The Trusted Installer Trap: DAEMON Tools Supply Chain Attack Delivers QUIC RAT to Government, Manufacturing Targets
TL;DR: A month-long supply chain compromise of DAEMON Tools Lite (versions 12.5.0.2421–12.5.0.2434) served trojanized, legitimately signed installers from the official vendor website to thousands of victims in 100+ countries. A suspected Chinese-speaking threat actor selectively deployed a sophisticated multi-protocol RAT — dubbed QUIC RAT — to a curated shortlist of high-value government, manufacturing, and scientific targets in Russia, Belarus, and Thailand. Patch to v12.6.0.2445 immediately and sweep for the IOCs below.
Background
DAEMON Tools is one of the most widely deployed virtual drive and disk image mounting utilities on Windows. Published by Latvian developer AVB Disc Soft, the Lite edition is distributed as a free download from the official daemon-tools.cc domain and has been a fixture on both enterprise desktops and home systems for over two decades. Its broad install base, combined with its privileged role running as a startup service, makes it an exceptionally attractive trojanization target.
On May 6, 2026, Kaspersky's Global Research and Analysis Team (GReAT) publicly disclosed — after coordinating with AVB Disc Soft — that official DAEMON Tools Lite installers downloaded between April 8 and May 5, 2026 contained fully functional backdoors. The vendor shipped a clean remediation release (12.6.0.2445) the same day.
The disclosure caps a grim first half for software supply chain security in 2026. Kaspersky alone has investigated four high-profile installer compromises this year: eScan (January), Notepad++ (February), CPUID (April), and now DAEMON Tools (May). The pattern is now impossible to dismiss as coincidence — a threat actor, or actors, have methodically industrialized the compromise of popular Windows utilities.
Technical Analysis
Stage 0 — Pre-Positioning: Domain Registration
The attackers registered the C2 domain env-check.daemontools[.]cc on March 27, 2026, twelve days before the first trojanized installer appeared in the wild. The parent domain, daemontools[.]cc, is a lookalike of the legitimate distribution domain daemon-tools.cc with the hyphen dropped, and the env-check subdomain reads like a plausible vendor telemetry host. This pre-positioning indicates operational planning: the attacker secured infrastructure, confirmed it would pass cursory visual inspection, and only then introduced the malicious build into the software pipeline.
Stage 1 — Build Pipeline Compromise
Exactly how AVB Disc Soft's build or distribution pipeline was breached has not been publicly confirmed as of this writing. The vendor acknowledged the incident was limited to DAEMON Tools Lite (free version) and has stated it isolated affected systems, audited the build pipeline, and rebuilt/re-signed all distribution packages. The absence of an official root-cause statement suggests the investigation is ongoing.
What we do know from Kaspersky's binary analysis is that the trojanization was surgical. Three binaries inside the standard installation directory, DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, were modified in their C runtime (CRT) startup code. The implant's thread is started from the CRT initialization path that runs before the application's main() entry point, so the backdoor is already active before any application-level logic executes, and it runs alongside the legitimate functionality rather than replacing it, which keeps the utility working normally and the user unsuspecting. Crucially, all three modified binaries carry valid Authenticode signatures from AVB Disc Soft's code signing certificate, which means the tampering took place before signing rather than after; any trust control keyed only on the publisher's signature, such as application allow-listing by publisher, passes them without complaint.
Stage 2 — Beacon and Victim Triage
Every time any of the three trojanized binaries launches — including during routine system startup, since DiscSoftBusServiceLite.exe runs as a service — the implant fires an HTTP GET request to:
https://env-check.daemontools[.]cc/2032716822411?s=<FULL_COMPUTER_NAME>
The server returns a shell command to be executed via cmd.exe. In the vast majority of observed deployments, this command downloads a .NET information collector named envchk.exe (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4).
The collector harvests:
- MAC address (first non-zero)
- Hostname
- DNS domain name
- Running process list
- Installed software list
- System locale
This data is POSTed to a hardcoded C2 endpoint at 38.180.107[.]76 as a form-encoded body, a=<mac>&b=<hostname>&c=<dns>&d=<procs>&e=<software>&f=<locale>. The collector's source code contains Chinese-language strings, the principal attribution indicator cited by Kaspersky GReAT, though the researchers stop short of formally attributing the campaign to a named actor.
The triage architecture is deliberate: rather than deploying heavy second-stage malware to all thousands of infected hosts (and risking rapid detection), the operator reviews the harvested metadata and manually selects targets for further access. Kaspersky estimates that out of thousands of infection attempts across 100+ countries, only approximately a dozen hosts received Stage 3 payloads.
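The beacon-then-collect exchange above leaves two distinct footprints in outbound web logs: a GET to the numeric path on the squatted domain carrying the computer name in the s= parameter, and a form-encoded POST to a bare IP literal with exactly the a..f field set. The following hunt script is an added example, not code from the Kaspersky report; the log line format and every sample line are constructed for the demo, and only the domain, path, IP and field names come from the advisory. It also flags any other traffic to the lookalike registrable domain, which goes a little beyond the single beacon URL the page lists.

```python
"""Hunt for QUIC RAT stage-2 traffic in web proxy logs.

Added example (not from the Kaspersky report). The log format and the
sample lines are constructed; only the indicators (domain, path, IP,
POST field names) come from the advisory.
"""
import re
from urllib.parse import parse_qs, urlsplit

SQUAT_DOMAIN = "daemontools.cc"          # lookalike of the legitimate daemon-tools.cc
BEACON_HOST = "env-check." + SQUAT_DOMAIN
BEACON_PATH = "/2032716822411"
C2_IP = "38.180.107.76"
COLLECTOR_FIELDS = ("a", "b", "c", "d", "e", "f")  # mac, hostname, dns, procs, software, locale

# Constructed log format (assumption): "<ts> <src_ip> <METHOD> <url> [<post_body>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+)(?: (?P<body>\S+))?$"
)

# Constructed sample lines: one full infection chain, two benign requests, one lookalike hit
SAMPLE_LOG = """\
2026-04-20T08:01:12Z 10.0.4.17 GET https://env-check.daemontools.cc/2032716822411?s=WS-FINANCE-07
2026-04-20T08:01:13Z 10.0.4.17 GET http://38.180.107.76/env_check_script
2026-04-20T08:01:15Z 10.0.4.17 POST http://38.180.107.76/ a=00-1A-2B-3C-4D-5E&b=WS-FINANCE-07&c=corp.example&d=explorer.exe,DTHelper.exe&e=DAEMON+Tools+Lite&f=ru-RU
2026-04-20T08:02:00Z 10.0.4.18 GET https://www.daemon-tools.cc/downloads
2026-04-20T08:02:30Z 10.0.4.18 GET https://cdn.daemontools.cc/update.bin
2026-04-20T08:03:41Z 10.0.4.19 GET https://update.example.com/check?s=WS-HR-02
"""


def classify(line):
    """Return a finding dict for one log line, or None if it is benign."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["url"])
    host = (url.hostname or "").lower()
    finding = {"src": m["src"], "ts": m["ts"]}

    # Stage 2 beacon: GET to the numeric path with the computer name in ?s=
    if host == BEACON_HOST and url.path == BEACON_PATH:
        finding.update(stage="beacon", victim=parse_qs(url.query).get("s", [""])[0])
        return finding
    # Any other traffic to the squatted registrable domain is still worth a look
    if host == SQUAT_DOMAIN or host.endswith("." + SQUAT_DOMAIN):
        finding.update(stage="lookalike-domain", victim="")
        return finding
    # Collector download: plain HTTP to a bare IP literal
    if host == C2_IP and m["method"] == "GET" and url.path.endswith("/env_check_script"):
        finding.update(stage="collector-download", victim="")
        return finding
    # Collector exfil: POST whose body carries the complete a..f field set
    if host == C2_IP and m["method"] == "POST" and m["body"]:
        fields = parse_qs(m["body"], keep_blank_values=True)
        if all(k in fields for k in COLLECTOR_FIELDS):
            finding.update(stage="collector-exfil", victim=fields["b"][0],
                           mac=fields["a"][0], locale=fields["f"][0])
            return finding
    return None


def hunt(log_text):
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

The legitimate daemon-tools.cc request is not matched because the suffix test is applied to the registrable domain with a leading dot, so a hyphenated neighbour never collides with the squat. On real proxy data, the exfil POST will usually only be visible if the proxy logs request bodies; if it does not, the GET to a bare IP for env_check_script is the next best pivot.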
Stage 3 — Minimalistic Backdoor (cdg.exe / cdg.tmp)
Selected targets received a shellcode loader, cdg.exe, which decrypts the contents of a companion file cdg.tmp and executes an in-memory minimalistic backdoor. This implant contacts a remote server to:
- Download arbitrary files
- Execute shell commands
- Run shellcode payloads in memory
Kaspersky notes that in one observed deployment, the backdoor launch command contained a misspelling — a telltale sign of hands-on keyboard activity: a human operator was manually typing commands rather than using an automated framework. This is consistent with highly targeted post-exploitation tradecraft and an operator who treats their tooling as bespoke, single-target instruments.
Stage 4 — QUIC RAT (Final Implant)
Against a single confirmed victim — an educational institution in Russia — the operator deployed the campaign's most sophisticated payload: QUIC RAT, a C++ remote access trojan supporting an unusually broad range of C2 communication protocols:
- HTTP / HTTPS
- UDP
- TCP
- WSS (WebSockets over TLS)
- QUIC (HTTP/3 transport)
- DNS
- HTTP/3
This protocol diversity is architecturally significant. QUIC, in particular, rides UDP port 443 and is increasingly permitted through enterprise firewalls because it underpins modern HTTPS traffic. A RAT that can tunnel over QUIC can bypass inspection engines that only parse TCP-based HTTPS flows. Supporting DNS-based C2 provides an additional fallback for environments with aggressive egress filtering.
QUIC RAT also injects itself into notepad.exe and conhost.exe, two processes present on virtually every Windows system and rarely covered by tailored detections, even though neither has a legitimate reason to open a network socket. The result is stealth at the process level and at the network level at the same time; a socket opened by notepad.exe or conhost.exe is the one observable that gives it away.
Pattern Recognition: The 2026 Installer Compromise Wave
The DAEMON Tools attack does not exist in isolation. It is the fourth in a documented 2026 series:
| Month | Target | Technique |
|-------|--------|-----------|
| January | eScan antivirus | Update server compromise |
| February | Notepad++ | Hijacked update mechanism |
| April | CPUID (CPU-Z/HWMonitor) | Build poisoning → STX RAT |
| May | DAEMON Tools Lite | Build poisoning → QUIC RAT |
The selection criteria are consistent: high-trust utilities with large install bases, especially on enterprise and developer systems, with privileged startup execution. eScan runs as an AV engine (maximum trust, maximum EDR bypass). CPUID is installed by IT staff for diagnostics. DAEMON Tools runs as a system service. Notepad++ is ubiquitous on developer machines. An attacker who controls any of these gets a signed, trusted initial foothold on tens of thousands of machines simultaneously.
Whether the same actor is behind all four compromises is unknown. What is known is that the attack surface — the software build pipeline of popular utilities — has become a high-value target category, and the ecosystem of defenders who focus exclusively on runtime behavioral detection is systematically blind to this vector until infection has already occurred.
Indicators of Compromise (IOCs)
Malicious Domain:
env-check.daemontools[.]cc (registered 2026-03-27)
Malicious IP:
38.180.107[.]76 (C2 server — information collector callback)
Trojanized Binaries (affected versions 12.5.0.2421–12.5.0.2434; no per-file hashes are listed here, so compare each file against the vendor's clean 12.6.0.2445 build):
- DTHelper.exe — maliciously modified (verify against vendor)
- DiscSoftBusServiceLite.exe — maliciously modified
- DTShellHlp.exe — maliciously modified
Payload Hashes:
- envchk.exe — SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4
Malicious Download Path:
- http://38.180.107[.]76/env_check_script → envchk.exe
Drop Paths:
- C:\Windows\Temp\envchk.exe
- %TEMP%\<random>.exe (minimalistic backdoor loader pattern)
Process Injection Targets:
- notepad.exe
- conhost.exe
Registry / Startup Behavior:
- Modified CRT init code in DAEMON Tools Lite binaries — backdoor activates at every binary launch, including system startup
Lyrie Take
This attack is a masterclass in leveraging institutional trust as a weaponizable attack surface. The threat actor did not need to defeat endpoint detection, bypass firewalls, or phish a single user. They compromised the build pipeline of a trusted vendor, let the vendor's own code signing certificate launder the malware, and relied on millions of users' trained instinct to "update to the latest version" as the delivery mechanism.
Three observations for defenders:
1. Code signing is not integrity verification. A valid Authenticode signature proves the binary was signed with a specific publisher's key; it says nothing about whether that publisher's build process was clean. Organizations that allow-list executables solely by publisher signature are one stolen signing key or one breached build server away from mass infection. Hash-pinning of trusted third-party binaries, or at minimum behavioral monitoring of what those binaries do at startup, is not optional in 2026.
2. The triage architecture is the threat multiplier. The genius of the DAEMON Tools operation, and the eScan/CPUID operations before it, is the reconnaissance-then-select model. By deploying a lightweight info-collector to thousands of hosts and escalating to only about a dozen, the attacker maintains a low detection footprint while building a perfectly curated target list. This is no longer nation-state-exclusive tradecraft; it scales because the initial infector has near-zero marginal cost.
3. QUIC RAT represents a detection gap most organizations have today. If your network egress monitoring does not inspect or block UDP/443 QUIC sessions, and if your EDR does not flag notepad.exe making outbound UDP connections, QUIC RAT will operate silently in most environments. This is not a theoretical gap — it is a present, live one.
Defender Playbook
Immediate Actions:
1. Audit and update all DAEMON Tools Lite installations to version 12.6.0.2445 or later. Treat any installation on versions 12.5.0.2421–12.5.0.2434 as potentially compromised.
2. Block at DNS/proxy: env-check.daemontools[.]cc and IP 38.180.107[.]76.
3. Hunt for payload artifacts:
- C:\Windows\Temp\envchk.exe (or recently deleted)
- Any %TEMP%\*.exe spawned by DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe
- Injected threads in notepad.exe / conhost.exe originating from DAEMON Tools process lineage
4. Check process tree lineage: Any cmd.exe or powershell.exe spawned by the three affected DAEMON Tools binaries is a strong indicator of compromise.
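Hunt items 3 and 4 reduce to two questions against endpoint telemetry: which of the three DAEMON Tools binaries spawned a shell or dropped an executable under a temp directory, and which processes that should never talk to the network opened a socket. The script below is an added example, not tooling from the advisory or the vendor; its events are constructed to look like flattened Sysmon Event ID 1 (process create) and Event ID 3 (network connect) records, the field names follow Sysmon's, and the command line shown for the cmd.exe child is a placeholder because the page does not reproduce the server-supplied command.

```python
"""Process-lineage and egress hunt for the DAEMON Tools implant chain.

Added example, not from the advisory. Events are constructed to resemble
flattened Sysmon EID 1 and EID 3 records; the field names follow Sysmon,
the values are invented.
"""
import ntpath

TROJANIZED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}   # QUIC RAT injection targets
C2_IP = "38.180.107.76"
TEMP_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def basename(path):
    # ntpath handles Windows paths correctly even when this runs on Linux
    return ntpath.basename(path).lower()


def triage(ev):
    """Return (tag, computer, detail) if the event matches a hunt rule, else None."""
    if ev["EventID"] == 1:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        if parent not in TROJANIZED:
            return None
        if child in SHELLS:  # the beacon response is executed via cmd.exe
            return ("shell-from-daemon-tools", ev["Computer"],
                    f"{parent} -> {child} {ev.get('CommandLine', '')}".strip())
        if any(marker in ev["Image"].lower() for marker in TEMP_MARKERS):  # envchk.exe / cdg.exe drops
            return ("temp-exe-from-daemon-tools", ev["Computer"], f"{parent} -> {ev['Image']}")
        return None
    if ev["EventID"] == 3:
        image = basename(ev["Image"])
        dst = f"{ev['DestinationIp']}:{ev['DestinationPort']}/{ev['Protocol'].lower()}"
        if ev["DestinationIp"] == C2_IP:
            return ("known-c2-contact", ev["Computer"], f"{image} -> {dst}")
        if image in INJECTION_HOSTS:
            # Neither notepad.exe nor conhost.exe has a legitimate reason to open sockets.
            # UDP/443 from them matches the QUIC transport; anything else is still reportable.
            quic = ev["Protocol"].lower() == "udp" and int(ev["DestinationPort"]) == 443
            tag = "quic-egress-from-injection-host" if quic else "egress-from-injection-host"
            return (tag, ev["Computer"], f"{image} -> {dst}")
    return None


def hunt(events):
    """Apply triage() to every event and keep the hits, in arrival order."""
    return [hit for hit in map(triage, events) if hit]


# Constructed events: one infection chain on WS-FINANCE-07 plus two benign records
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-FINANCE-07",
     "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c <command returned by beacon server>"},
    {"EventID": 1, "Computer": "WS-FINANCE-07",
     "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "Image": r"C:\Windows\Temp\envchk.exe", "CommandLine": "envchk.exe"},
    {"EventID": 1, "Computer": "WS-HR-02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "CommandLine": "DTHelper.exe"},
    {"EventID": 3, "Computer": "WS-FINANCE-07", "Image": r"C:\Windows\Temp\envchk.exe",
     "DestinationIp": "38.180.107.76", "DestinationPort": 80, "Protocol": "tcp"},
    {"EventID": 3, "Computer": "WS-FINANCE-07", "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443, "Protocol": "udp"},
    {"EventID": 3, "Computer": "WS-HR-02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": 443, "Protocol": "udp"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The browser's UDP/443 connection is deliberately left unflagged: QUIC from chrome.exe is normal, and the rule keys on the process identity of the socket owner rather than on the port alone. The user-launched DTHelper.exe record is also benign, since the concern is what the trojanized binaries spawn, not who spawns them.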
Intermediate (1–2 weeks):
5. Inventory all software installed via third-party utility channels (DAEMON Tools, CPU-Z, HWMonitor, CPUID, Notepad++, similar utilities) and cross-reference against known-compromised version ranges from 2026 incidents.
6. Implement binary hash pinning for high-privilege startup executables, separate from code signing validation. Tools like Velociraptor or OSQuery can automate baseline hash collection.
7. Enable QUIC inspection or selective QUIC blocking (UDP/443) at the perimeter. Legitimate QUIC traffic can almost always fall back to TCP/443; the marginal user impact is negligible against the detection gain.
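Items 1 and 6 above are mechanical enough to script: decide from a version string whether an install falls inside 12.5.0.2421–12.5.0.2434 or simply predates the fix, then pin SHA-256 hashes of the three startup binaries and report drift. The following is an added example, not vendor tooling or code from the advisory. It assumes the version string is obtained separately (for instance from the Uninstall registry key or the file version resource) and that the baseline was recorded from a build you trust out-of-band; a valid Authenticode signature is not that baseline, which is exactly what this incident shows. Because real binaries are not available offline, the demo pins stand-in files in a throwaway directory.

```python
"""Version-range and hash-pin checks for a DAEMON Tools Lite install.

Added example, not vendor tooling. The baseline must come from a build
you trust out-of-band (e.g. a fresh 12.6.0.2445 package whose hashes you
recorded yourself). The demo uses stand-in files in a temp directory.
"""
import hashlib
import tempfile
from pathlib import Path

AFFECTED_FIRST = (12, 5, 0, 2421)
AFFECTED_LAST = (12, 5, 0, 2434)
FIXED = (12, 6, 0, 2445)
WATCHED = ("DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe")


def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421); short strings are zero-padded to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version_text):
    """True only for the published trojanized range."""
    return AFFECTED_FIRST <= parse_version(version_text) <= AFFECTED_LAST


def needs_update(version_text):
    """True for anything older than the remediation release, affected or not."""
    return parse_version(version_text) < FIXED


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(install_dir):
    """Record SHA-256 of each watched binary from a known-clean install."""
    d = Path(install_dir)
    return {name: sha256_file(d / name) for name in WATCHED if (d / name).is_file()}


def check_against_baseline(install_dir, baseline):
    """Return (name, status) for every watched binary that deviates from the pin."""
    d = Path(install_dir)
    findings = []
    for name in WATCHED:
        p = d / name
        if not p.is_file():
            findings.append((name, "missing"))
        elif name not in baseline:
            findings.append((name, "not-in-baseline"))
        elif sha256_file(p) != baseline[name]:
            findings.append((name, "hash-drift"))
    return findings


def demo():
    """Pin a clean stand-in install, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in WATCHED:
            (Path(tmp) / name).write_bytes(b"clean stand-in for " + name.encode())
        baseline = build_baseline(tmp)
        clean = check_against_baseline(tmp, baseline)   # nothing drifted yet
        (Path(tmp) / "DTHelper.exe").write_bytes(b"stand-in with altered CRT init")
        (Path(tmp) / "DTShellHlp.exe").unlink()
        return clean, check_against_baseline(tmp, baseline)


if __name__ == "__main__":
    print(is_affected("12.5.0.2430"), needs_update("12.6.0.2445"))
    print(demo())
```

Store the baseline outside the install directory (a signed config in your fleet-management system is ideal), re-pin only after a deliberate upgrade, and treat hash-drift on a service binary that also carries a valid vendor signature as a supply chain signal rather than a benign patch.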
Strategic:
8. Adopt a supply chain risk tier for vendors. Software that runs at startup, installs as a service, or touches kernel interfaces deserves a higher scrutiny tier than ordinary userspace apps — regardless of vendor reputation. Update procedures should route through a staging environment with behavioral sandboxing before fleet deployment.
9. Demand SBOMs. The Software Bill of Materials requirement, while tedious, creates the paper trail that makes post-incident triage of exactly which build introduced malicious code tractable. Vendors who cannot produce an SBOM warrant lower trust tier placement. Note the limit, though: an SBOM lists components, and in this incident the malicious code was inserted into the vendor's own binaries rather than pulled in through a dependency, so pair the SBOM with signed build provenance or reproducible builds if you want it to catch this class of tampering.
10. Monitor outbound DNS and UDP/443 for hosts running any of the four 2026-compromised utilities. The info-collector's POST to a numeric IP is detectable with basic outbound firewall logging.
Sources
- Kaspersky GReAT — Primary Advisory: securelist.com/tr/daemon-tools-backdoor/119654
- The Hacker News: DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
- Ars Technica: Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack
- Industrial Cyber: Kaspersky uncovers targeted DAEMON Tools supply chain attack affecting manufacturing, government sectors
- Kaspersky Official Blog: Supply chain attack via DAEMON Tools
Lyrie.ai Cyber Research Division — Senior Analyst Desk
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.