ctipilot.ch

DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted

incident · incident:daemon-tools-supply-chain-2026

Coverage timeline: 2 appearances, first 2026-05-09, last 2026-05-10
Briefs: 2 (2 distinct)
Sources cited: 42 (27 hosts)
Sections touched: 2 (active-threats, weekly_summary)
Co-occurring entities: 6 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     weekly_summary · Consolidated in weekly summary for week 2026-W19
  2. 2026-05-09 · CTI Daily Brief — 2026-05-09
     active-threats · First coverage. Versions 12.5.0.2421–12.5.0.2434 trojanised. QUIC RAT: process injection into notepad.exe/conhost.exe, C2 over QUIC (UDP 443). Several thousand installation attempts across ~100 countries, DE/FR/ES/IT among the top victim countries; QUIC RAT selectively deployed to roughly a dozen government/scientific/manufacturing/retail targets. Chinese-language artefacts, no formal attribution. Clean version: 12.6.0.2445.

Where this entity is cited

  • active-threats (1)
  • weekly_summary (1)

Source distribution

  • attack.mitre.org: 7 (17%)
  • github.com: 6 (14%)
  • helpnetsecurity.com: 2 (5%)
  • kaspersky.com: 2 (5%)
  • ccb.belgium.be: 2 (5%)
  • sec.cloudapps.cisco.com: 2 (5%)
  • bleepingcomputer.com: 1 (2%)
  • therecord.media: 1 (2%)
  • other: 19 (45%)

Related entities

All cited sources (42)

Items in briefs about DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted (2)

DAEMON Tools Lite supply-chain compromise — China-nexus QUIC RAT delivered via signed installers; ~12 selective government / scientific / manufacturing targets

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11 · view item permalink →

Official DAEMON Tools Lite Windows installers (versions 12.5.0.2421 through 12.5.0.2434) were trojanised on the Disc Soft vendor distribution server from 8 April to 5 May 2026; the malicious installers carried a valid AVB Disc Soft code-signing signature, so a certificate check alone did not distinguish them from clean builds. The campaign ran in three stages: a .NET information collector (envchk.exe) for host fingerprinting, deployed broadly across more than 100 countries (Germany, France, Spain, and Italy appear explicitly in first-stage victim telemetry); a shellcode-based backdoor; and QUIC RAT, a C++ implant supporting HTTP / UDP / TCP / WebSocket / QUIC / HTTP/3 C2 channels, selectively deployed to approximately twelve targets in the government, scientific, manufacturing, and retail sectors, which Kaspersky places in Russia, Belarus, and Thailand. Chinese-language strings in the information collector suggest a Chinese-speaking actor; there is no formal attribution to a named group. The C2 domain was registered on 2026-03-27, roughly two weeks before the first trojanised installer appeared (2026-04-08), indicating a pre-planned operation. Disc Soft acknowledged the compromise on 2026-05-05, released clean version 12.6.0.2445, and resolved the distribution compromise within 12 hours (Kaspersky Securelist · The Record, 2026-05-06 · BleepingComputer, 2026-05-06 · Help Net Security, 2026-05-06 · daily 2026-05-07 and 2026-05-09 UPDATE).

Defender takeaway: audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 installed on any government, scientific, or manufacturing endpoint since 8 April 2026; hunt for envchk.exe, for unsigned binaries injecting into notepad.exe or conhost.exe, and for outbound UDP 443 (QUIC) to non-sanctioned destinations; Sysmon EID 1 filtered on parent image surfaces post-injection activity. The operationally important detail is the pattern: selective deployment of the QUIC-channel implant behind a broad reconnaissance stage. It explains why raw installation telemetry is a poor proxy for where the actor actually operated: thousands of hosts were profiled, roughly a dozen received the implant.

DAEMON Tools Lite supply chain — QUIC RAT deployed via signed installer; EU governments among targeted victims

From CTI Daily Brief — 2026-05-09 · published 2026-05-09 · view item permalink →

Since 8 April 2026, trojanised builds of DAEMON Tools Lite (12.5.0.2421 through 12.5.0.2434) have been distributed from the legitimate vendor website, signed with valid AVB Disc Soft certificates. Kaspersky researchers documented a three-stage architecture: an initial profiling component (envchk.exe) that fingerprints the host; a minimal backdoor enabling remote command execution on selected targets; and QUIC RAT, an advanced implant that injects into notepad.exe and conhost.exe, supports C2 over QUIC (UDP 443, which TCP-based forward proxies and TLS-inspection appliances do not terminate or inspect), and implements shell execution, file management, process injection, keylogging, a SOCKS proxy, and TCP tunnelling (Kaspersky Securelist, 2026-05-05, updated 2026-05-08 · Help Net Security, 2026-05-06). Several thousand installation attempts were observed across ~100 countries; Germany, France, Spain, and Italy are among the top victim countries by installation count. Targeted QUIC RAT deployment was limited to approximately a dozen machines in the government, scientific, manufacturing, and retail sectors, a selective activation consistent with intelligence-collection objectives. Artefacts including Chinese-language strings suggest a Chinese-speaking actor; no formal attribution has been made. The clean release is version 12.6.0.2445 (released 2026-05-06).

MITRE ATT&CK coverage: T1195.002 Supply Chain Compromise: Compromise Software Supply Chain; T1553.002 Subvert Trust Controls: Code Signing (valid AVB Disc Soft signature on the trojanised installers); T1082 System Information Discovery (envchk.exe host fingerprinting); T1036.004 Masquerading: Masquerade Task or Service (kworker/ksoftirqd masquerade); T1573.002 Encrypted Channel: Asymmetric Cryptography (TLS 1.3 handshake inside QUIC); T1055 Process Injection (notepad.exe / conhost.exe); T1056.001 Input Capture: Keylogging; T1090 Proxy (SOCKS proxy); T1572 Protocol Tunneling (TCP tunnelling).

Defender takeaway: Audit endpoints for DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 (compare the full four-part build number; a signature check alone passes, because the trojanised installers were validly signed). Hunt for envchk.exe, for unsigned binaries injecting into notepad.exe or conhost.exe, and for outbound QUIC (UDP 443) to non-sanctioned destinations. Sysmon EID 1 filtered on a parent image of notepad.exe or conhost.exe surfaces post-injection activity: legitimate children of notepad.exe are rare (actions launched from its file dialogs are the usual benign source) and conhost.exe as a parent is rarer still, so triage the child image and its signer rather than tuning the rule away. Sysmon EID 8 (CreateRemoteThread) and EID 10 (ProcessAccess) with a target image of either process catch the injection itself rather than its after-effects. Because QUIC runs over UDP, TCP-only proxies never see it; where QUIC is not business-required, blocking outbound UDP 443 at the egress makes browsers fall back to TCP and denies the implant its uninspected channel, pushing it onto one of its TCP-based transports where proxy logging applies. Update to 12.6.0.2445.
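As an added example (not code from the briefs, from Disc Soft or from Kaspersky's report), the hunt in both defender takeaways above expressed as detection logic run over a constructed inventory export and a handful of constructed Sysmon events. The field names mirror Sysmon's own (EventID, Image, ParentImage, SourceImage, TargetImage, Protocol, DestinationIp, DestinationPort); the sample paths, the DTLiteInstaller.exe and upd.exe file names, and the allowlisted QUIC range are invented placeholders. It goes one step beyond the briefs' EID 1 filter by also checking EID 8 (CreateRemoteThread) for threads created in notepad.exe or conhost.exe, which catches the injection itself.

```python
"""Hunt logic for the DAEMON Tools Lite indicators in the briefs above.

Inputs are assumed to be (a) a software-inventory export as (DisplayName,
DisplayVersion) pairs read from the Windows Uninstall registry keys and
(b) Sysmon events exported from a SIEM as dicts keyed by Sysmon's field names.
All sample data in this file is constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable

# Build window the briefs report as trojanised (inclusive) and the clean release.
FIRST_BAD = (12, 5, 0, 2421)
LAST_BAD = (12, 5, 0, 2434)
CLEAN = (12, 6, 0, 2445)

# Processes QUIC RAT injects into, and the stage-one collector, per the briefs.
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}
COLLECTOR = "envchk.exe"


def parse_version(text: str) -> tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def is_trojanised_version(text: str) -> bool:
    """True when an installed build lies inside the reported bad window."""
    return FIRST_BAD <= parse_version(text) <= LAST_BAD


def audit_inventory(entries: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (name, version) inventory rows that need removal or reimaging."""
    return [(name, ver) for name, ver in entries
            if "daemon tools lite" in name.lower() and is_trojanised_version(ver)]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\notepad.exe' -> 'notepad.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_sysmon(events: Iterable[dict], sanctioned_quic: Iterable[str]) -> list[dict]:
    """Flag Sysmon events matching the briefs' process and network indicators.

    EID 1  process creation: envchk.exe itself, or any child of notepad.exe/conhost.exe
    EID 8  CreateRemoteThread: a foreign image creating a thread in notepad.exe/conhost.exe
    EID 3  network connection: UDP/443 (QUIC) to a destination outside the allowlist
    """
    allow = [ipaddress.ip_network(net) for net in sanctioned_quic]
    hits: list[dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:
            if basename(ev.get("Image", "")) == COLLECTOR:
                hits.append({"rule": "envchk_collector", "event": ev})
            if basename(ev.get("ParentImage", "")) in INJECTION_HOSTS:
                hits.append({"rule": "child_of_injection_host", "event": ev})
        elif eid == 8:
            src, dst = basename(ev.get("SourceImage", "")), basename(ev.get("TargetImage", ""))
            if dst in INJECTION_HOSTS and src != dst:
                hits.append({"rule": "remote_thread_into_injection_host", "event": ev})
        elif eid == 3:
            is_quic = (ev.get("Protocol", "").lower() == "udp"
                       and int(ev.get("DestinationPort", 0)) == 443)
            if is_quic:
                dst_ip = ipaddress.ip_address(ev["DestinationIp"])
                if not any(dst_ip in net for net in allow):
                    hits.append({"rule": "quic_to_unsanctioned_dest", "event": ev})
    return hits


# --- constructed sample data (not real telemetry) ---------------------------
INVENTORY = [
    ("DAEMON Tools Lite", "12.5.0.2430"),   # inside the bad window
    ("DAEMON Tools Lite", "12.6.0.2445"),   # clean release
    ("7-Zip 23.01 (x64)", "23.01"),         # unrelated software
]
SANCTIONED_QUIC = ["198.51.100.0/24"]       # placeholder for approved CDN/SaaS ranges
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\envchk.exe",
     "ParentImage": r"C:\Users\alice\Downloads\DTLiteInstaller.exe"},  # hypothetical installer name
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                        # benign
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\upd.exe",  # hypothetical injector
     "TargetImage": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\notepad.exe", "Protocol": "udp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},        # sanctioned
]

if __name__ == "__main__":
    for row in audit_inventory(INVENTORY):
        print("vulnerable build installed:", row)
    for hit in hunt_sysmon(EVENTS, SANCTIONED_QUIC):
        print(hit["rule"], "->", hit["event"].get("Image") or hit["event"].get("SourceImage"))
```

On the constructed events this reports the envchk.exe launch, cmd.exe spawned by notepad.exe, the remote thread into conhost.exe, and the UDP 443 flow from notepad.exe to 203.0.113.10, while leaving the benign notepad.exe start and the sanctioned QUIC flow alone. Two things matter in production: EID 3 only carries UDP flows if the Sysmon configuration's NetworkConnect rules include them, and browsers generate large volumes of legitimate QUIC to CDNs, so the allowlist (or an egress block on UDP 443) is what keeps the last rule actionable.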