2026-05-05 BleepingComputer

DAEMON Tools Backdoor Attack: Supply Chain Compromise

Tags: Supply Chain, Malware, Threat Intel

On April 8, 2026, Disc Soft Ltd. confirmed that the official DAEMON Tools Pro installer (version 8.0.0.0634) had been trojanized and was being distributed through its website. The compromised installer carried an additional, malicious DLL (msvcp140.dll) that was loaded by the legitimate executable via DLL side‑loading. The tampered package remained available for download for approximately 72 hours before the company removed it and issued a clean replacement. During this window, over 4,000 unique systems are reported to have installed the backdoored version.

The injected DLL acts as a loader for a modular backdoor designated Backdoor.Win32.DaemonTools.A. Upon execution, the malware establishes persistence via a randomly named Run key value in the registry (e.g., HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xKf9s) and contacts command‑and‑control (C2) servers located in the 185.220.101.0/24 subnet over HTTPS. The backdoor can download additional payloads, execute arbitrary commands, and exfiltrate system information, making it a versatile tool for espionage and further compromise. Researchers at CyberCrime Intelligence (CCI) observed the C2 infrastructure reusing previously documented TTPs associated with the APT group APT28, indicating a possible nation‑state link, though attribution remains preliminary.

Indicators of compromise (IOCs) include the SHA‑256 hash of the malicious installer (a3f8c2d9e5b7c1a0f6e4d2b8c9a3e1f7b4d5c6e8) and of the malicious DLL (b7c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7). Endpoint protection platforms (EPP) that use behavioral analysis flagged the registry modification and the anomalous HTTP traffic to the noted IP range. Security teams are advised to hunt for Run key entries whose value names are random alphanumeric strings and to monitor for outbound connections to 185.220.101.x addresses.
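The two hunts described above, random-looking Run value names and outbound connections into the named subnet, can be scripted over exported telemetry. The following is an added example written for this page, not code from BleepingComputer, CCI or Disc Soft; the Run entries and connection records are constructed sample data in the shape a registry export or EDR network table would give, the value name "xKf9s" mirrors the article's example, and the scoring heuristic for "random alphanumeric" names is an assumption of this example rather than anything the vendors published.

```python
import ipaddress

# Constructed sample Run-key entries (value name, command line), as a registry
# export or an autoruns-style EDR table would list them. Not real telemetry.
SAMPLE_RUN_ENTRIES = [
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    ("xKf9s", r"C:\Program Files\DAEMON Tools Pro\DTAgent.exe"),   # name shape from the article
    ("Qz7mB2vL", r"C:\Users\alice\AppData\Roaming\updater.exe"),   # constructed
]

# Constructed sample outbound connections: (pid, remote ip, remote port).
SAMPLE_CONNECTIONS = [
    (1234, "52.96.0.1", 443),
    (4567, "185.220.101.47", 443),
    (4567, "10.0.0.5", 445),
]

# C2 range named in the article.
C2_SUBNET = ipaddress.ip_network("185.220.101.0/24")

VOWELS = set("aeiouAEIOU")


def random_name_score(name: str) -> int:
    """Score how much a Run value name looks like a random alphanumeric string.

    Three cheap signals, one point each (heuristic assumed for this example):
      * contains at least one digit
      * the letters change case at least twice (xKf9s, Qz7mB2vL)
      * fewer than a fifth of the letters are vowels; pronounceable product
        names such as OneDrive or SecurityHealth score far higher
    """
    letters = [c for c in name if c.isalpha()]
    score = 0
    if any(c.isdigit() for c in name):
        score += 1
    transitions = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    if transitions >= 2:
        score += 1
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        score += 1
    return score


def looks_random(name: str, threshold: int = 2) -> bool:
    # Very short names give the heuristic too little to work with; skip them.
    return len(name) >= 4 and random_name_score(name) >= threshold


def flag_run_entries(entries):
    """Return the value names from (name, command) Run entries that match the
    random-alphanumeric pattern the hunt guidance describes."""
    return [name for name, _cmd in entries if looks_random(name)]


def in_c2_range(ip: str) -> bool:
    """True if the remote address falls inside the published C2 subnet."""
    try:
        return ipaddress.ip_address(ip) in C2_SUBNET
    except ValueError:  # malformed address in the telemetry; never a match
        return False


def flag_connections(connections):
    """Return (pid, ip, port) records whose remote address is in the C2 range."""
    return [rec for rec in connections if in_c2_range(rec[1])]


if __name__ == "__main__":
    for name in flag_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"suspicious Run value name: {name}")
    for pid, ip, port in flag_connections(SAMPLE_CONNECTIONS):
        print(f"pid {pid} connected into C2 range: {ip}:{port}")
```

In practice the Run entries come from an export of both the HKLM and HKCU Run keys and the connections from the EDR's network events; the name heuristic is deliberately loose and will flag some legitimate vendor names, so treat its output as a triage queue to review against a known-good allowlist, while a hit on the subnet check is a hard indicator that warrants isolating the host.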

Organizations that may have deployed the affected installer should immediately isolate the impacted hosts, remove the malicious DLL and registry keys, and reinstall DAEMON Tools from the official site after verifying the file’s digital signature. Implementing application whitelisting, restricting execution of unsigned DLLs, and employing network‑level blocking of the identified C2 IPs will help mitigate the risk of reinfection. Continuous monitoring for the provided IOCs and regular updates to threat‑intel feeds are essential to detect any resurgence of this supply‑chain threat.

Source: BleepingComputer
