Hackers speaking Chinese slipped a backdoor into Daemon Tools, the long-trusted Windows utility for mounting disc images. Thousands of users worldwide downloaded tainted installers from the official site. Kaspersky spotted the breach first, on April 8. The attack persists.
Users grabbed versions from 12.5.0.2421 to 12.5.0.2434. Those files carried legitimate digital signatures from AVB Disc Soft, Daemon Tools’ developer. No red flags at first glance. Install DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe. They fire up at boot. A hidden thread pings https://env-check.daemontools[.]cc/2032716822411 with the machine’s full name. Typo in the domain—daemontools.cc instead of daemon-tools.cc. Sneaky.
The server might reply with a PowerShell command. It fetches malware from 38.180.107[.]76. One payload: envchk.exe. That .NET tool grabs MAC address, hostname, DNS domain, running processes, installed software, system locale. Posts it back. Chinese strings lurk in its code—hint of the attackers’ origin, per Kaspersky’s Securelist report.
Not every hit got the full treatment. Thousands of probes across 100-plus countries. Russia led, then Brazil, Turkey, Spain, Germany, France, Italy, China. But advanced payloads hit just a dozen machines. Retail outfits. Scientific labs. Manufacturers. Government offices in Russia, Belarus, Thailand. Selective. Calculated.
Deeper stages emerged. A shellcode loader called cdg.exe downloads cdg.tmp, decrypts with RC4. Spawns a basic backdoor for file grabs, shell runs, in-memory code. Then a slick QUIC RAT. C++ beast, control-flow flattened, WolfSSL baked in, msquic.dll tucked away. It chats over HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3. Injects into notepad.exe, conhost.exe. Stealthy persistence.
Disc Soft knows. “Our team is treating this matter with the highest priority and is actively working to assess and address the issue,” a representative told TechCrunch. “At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users.” No word on how hackers got in—build server? Update pipeline? Accounts compromised?
This fits a pattern. Back in February, Chinese government-linked hackers hijacked Notepad++ updates for months, per another TechCrunch report. Targeted East Asia interests. Echoes SolarWinds, but smaller scale. April brought CPUID’s site hijack. Malicious HWMonitor downloads for six hours, The Register detailed. Fake DLLs stole browser creds. Supply chains bleed.
And the backdoor inherits Daemon Tools’ elevated privileges. No UAC pop-up. Admin rights from the start. Users trust the green cert badge. Why wouldn’t they? Daemon Tools has shipped since 2004, millions of installs. But signed malware fools scanners sometimes. VirusTotal flagged the installer hash e22024a58de56b3655d6be7e3b21703325a57e0dd920bd9611588f5e33bb5132 eventually.
Kaspersky shared IOCs. Hashes like SHA-1 9ccd769624de98eeeb12714ff1707ec4f5bf196d for the first bad installer. Paths to temp files: envchk.exe, cdg.exe. C2 paths like /09505aca4f538bd. Detection rules out now. Their tools block it.
But questions linger. Attackers registered the fake domain March 27. Waited till April 8 to strike. Why Daemon Tools? Low-hanging fruit for broad reach, then pick targets. Businesses made up 10% of probes. Perfect for espionage.
Industry insiders see the cracks. Supply chain defenses lag. Code signing helps, but not enough. SBOMs? Rare in consumer apps. Runtime monitoring? Spotty. Developers must lock build pipelines, rotate keys, audit vendors. Users: scan installs, watch for odd network calls. Switch tools if unsure—ImgBurn, Virtual CloneDrive wait in wings.
So the breach drags on. Kaspersky notified Disc Soft weeks ago. No clean fix announced. Downloaders still pull from that IP. Check your systems. Run hashes. Assume compromise if you grabbed those versions post-April 8. Chinese hackers wait in the wings. Patient.


WebProNews is an iEntry Publication