DAEMON Tools: Signed Installers Distributed a Backdoor

Colleagues, note: a supply-chain attack against DAEMON Tools has been discovered. Kaspersky reported that, from 8 April, legitimate signed installers on the official site were trojanized: DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe were replaced. The replaced binaries contact env-check.daemontools[.]cc and fetch envchk.exe and cdg.exe/cdg.tmp, which deploy a shellcode loader and a QUIC RAT. Telemetry shows thousands of attempts across 100+ countries, while the second-stage payload reached only about a dozen hosts in retail, research, government and manufacturing. I recommend isolating machines with DAEMON Tools and conducting a deep hunt and cleanup. Why this matters: a signed installer can bypass endpoint defenses and materially increase lateral-movement risk. What actions have you taken? #cybersecurity #supplychain #endpointsecurity
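One way to start the hunt the post recommends, as an added example that is not part of the original post and not Kaspersky's or DAEMON Tools' code: it matches DNS log lines against the C2 domain (including subdomains) and a file inventory against the second-stage payload names quoted above. The log lines and paths are constructed sample data; the replaced installers carry legitimate file names, so they are deliberately not flagged by name alone.

```python
import re
from typing import Dict, List

# Indicators taken from the post above (domain kept defanged as written there).
C2_DOMAIN_DEFANGED = "env-check.daemontools[.]cc"
SECOND_STAGE_FILES = {"envchk.exe", "cdg.exe", "cdg.tmp"}
# DTHelper.exe etc. are legitimate names; confirming a trojanized copy needs a
# hash comparison against vendor-published values, which the post does not give.

def refang(domain: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()

def hunt_dns_lines(lines: List[str]) -> List[str]:
    """Return log lines whose queried name is the C2 domain or a subdomain of it."""
    target = refang(C2_DOMAIN_DEFANGED)
    hits = []
    for line in lines:
        # Host names appear as bare dotted tokens; compare case-insensitively.
        for token in re.findall(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", line):
            name = token.lower().rstrip(".")
            if name == target or name.endswith("." + target):
                hits.append(line)
                break
    return hits

def hunt_file_inventory(paths: List[str]) -> List[str]:
    """Return inventory paths whose base name matches a second-stage payload name."""
    return [p for p in paths
            if p.replace("\\", "/").rsplit("/", 1)[-1].lower() in SECOND_STAGE_FILES]

def run_hunt(dns_lines: List[str], paths: List[str]) -> Dict[str, List[str]]:
    return {"dns": hunt_dns_lines(dns_lines), "files": hunt_file_inventory(paths)}

# Constructed sample data for an offline demonstration (not real telemetry).
SAMPLE_DNS = [
    "host01 query A env-check.daemontools.cc",
    "host02 query A update.example.com",
    "host03 query A cdn.ENV-CHECK.daemontools.cc",
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\envchk.exe",
    r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
    r"C:\Windows\Temp\cdg.tmp",
]

if __name__ == "__main__":
    for kind, hits in run_hunt(SAMPLE_DNS, SAMPLE_PATHS).items():
        print(kind, hits)
```

Feed it the exported DNS or proxy logs and a file inventory from each host with DAEMON Tools installed; any hit is a candidate for isolation and full forensic review.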

