By Lyrie.ai Senior Analyst Desk·5/10/2026

TL;DR

Between April 8 and May 6, 2026, the official installers for DAEMON Tools Lite — a widely-used Windows disk image utility — were silently backdoored by a suspected Chinese-speaking threat actor. The malicious builds carried valid digital signatures from the software's own developer, AVB Disc Soft. Kaspersky GReAT researchers detected the campaign in early May after observing thousands of infection attempts across 100+ countries. Of those, roughly a dozen high-value targets in government, science, and manufacturing (primarily Russia, Belarus, and Thailand) received a second-stage shellcode backdoor, and at least one victim — a Russian educational institution — received a sophisticated C++ implant named QUIC RAT. The attack joins a growing list of signed-software supply chain incidents in 2026, all exploiting the same cognitive trap: users trust what they download from official sources.


Background: What Is DAEMON Tools and Why Does It Matter?

DAEMON Tools has been a fixture of Windows power-user environments for over two decades. Its core function — mounting ISO, MDS, and other disk image formats as virtual drives — makes it indispensable in lab environments, enterprise software distribution pipelines, educational institutions, and, notably, in gaming and cracking communities where disk images circulate freely. Its free Lite tier alone has accumulated tens of millions of installations globally, with distribution channels that span the official daemon-tools.cc website, bundled toolkits, and mirrored software repositories.

That ubiquity is precisely what makes it a high-value supply chain target. An attacker who can inject malicious code into the DAEMON Tools installer gains a pre-authenticated entry point into any machine that downloads from the official site — no phishing, no exploit, no social engineering required. The user, having navigated to the real website, downloaded the real binary, and observed a valid digital signature prompt, has no reason to suspect compromise.


Timeline of the Compromise

| Date | Event |
|------|-------|
| March 27, 2026 | Attacker registers typosquat C2 domain env-check.daemontools[.]cc |
| April 8, 2026 | First trojanized DAEMON Tools installers (version 12.5.0.2421) appear on official site |
| April 8 – May 5 | Thousands of machines infected globally; ~12 targeted with second-stage payloads |
| Early May 2026 | Kaspersky GReAT researchers identify campaign in telemetry |
| May 5, 2026 | AVB Disc Soft notified; begins incident response |
| May 6, 2026 | Clean version 12.6.0.2445 released; old packages pulled from distribution |
| May 8, 2026 | Kaspersky publishes SIEM detection rules for the campaign |

The attacker pre-positioned their C2 infrastructure eleven days before the first compromised installer shipped — a clear indicator of planned, deliberate access to AVB Disc Soft's build or release pipeline, not an opportunistic package swap.


Technical Analysis

Stage 0: Trojanized Binaries with Valid Signatures

Three Windows executables inside the DAEMON Tools Lite installation directory were tampered with across versions 12.5.0.2421 through 12.5.0.2434:

  • DTHelper.exe — the primary helper process
  • DiscSoftBusServiceLite.exe — the bus service daemon (runs at startup)
  • DTShellHlp.exe — the shell integration helper

All three files retained their legitimate digital signatures from AVB Disc Soft. The attacker did not strip or forge signatures; they modified the binaries at a point in the build or release process where signing had not yet occurred, or they had access to the signing key itself. The former is more probable — the backdoor is injected into CRT initialization code, suggesting manipulation of source-level build artifacts or a post-compile injection step applied before the signing step in the pipeline.

Each modified binary runs a backdoor thread at startup via the CRT initialization hook. This is a deliberately low-visibility persistence mechanism: no registry autorun key, no scheduled task, no service modification. The implant lives entirely inside a signed binary that runs as part of normal application startup.

Stage 1: C2 Beacon and Initial Triage

At startup, the backdoor thread issues an HTTP GET request to:

https://env-check.daemontools[.]cc/2032716822411?s=<full_computer_name>

The domain is a careful typosquat of daemon-tools[.]cc (the legitimate download domain), designed to survive casual inspection of network logs. The parameter s transmits the infected machine's full hostname, giving the attacker immediate triage capability. This is not a spray-and-pray campaign — the C2 design reflects a threat actor who needed to identify high-value machines from a large pool before committing further resources.

When the attacker decides to act on a target, the C2 responds with a PowerShell command that downloads and executes a first-stage payload from 38.180.107[.]76.

Stage 2: Information Harvester (envchk.exe)

envchk.exe (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4) is a .NET executable that compiles an extensive system profile: MAC addresses, hostnames, running processes, installed software, system locale, and hardware fingerprints. Crucially, the source code contains strings written in Chinese — the first of several artifacts suggesting a Mandarin-speaking developer. The collected profile is exfiltrated back to the attacker's infrastructure and used to decide whether the host warrants a second-stage implant.

Of the thousands of machines that reached Stage 2, only approximately twelve were chosen for escalation.

Stage 3: Shellcode Loader + Minimalist Backdoor (cdg.exe / cdg.tmp)

The second-stage loader cdg.exe decrypts the contents of a companion file cdg.tmp using RC4 encryption and launches the decrypted shellcode directly in memory — no disk-resident executable, no file system footprint for the core payload. The shellcode establishes a minimalist backdoor capable of:

  • Downloading arbitrary files from the C2
  • Executing shell commands
  • Running shellcode payloads in memory

Kaspersky noted typos in the deployment commands — "chiper" for "cipher", "rypto.dll" for "crypto.dll" — suggesting the Stage 3 deployment was executed manually and hurriedly by a human operator, not automated scripting. This is consistent with a hands-on-keyboard intrusion phase after automated initial access.

The backdoor injects payloads into legitimate Windows processes: notepad.exe and conhost.exe. Both are perennially trusted by endpoint defenses and appear routinely in process telemetry.

Stage 4: QUIC RAT (Final Payload, Confirmed on One Victim)

The most sophisticated component observed was QUIC RAT, deployed on a single victim — a Russian educational institution. QUIC RAT is a heavily obfuscated C++ backdoor statically linked with WolfSSL (an embedded TLS library), making its network traffic structurally indistinguishable from legitimate HTTPS when viewed on the wire.

Its C2 transport is remarkably multi-protocol: HTTP, UDP, TCP, WSS (WebSocket Secure), QUIC, DNS, and HTTP/3. The ability to fall back across seven protocols means that egress filtering, proxy inspection, or partial port blocking is unlikely to cut the operator's connection — the RAT simply pivots to whatever channel remains open.

QUIC RAT supports process injection into notepad.exe and conhost.exe, in-memory payload execution, and persistent channel redundancy. Its use against a single educational institution suggests either high intelligence value attributed to that target, or that it is being operationally tested in a lower-risk environment before broader deployment.


Attribution: A Chinese-Nexus Actor Without a Desk Nameplate

Kaspersky has explicitly declined to attribute the campaign to a known threat group, but the Chinese-language strings in envchk.exe, combined with targeting patterns (government, science, manufacturing — sectors aligned with Chinese strategic intelligence collection priorities) and the clean, professional operational structure, place this firmly in the space of Chinese state-adjacent activity. The geographic focus of secondary-stage targeting on Russia, Belarus, and Thailand is notable: this is not a Western intelligence service, and the sectors targeted don't map to financially-motivated ransomware groups. The working hypothesis is a new or unnamed Chinese APT cluster conducting cyberespionage — possibly testing QUIC RAT as an emerging capability before wider deployment.


The 2026 Signed-Installer Epidemic: Context

The DAEMON Tools compromise is the fourth major signed-installer supply chain incident in 2026:

| Month | Target | Vector |
|-------|--------|--------|
| January | eScan Antivirus | Update server compromise |
| February | Notepad++ | Hijacked update mechanism |
| April | CPUID (CPU-Z/HWMonitor) | Build pipeline injection; STX RAT delivered |
| May | DAEMON Tools | Build/signing pipeline injection; QUIC RAT |

This pattern is not coincidental. Each of these software packages shares a common profile: they are widely installed on technical and power-user machines (developers, sysadmins, security researchers, IT staff), they carry digital trust from established vendors, and their update/distribution mechanisms are either infrequent or opaque to monitoring tools. An attacker who systematically targets utility software vendors is building a portfolio of trusted delivery mechanisms — each one a potential "golden ticket" into the machines of exactly the people who have the access and credentials worth stealing.


IOCs

| Type | Value |
|------|-------|
| Malicious Domain (C2) | env-check.daemontools[.]cc |
| C2 IP | 38.180.107[.]76 |
| File Hash (envchk.exe) | SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4 |
| Compromised Versions | DAEMON Tools Lite 12.5.0.2421 – 12.5.0.2434 |
| Affected Binaries | DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe |
| Injection Targets | notepad.exe, conhost.exe |
| Malware Family | QUIC RAT (C++ backdoor, WolfSSL, multi-protocol C2) |
| C2 Domain Reg. Date | March 27, 2026 |


Lyrie Take

This attack illustrates why digital signature verification is a necessary but deeply insufficient security control. A signed binary from an official site can be malicious — if the attacker controls the build pipeline, they sign the malware themselves. The security model that says "signed = trusted" was always a trust delegation to the software vendor; when the vendor's pipeline is compromised, that delegation fails catastrophically and silently.

The selective deployment pattern here is particularly concerning for detection-based defenses. With thousands of Stage 1 infections and only ~12 Stage 3 escalations, signature-based and behavior-based detection has an extremely small signal window. Most infected hosts will never show anomalous behavior — they simply send one beacon per startup to a domain that looks like the legitimate vendor. Only the handful of targets the operator deems valuable will ever see the hands-on intrusion phase where traditional behavioral detection might fire.

This is the architecture of a patient, intelligence-oriented campaign. The attacker is not trying to ransomware 10,000 machines. They are running a quiet supply chain net, waiting for the right fish.


Defender Playbook

Immediate (if DAEMON Tools is installed):

1. Check installed version. If DAEMON Tools Lite is version 12.5.0.2421–12.5.0.2434, treat the host as compromised.

2. Update immediately to version 12.6.0.2445 or later.

3. Block outbound connections to env-check.daemontools[.]cc and 38.180.107[.]76 at the network perimeter.

4. Hunt for the compromised binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe — check file hashes against clean versions.

5. Examine startup behavior and cmd.exe child processes spawned from these binaries.

6. Search for envchk.exe or cdg.exe under C:\Windows\Temp\.

7. Check for process injection into notepad.exe and conhost.exe via memory scanning.

Structural (supply chain hardening):

1. Implement software allowlisting at the binary hash level, not just vendor signature level.

2. Monitor DNS and TLS SNI for typosquat domains resembling your approved vendor list.

3. Deploy EDR with memory scanning enabled for process injection into LOLBins.

4. Treat any utility software (disk tools, monitoring tools, media players) as carrying the same supply chain risk as developer tooling.

5. Add outbound egress monitoring for unusual GET requests that carry the machine hostname as a query parameter.

6. For high-value environments: restrict utility software installation to controlled, air-gapped update processes.

7. Consider deploying Kaspersky KEDR or KATA detection rules published May 5–8, 2026 specifically targeting this campaign's network traffic patterns.

Detection Queries (conceptual):

  • DNS queries matching *.daemontools\.cc (not daemon-tools\.cc)
  • Child processes of DiscSoftBusServiceLite.exe spawning cmd.exe or powershell.exe
  • envchk.exe or cdg.exe file creation in C:\Windows\Temp\
  • Outbound GET requests with URI patterns matching /<10+ digit number>?s=<hostname>
  • Process injection events: notepad.exe or conhost.exe with unusual memory permissions
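The conceptual queries above, and the hunting steps 3, 5 and 6 of the playbook they correspond to, implemented as rules run over a few constructed telemetry lines. This is an added example, not code from the article or from Kaspersky; the indicators are the article's own with the defanging brackets removed, the `kind|host|fields` log form and the host name WS-0412 are assumptions for the demo, and process-injection detection is left to EDR memory scanning since it cannot be shown on log text.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Indicators from the article, defanging brackets removed so they match raw logs.
C2_IP = "38.180.107.76"
TYPOSQUAT = "daemontools.cc"                 # attacker; the vendor is daemon-tools.cc
SERVICE_PARENT = "discsoftbusservicelite.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
STAGE_FILES = {"envchk.exe", "cdg.exe"}
BEACON_PATH = re.compile(r"^/\d{10,}$")      # /<10+ digit number>

def suspicious_dns(qname):
    q = qname.lower().rstrip(".")            # never matches daemon-tools.cc
    return q == TYPOSQUAT or q.endswith("." + TYPOSQUAT)

def suspicious_http(url, host):
    u = urlsplit(url)                        # beacon: /<10+ digits>?s=<this host's name>
    s_values = [v.lower() for v in parse_qs(u.query).get("s", [])]
    return u.hostname == C2_IP or bool(BEACON_PATH.match(u.path) and host.lower() in s_values)

def suspicious_process(parent, child):
    return parent.lower() == SERVICE_PARENT and child.lower() in SHELLS

def suspicious_file(path):
    p = path.lower()                         # stage files dropped under C:\Windows\Temp\
    return p.startswith("c:\\windows\\temp\\") and p.rsplit("\\", 1)[-1] in STAGE_FILES

# Constructed telemetry in a simple "kind|host|fields..." form (not real logs).
SAMPLE_LOG = [
    "dns|WS-0412|daemon-tools.cc",
    "dns|WS-0412|env-check.daemontools.cc",
    "http|WS-0412|https://env-check.daemontools.cc/2032716822411?s=WS-0412",
    "http|WS-0412|https://daemon-tools.cc/downloads/lite",
    "proc|WS-0412|DiscSoftBusServiceLite.exe|cmd.exe",
    "file|WS-0412|C:\\Windows\\Temp\\envchk.exe",
]

def scan(lines):
    # Returns (rule, line) for every telemetry line that trips one of the queries.
    hits = []
    for line in lines:
        kind, host, *f = line.split("|")
        if kind == "dns" and suspicious_dns(f[0]):
            hits.append(("typosquat_dns", line))
        elif kind == "http" and suspicious_http(f[0], host):
            hits.append(("hostname_beacon", line))
        elif kind == "proc" and suspicious_process(f[0], f[1]):
            hits.append(("service_spawns_shell", line))
        elif kind == "file" and suspicious_file(f[0]):
            hits.append(("stage_file_in_temp", line))
    return hits
```

Running `scan(SAMPLE_LOG)` flags exactly the four malicious lines and leaves the legitimate daemon-tools.cc lookup and download untouched.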

Sources

1. Kaspersky Securelist — "Popular DAEMON Tools software compromised" (May 5–8, 2026): https://securelist.com/tr/daemon-tools-backdoor/119654/

2. The Hacker News — "DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware": https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html

3. CybersecurityNews — "DAEMON Tools Software Hacked to Deliver Malware in a Supply Chain Attack": https://cybersecuritynews.com/daemon-tools-software-hacked/

4. SecurityWeek — "Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack": https://www.securityweek.com/government-scientific-entities-hit-via-daemon-tools-supply-chain-attack/

5. AVB Disc Soft Security Notice: https://blog.daemon-tools.cc/rus/post/security-incident


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.