Trojanized DAEMON Tools installers deliver multi-stage backdoor via signed software supply chain compromise
Summary
DAEMON Tools installers distributed from the official website and digitally signed with legitimate developer certificates have been trojanized to deliver a multi-stage malware payload since April 8, 2026. The attack compromises three binaries—DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—which activate an implant on launch that sends HTTP requests to a command-and-control (C2) domain registered on March 27, 2026. The implant executes shell commands via cmd.exe to download and run further payloads, including a .NET reconnaissance tool (envchk.exe), a shellcode loader (cdg.exe), and a minimal backdoor capable of file exfiltration, command execution, and in-memory shellcode execution. Delivery of the second stage is targeted: only a small subset of infected hosts received it, and the campaign was still ongoing when it was disclosed. The first-stage malware acts as an information stealer that collects system data, including hostname, MAC address, running processes, installed software, and system locale, to profile victims. A remote access trojan named QUIC RAT was deployed against a single educational institution in Russia. The backdoor supports multiple C2 protocols and process injection techniques, and the evidence points to a Chinese-speaking adversary.
Timeline
- 05.05.2026 19:07 · 2 articles
DAEMON Tools signed installers trojanized to deliver multi-stage backdoor and QUIC RAT since April 8, 2026
The compromised versions span DAEMON Tools 12.5.0.2421 to 12.5.0.2434, affecting DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The implant contacts env-check.daemontools[.]cc (registered March 27, 2026) to receive commands executed via cmd.exe, leading to the download and execution of envchk.exe, cdg.exe, and a minimal backdoor. The backdoor supports multiple C2 protocols and process injection techniques, and delivered the QUIC RAT payload to a single educational institution in Russia. The campaign showed targeted delivery, with only a small subset of infected hosts receiving follow-on malware. The second article adds that the first-stage malware is a basic information stealer collecting system data such as hostname, MAC address, running processes, installed software, and system locale for victim profiling. It also confirms the attack is ongoing as of May 5, 2026, and notes the compromise evaded detection for almost one month. Additionally, strings in the first-stage payload suggest the attacker is Chinese-speaking.
Sources:
- DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware — thehackernews.com — 05.05.2026 19:07
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — www.bleepingcomputer.com — 05.05.2026 22:21
Information Snippets
- Trojanized DAEMON Tools installers signed with legitimate developer certificates were distributed from the official DAEMON Tools website starting April 8, 2026.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- Compromised versions span DAEMON Tools 12.5.0.2421 to 12.5.0.2434, affecting three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- The implant sends HTTP GET requests to env-check.daemontools[.]cc (registered March 27, 2026) to receive shell commands executed via cmd.exe, initiating download and execution of additional payloads.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- Payloads include envchk.exe (system reconnaissance), cdg.exe (shellcode loader that decrypts and executes cdg.tmp), and a minimal backdoor capable of downloading files, executing shell commands, and running shellcode in memory.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- Kaspersky telemetry observed several thousand infection attempts across over 100 countries, but second-stage backdoor delivery was highly targeted, with only a dozen hosts receiving follow-on malware.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- Infected systems receiving the backdoor belong to organizations in the retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand, with one educational institution in Russia receiving the QUIC RAT payload.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- The backdoor supports multiple C2 protocols including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and includes process injection capabilities targeting notepad.exe and conhost.exe.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- Evidence points to a Chinese-speaking adversary, but no specific threat actor has been identified; the campaign remains unattributed as of this report.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- The compromise underscores the risk of signed software supply chain attacks bypassing traditional perimeter defenses, with the threat actor maintaining persistence for approximately one month before detection.
  First reported: 05.05.2026 19:07 · 2 sources, 2 articles (thehackernews.com, www.bleepingcomputer.com)
- The first-stage malware is a basic information stealer that collects system data including hostname, MAC address, running processes, installed software, and system locale, and sends it to the attackers for victim profiling.
  First reported: 05.05.2026 22:21 · 1 source, 1 article (www.bleepingcomputer.com)
- Kaspersky describes the attack as ongoing as of May 5, 2026, and notes the compromise evaded detection for almost one month.
  First reported: 05.05.2026 22:21 · 1 source, 1 article (www.bleepingcomputer.com)
- Strings found in the first-stage payload suggest the attacker is Chinese-speaking.
  First reported: 05.05.2026 22:21 · 1 source, 1 article (www.bleepingcomputer.com)
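The indicators in the snippets above (the affected build range, the three trojanized binaries launching cmd.exe, the env-check.daemontools[.]cc C2 domain, and injection into notepad.exe and conhost.exe) can be turned directly into host-level detection logic. The following is an added example written for this page, not code from the original articles or from Kaspersky. It runs the checks over constructed, Sysmon-style event dictionaries; the field names (event, image, parent_image, command_line, query, destination) are assumptions loosely modelled on Sysmon Event IDs 1, 3 and 22, not a real log schema. The outbound-connection check for notepad.exe and conhost.exe is a heuristic inferred from the reported injection targets, not a detection the report itself describes.

```python
"""Detector for the DAEMON Tools compromise indicators described on this page.

Added example, not code from the original report or from Kaspersky. Event field
names are assumptions, not a real log schema.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Indicators taken from the report; the domain is kept defanged as published.
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_DOMAIN_DEFANGED = "env-check.daemontools[.]cc"
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
# Processes the backdoor injects into. Neither normally needs network access, so an
# outbound connection from them is treated as a heuristic hit (assumption, not from the report).
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]') back into a comparable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


C2_DOMAIN = refang(C2_DOMAIN_DEFANGED)


def version_affected(version: str) -> bool:
    """True if a four-part DAEMON Tools build number lies in 12.5.0.2421..12.5.0.2434."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    if len(parts) != 4:
        return False
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def _image_name(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS the detector runs on.
    return ntpath.basename(path).lower()


def check_event(ev: dict) -> list[str]:
    """Return human-readable findings for one event (empty list if nothing matched)."""
    findings: list[str] = []
    kind = ev.get("event")
    if kind == "process_create":
        parent = _image_name(ev.get("parent_image", ""))
        child = _image_name(ev.get("image", ""))
        # The implant runs C2-supplied commands through cmd.exe from the trojanized binaries.
        if parent in TROJANIZED_BINARIES and child == "cmd.exe":
            findings.append(
                f"{parent} spawned cmd.exe (implant command execution): "
                f"{ev.get('command_line', '')!r}"
            )
    elif kind == "dns_query":
        query = ev.get("query", "").lower().rstrip(".")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            findings.append(f"{_image_name(ev.get('image', ''))} resolved C2 domain {query}")
    elif kind == "network_connect":
        image = _image_name(ev.get("image", ""))
        if image in INJECTION_HOSTS:
            findings.append(
                f"{image} opened outbound connection to {ev.get('destination', '')} "
                "(possible injected backdoor; heuristic)"
            )
    return findings


def scan(events: Iterable[dict]) -> list[str]:
    """Run check_event over a stream of events and collect every finding in order."""
    return [finding for ev in events for finding in check_event(ev)]


# Constructed sample telemetry: three malicious events interleaved with benign ones.
# The command line is a placeholder, not a command observed in the campaign.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "parent_image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c <command received from C2>"},
    {"event": "process_create",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"event": "dns_query",
     "image": r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe",
     "query": "env-check.daemontools.cc"},
    {"event": "dns_query",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.example.com"},
    {"event": "network_connect",
     "image": r"C:\Windows\System32\notepad.exe",
     "destination": "203.0.113.10:443"},
    {"event": "network_connect",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "destination": "203.0.113.20:443"},
]

if __name__ == "__main__":
    for version in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(f"{version}: {'AFFECTED' if version_affected(version) else 'ok'}")
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

On a real host, map Sysmon Event ID 1 (process create), 3 (network connect) and 22 (DNS query) records onto these fields before calling scan. A version_affected hit on its own shows that the first-stage stealer ran, not that the second stage was delivered: the report says follow-on malware reached only a dozen hosts, so the process-tree and DNS findings are the ones that separate profiled victims from hosts that actually received the backdoor.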
Similar Happenings
Self-propagating North Korean job-scam malware spreads via compromised developer projects in software supply chain
A North Korean state-aligned actor has transformed fake job recruitment scams into a self-propagating supply-chain attack dubbed "Contagious Interview" that infects developer workstations and propagates via compromised repositories. Void Dokkaebi (aka Famous Chollima) abuses legitimate development workflows by luring developers with fake interviews, then delivering malware via malicious VS Code tasks or hidden payloads in fonts/images. Once committed to Git repositories, the infection spreads to downstream contributors, creating a worm-like chain reaction. Developers’ credentials, crypto wallets, CI/CD pipelines, and production infrastructure are primary targets. Newly identified activity connected to the same actor’s PromptMink campaign targets cryptocurrency developers via malicious npm packages, including @validate-sdk/v2, co-authored by an AI coding assistant. The layered package strategy uses legitimate-looking tools to hide malicious payloads, with payloads evolving from credential theft to broader data exfiltration, persistence mechanisms, and cross-platform binaries. Over 60 packages and 300+ versions have been identified across seven months, with evidence of LLM integration in malware development.
Supply chain compromise in Trivy scanner triggers CanisterWorm propagation across CI/CD pipelines
Supply chain compromise in the Trivy vulnerability scanner triggered the CanisterWorm propagation across CI/CD pipelines, now expanding to additional open-source ecosystems and involving multiple advanced threat actors. The TeamPCP threat group continues to monetize stolen supply chain secrets through partnerships with extortion groups including Lapsus$ and the Vect ransomware operation, with Wiz (Google Cloud) and Cisco confirming collaboration and horizontal movement across cloud environments. A new npm supply chain malware campaign discovered on April 24, 2026, shows self-propagating worm-like behavior via @automagik/genie and pgserve packages, stealing credentials and spreading across developer ecosystems while using Internet Computer Protocol (ICP) canisters for command and control. The malware shares technical similarities with prior TeamPCP campaigns, including post-install scripts and canister-based infrastructure, potentially indicating ongoing evolution of the threat actor's tactics or a new campaign leveraging established infrastructure. The Axios NPM package compromise via malicious versions 0.27.5 and 0.28.0 delivered a multi-platform RAT through a malicious dependency impersonating crypto-js, with attribution disputes suggesting either TeamPCP involvement or North Korean actor UNC1069 (Google's Threat Intelligence Group). Cisco's internal development environment was breached using stolen Trivy-linked credentials via a malicious GitHub Action, resulting in the theft of over 300 repositories including proprietary AI product code and customer data from banks, BPOs, and US government agencies. Multiple AWS keys were abused across a subset of Cisco's cloud accounts, with multiple threat actors participating in the breach.
GlassWorm malware targets OpenVSX, VS Code registries
GlassWorm has escalated into a multi-stage framework combining remote access trojans (RATs), data theft, and hardware wallet phishing, now leveraging Solana dead drops for C2, a novel browser extension for surveillance, and the Model Context Protocol (MCP) ecosystem. The campaign delivers a .NET binary targeting Ledger and Trezor devices by masquerading as configuration errors and prompting users to input recovery phrases, while a Websocket-based JavaScript RAT exfiltrates browser data and deploys HVNC or SOCKS proxy modules. The malware uses a Google Chrome extension disguised as Google Docs Offline for session surveillance on cryptocurrency platforms like Bybit and harvests extensive browser data. Recent innovations include a Zig-compiled dropper embedded within an Open VSX extension named 'specstudio.code-wakatime-activity-tracker' masquerading as WakaTime, which installs platform-specific Node.js native addons compiled from Zig code to stealthily infect all IDEs on a developer's machine. This dropper downloads a malicious VS Code extension (.VSIX) named 'floktokbok.autoimport' from an attacker-controlled GitHub account, which impersonates a legitimate extension with over 5 million installs and installs silently across all detected IDEs, avoiding execution on Russian systems and communicating with the Solana blockchain for C2. A new large-scale social engineering campaign has emerged, distributing fake VS Code security alerts posted in GitHub Discussions to automate posts across thousands of repositories using low-activity accounts, triggering GitHub email notifications with fake vulnerability advisories containing realistic CVE references. Links redirect victims through a cookie-driven chain to drnatashachinn[.]com, where a JavaScript reconnaissance payload profiles targets before delivering additional malicious payloads. This operation represents a coordinated, large-scale effort targeting developers. 
GlassWorm remains a persistent supply chain threat impacting npm, PyPI, GitHub, and Open VSX ecosystems. Since its emergence in October 2025, the campaign has evolved from invisible Unicode steganography in VS Code extensions to a sophisticated multi-vector operation spanning 151 compromised GitHub repositories and dozens of malicious npm packages. The threat actor, assessed to be Russian-speaking, continues to avoid infecting Russian-locale systems and leverages Solana blockchain transactions as dead drops for C2 resolution. Recent developments include the ForceMemo offshoot that force-pushes malicious code into Python repositories, the abuse of extensionPack and extensionDependencies for transitive malware delivery, and the introduction of Rust-based implants targeting developer toolchains. Eclipse Foundation and Open VSX have implemented security measures such as token revocation and automated scanning, but the threat actors have repeatedly adapted by rotating infrastructure, obfuscating payloads, and expanding into new ecosystems like MCP servers. A new wave of the GlassWorm campaign targets the OpenVSX ecosystem with 73 "sleeper" extensions that activate after updates, delivering malware to developers. Six extensions have already been activated, while the remainder remain dormant or suspicious. The campaign leverages thin loaders that fetch secondary VSIX packages or platform-specific modules at runtime, marking a shift in the group's tactics to evade detection by avoiding direct malware embedding in initial uploads. The extensions mimic legitimate listings using identical icons and near-identical names to deceive developers. Developers who installed these extensions are advised to rotate all secrets and perform a full system clean-up.
Supply Chain Attack Targets npm Packages with Over 2.6 Billion Weekly Downloads
A supply chain attack involving multiple npm packages with over 2.6 billion weekly downloads has been discovered. The attack, which began in April 2025, involved the injection of malicious code into npm packages after compromising a maintainer's account via a phishing attack. The malicious code targets cryptocurrency wallets, including Atomic and Exodus, and redirects transactions to addresses controlled by threat actors. The attack has now expanded to include additional maintainers and packages, further broadening its impact. The malicious packages were removed within two hours of the attack, and the injected code targeted browser environments, hooking Ethereum and Solana signing requests. The attack was discovered and mitigated quickly, preventing more severe security incidents. The attack follows a series of similar incidents targeting JavaScript libraries, emphasizing the ongoing threat to the npm ecosystem and the broader supply chain. The compromised packages include popular ones such as ansi-regex, ansi-styles, chalk, debug, and others, collectively attracting over 2 billion weekly downloads. The malicious code operates by intercepting network traffic and application APIs, targeting various cryptocurrencies including Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash. At least 18 popular JavaScript code packages were compromised, collectively downloaded more than two billion times each week. The attack was narrowly focused on stealing cryptocurrency but highlights the potential for more disruptive malware outbreaks. The incident underscores the vulnerability of widely-used code maintained by a small number of developers and the need for stronger authentication measures.
EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware
The Russian threat actor EncryptHub is exploiting the MSC EvilTwin vulnerability (CVE-2025-26633) to deliver the Fickle Stealer malware. This campaign combines social engineering with technical exploitation to bypass security defenses. The group uses fake IT department requests and rogue Microsoft Console (MSC) files to trigger the infection routine. The malware collects system information, establishes persistence, and communicates with the EncryptHub command-and-control (C2) server. The threat actor has been active since mid-2024 and is known for using various methods, including fake job offers and compromised Steam games, to infect targets. The latest attack sequence involves using PowerShell commands and a Go-based loader called SilentCrystal to deploy the malware. The group also abuses the Brave Support platform to host next-stage malware and uses phony videoconferencing platforms to deceive victims into downloading malicious installers.