stop there: the malicious DAEMON Tools binaries carried the vendor's own certificate, so certificate pinning alone would have passed them. Pin file digests from a vendor-published manifest or a verified clean build as well, and alert when a signed binary's digest changes without a corresponding release.
  • Conduct supply chain risk assessments for all widely deployed software; prioritize tools with administrative access.
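The digest-validation control recommended above (SBOM/digest verification, and treating a vendor signature as necessary but not sufficient) looks like the following in practice. This is an added example for this page, not code from AVB Disc Soft, Kaspersky or the Lyrie post. The manifest format (relative path to SHA-256) and the file names are assumptions; in a real deployment the pinned digests come from a vendor-published manifest or from an install you verified before the incident window, and the signature check runs separately with the platform's Authenticode tooling.

```python
"""Verify a third-party install directory against a pinned digest manifest.
Reports modified files (digest mismatch), missing files and unexpected files.
Added example with a constructed fake install; not the vendor's code."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(install_dir):
    """Relative paths of every file under install_dir, with '/' separators."""
    for root, _, files in os.walk(install_dir):
        for name in files:
            full = os.path.join(root, name)
            yield os.path.relpath(full, install_dir).replace(os.sep, "/")


def build_manifest(install_dir):
    """Pin digests of a known-clean install: {relative_path: sha256}."""
    return {rel: sha256_file(os.path.join(install_dir, rel))
            for rel in sorted(_walk(install_dir))}


def verify_install(install_dir, manifest):
    """Compare what is on disk against the pinned manifest. A signed binary
    with a different digest lands in 'modified' regardless of who signed it,
    which is the check a certificate-only policy lacks."""
    findings = {"modified": [], "missing": [], "unexpected": []}
    on_disk = set(_walk(install_dir))
    for rel, expected in sorted(manifest.items()):
        if rel not in on_disk:
            findings["missing"].append(rel)
        elif sha256_file(os.path.join(install_dir, rel)) != expected.lower():
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(on_disk - set(manifest))
    return findings


def _write(base, rel, data):
    path = os.path.join(base, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: pin a clean install, then simulate a trojanized
    release (same file name, different bytes), a removed component and a
    dropped extra DLL. File names are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "app.exe", b"clean build bytes")
        _write(d, "helper.dll", b"clean helper bytes")
        _write(d, "lang/en.txt", b"ui strings")
        manifest = build_manifest(d)               # pinned before the incident window
        _write(d, "app.exe", b"trojanized build bytes")   # still vendor-signed in the real case
        os.remove(os.path.join(d, "helper.dll"))
        _write(d, "lang/extra.dll", b"dropped component")
        return verify_install(d, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10} {files}")
```

The manifest is the control that catches this campaign's core trick: a file that verifies cleanly under Authenticode but no longer matches the digest the vendor actually released. Store the manifest outside the install tree and outside the update channel, otherwise an attacker with vendor pipeline access can ship a matching manifest alongside the trojanized build.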

Strategic:

  • Transition to zero-trust supply chain security: assume every trusted binary is a potential compromise vector.
  • Deploy autonomous threat response to detect profiling behavior (system enumeration, credential harvesting) and block secondary payload delivery before human analysts wake up.
  • Integrate Kaspersky, CrowdStrike, Mandiant, and other vendor threat intelligence into real-time detection rules.

Sources

1. Kaspersky Securelist: DAEMON Tools Supply Chain Attack

2. Industrial Cyber: Kaspersky Uncovers DAEMON Tools Supply Chain Attack

3. AVB Disc Soft Official Security Notice

4. Kaspersky Anti Targeted Attack (KATA) Detection Rules


Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.