QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
Summary
A follow-on QUIC RAT payload was delivered through compromised DAEMON Tools installers, extending the supply-chain intrusion into remote access on a small subset of infected hosts. The payload reached only a dozen hosts, making the selective deployment operationally significant despite broader infection attempts.
Related Happenings
Showboat Linux post-exploitation backdoor framework
Malware Activity
First: 21.05.2026 17:17
Last: 21.05.2026 17:17
Sources 1
About this happening:
The **Showboat** Linux malware has been identified as a **modular post-exploitation framework** used since **at least mid-2022**, raising the risk of persistent access on compromi...
Daemon Tools Lite trojanized installer campaign
Campaign
First: 07.05.2026 12:30
Last: 07.05.2026 12:30
Sources 1
How related:
“Starting from early April, we observed several thousands of infection attempts involving Daemon Tools in our telemetry, with individuals and organizations in more than 100 countries being affected,” the cybersecurity firm explained.
About this happening:
A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
DAEMON Tools Lite trojanized installer wave
Exploitation Wave
First: 06.05.2026 19:43
Last: 06.05.2026 19:43
Sources 1
How related:
As cybersecurity company Kaspersky revealed on Tuesday, hackers trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems from more than 100 countries that downloaded the software from the official website since April 8.
About this happening:
Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from systems that downloaded them. The activity has run...
AVB Disc Soft hit by network compromise
Incident
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
How related:
Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5.
About this happening:
**DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
Latest development: 07.05.2026 12:30
Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.
Timeline
07.05.2026 12:30 · 1 article
Disc Soft releases malware-free Daemon Tools Lite 12.6
Mitigation Patch Update: Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
Sources:
- Daemon Tools Developer Confirms Software Was Trojanized — www.infosecurity-magazine.com — 07.05.2026 12:30
05.05.2026 19:07 · 1 article
env-check.daemontools[.]cc registered
Campaign Scope Update: The malicious infrastructure domain env-check.daemontools[.]cc was registered and later used by the implant to issue HTTP GET requests that retrieved shell commands for compromised DAEMON Tools hosts.
Sources:
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — thehackernews.com — 05.05.2026 19:07
05.05.2026 19:07 · 1 article
DAEMON Tools installers trojanized
Exploitation Observed: Official DAEMON Tools installers distributed from the vendor's legitimate website were trojanized starting April 8, 2026, with compromised builds 12.5.0.2421 through 12.5.0.2434 tampered to launch DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe as malware entry points.
Sources:
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — thehackernews.com — 05.05.2026 19:07
05.05.2026 19:07 · 1 article
Kaspersky discloses QUIC RAT delivery
Initial Disclosure: Kaspersky said the compromised installer chain sent shell commands that downloaded envchk.exe, cdg.exe, and cdg.tmp, and that one of the follow-on payloads was the QUIC RAT remote access trojan delivered to a small subset of infected hosts while telemetry showed several thousand infection attempts across more than 100 countries.
Sources:
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — thehackernews.com — 05.05.2026 19:07