Back to Intelligence

DAEMON Tools Supply Chain Attack: Detection and Remediation for Trojanized Installers

SA
Security Arsenal Team
May 5, 2026
6 min read

A sophisticated supply chain attack has been identified targeting users of DAEMON Tools, a popular disk imaging and virtual drive application. According to research from Kaspersky (Igor Kuznetsov, Georgy Kucherin, Leonid), the official installers distributed via the vendor's legitimate website have been compromised to include malicious code.

The critical danger lies in the validity of the digital signatures. These trojanized installers are signed with certificates belonging to the DAEMON Tools developers, allowing them to bypass many standard trust validations and security controls that rely solely on certificate reputation. This is not a vulnerability in the disk imaging software itself, but a complete poisoning of the distribution channel. Defenders must act immediately to identify potential installations of these malicious binaries and contain the threat before the payload executes further stages, such as data exfiltration or ransomware deployment.

Technical Analysis

  • Affected Products: DAEMON Tools (Lite, Pro, Ultra, and other commercial variants)
  • Affected Platforms: Microsoft Windows
  • Attack Vector: Supply Chain Compromise (Trojanized Installer)
  • CVE Identifiers: N/A (This is a malicious software distribution event, not an exploitable software vulnerability in the application logic).
  • Mechanism: Attackers compromised the vendor's build or distribution infrastructure, injecting malicious code into the official installer packages (setup.exe or similar binaries).
  • Exploitation Status: Confirmed Active Exploitation. The malicious installers are currently being served from the official vendor domains.
  • Trust Abuse: The malware is signed with legitimate DAEMON Tools certificates, creating a significant challenge for EDR solutions that rely solely on whitelisting signed binaries without analyzing behavioral heuristics.

Detection & Response

Detecting this threat requires moving beyond simple signature checks. While the binary is signed, the behavior of the trojanized installer—specifically the post-installation execution of suspicious payloads or network connections—provides the high-fidelity telemetry needed for detection.

Below are detection rules and hunts designed to identify the execution chain associated with the trojanized installer and its subsequent malicious activity.

SIGMA Rules

YAML
---
title: DAEMON Tools Installer Spawning Suspicious Shell
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects DAEMON Tools installers spawning command shells or PowerShell immediately after execution, indicative of malicious payload execution.
references:
  - https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.initial_access
  - attack.t1195.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\DAEMONTools.exe'
      - '\DTLite.exe'
      - '\setup.exe'
    ParentCommandLine|contains:
      - 'DAEMON Tools'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate administrative script execution by the software (rare)
level: high
---
title: Suspicious Network Connection from DAEMON Tools Installer
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the DAEMON Tools installer process initiating network connections to non-standard ports or IPs, typical for C2 beacons.
references:
  - https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\DAEMONTools.exe'
      - '\DTLite.exe'
      - '\setup.exe'
    DestinationPort|not:
      - 80
      - 443
      - 8080
  condition: selection
falsepositives:
  - Legitimate update checks to vendor domains on standard ports
level: high

KQL (Microsoft Sentinel / Defender)

This hunt queries for process creation events where the parent process is a DAEMON Tools installer, but the child process is a scripting engine, a common technique in supply chain attacks to drop the second-stage payload.

KQL — Microsoft Sentinel / Defender
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("DAEMONTools.exe", "DTLite.exe", "setup.exe") 
| extend InitiatingProcessCommandLine = tostring(InitiatingProcessCommandLine)
| where InitiatingProcessCommandLine contains "DAEMON"
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

Velociraptor VQL

This Velociraptor artifact hunts for the specific presence of the installer files on disk and checks their creation timestamps against the known compromise window. It also cross-references the signed status.

VQL — Velociraptor
-- Hunt for DAEMON Tools installer files created recently
SELECT FullPath, Size, Mtime, Atime,
       hash(path=FullPath) AS Hash
FROM glob(globs="C:\Users\*\Downloads\*.exe", root=string("/"))
WHERE FullPath =~ "(?i)(daemon|dtools).*setup.*\.exe"
  AND Mtime > now() - 30d
-- Optionally check if the file is signed but suspicious

Remediation Script (PowerShell)

This script can be deployed via Endpoint Management (SCCM/Intune) to identify the presence of the compromised installer files in common download locations and quarantine/remove them. Note: This is a temporary containment measure pending full vendor guidance.

PowerShell
<#
.SYNOPSIS
    Detect and remove potentially compromised DAEMON Tools installers.
.DESCRIPTION
    Scans user download directories for DAEMON Tools installers created within the last 30 days
    and logs findings for remediation.
#>

$LogPath = "C:\Windows\Temp\DAEMON_Tools_Re mediation.log"
$DaysToLookBack = 30
$CutoffDate = (Get-Date).AddDays(-$DaysToLookBack)

Function Write-Log {
    param ([string]$message)
    Add-Content -Path $LogPath -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') - $message"
}

Write-Log "Starting scan for DAEMON Tools installers."

$UserProfiles = Get-ChildItem "C:\Users" -Directory

foreach ($Profile in $UserProfiles) {
    $DownloadPath = Join-Path $Profile.FullName "Downloads"
    
    if (Test-Path $DownloadPath) {
        Write-Log "Scanning directory: $DownloadPath"
        
        # Look for executables matching common DAEMON Tools installer names
        $SuspiciousFiles = Get-ChildItem -Path $DownloadPath -Filter "*.exe" -File | 
                           Where-Object { $_.Name -match "(?i)daemon|dtools|setup" -and $_.CreationTime -gt $CutoffDate }
        
        foreach ($File in $SuspiciousFiles) {
            Write-Log "Potentially compromised installer found: $($File.FullName)"
            
            # Verify Authenticode signature status
            $Signature = Get-AuthenticodeSignature -FilePath $File.FullName
            
            if ($Signature.Status -eq 'Valid') {
                Write-Log "WARNING: File is signed by $($Signature.SignerCertificate.Subject). Malware is using valid certs."
            }
            
            # Quarantine/Remove action (Uncomment to enforce)
            # Remove-Item -Path $File.FullName -Force -ErrorAction SilentlyContinue
            # Write-Log "Removed file: $($File.FullName)"
        }
    }
}

Write-Log "Scan complete."

Remediation

  1. Immediate Action: Instruct users to halt all installations of DAEMON Tools immediately. If an installation is in progress, kill the process and disconnect the machine from the network.
  2. Identify Compromised Hosts: Review EDR and SIEM logs using the queries provided above. Focus on systems where DAEMON Tools was installed or updated in the last 30 days.
  3. Verify Hashes: Compare the hashes of the downloaded installers (SHA-256) against the official list provided by DAEMON Tools security advisory (expected soon) or Kaspersky’s report. If a hash is missing from the vendor's "known good" list, treat the host as compromised.
  4. Isolation: Isolate any endpoints where the trojanized installer was executed. Do not rely on the binary's digital signature status as a proxy for safety.
  5. Image Reimaging: Due to the nature of supply chain attacks involving valid signatures, full disk imaging and re-imaging is the safest remediation path for affected endpoints, followed by restoration from clean backups.
  6. Vendor Communication: Monitor the official DAEMON Tools website for a clean installer release. Verify the integrity of any new download via multiple sources before allowing internal deployment.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirdaemon-toolssupply-chain-attackmalware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action