TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GBHackers

Hackers Abuse DAEMON Tools Distribution Channel to Deliver Malicious Payloads

Divya · 1 day ago

ATT&CK techniques detected

9 predictions
T1059.001 PowerShell
98%
“march 27, roughly a week before the supply chain attack began. in response to the get requests, the command-and-control (c2) server can return a shell command to be executed via the cmd.exe process. security researchers from securelist observed attackers using powershell c…”
T1543.004 Launch Daemon
95%
“infected daemon tools lite installers 9ccd769624de98eeeb12714ff1707ec4f5bf196d (12.5.0.2421) 50d47adb6dd45215c7cb4c68bae28b129ca09645 (12.5.0.2422) 0c1d3da9c7a651ba40b40e12d48ebd32b3f31820 (12.5.0.2423) 28b72576d67ae21d9587d782942628ea46dcc870 (12.5.0.2424) 46…”
T1195.002 Compromise Software Supply Chain
89%
“hackers abuse daemon tools distribution channel to deliver malicious payloads a sophisticated supply-chain attack has compromised the official distribution channel for daemon tools, delivering multi-stage malware to users worldwide. since april 8, 2026, threat actors have dis…”
T1071.001 Web Protocols
86%
“command-and-control servers to execute arbitrary shell commands. manual misspellings found in the deployment scripts (such as typing “chiper” instead of “cipher”) strongly indicate live, hands-on-keyboard activity by the hackers. - quic rat: the most advanced stage…”
T1055.001 Dynamic-link Library Injection
78%
“command-and-control servers to execute arbitrary shell commands. manual misspellings found in the deployment scripts (such as typing “chiper” instead of “cipher”) strongly indicate live, hands-on-keyboard activity by the hackers. - quic rat: the most advanced stage…”
T1071 Application Layer Protocol
57%
“command-and-control servers to execute arbitrary shell commands. manual misspellings found in the deployment scripts (such as typing “chiper” instead of “cipher”) strongly indicate live, hands-on-keyboard activity by the hackers. - quic rat: the most advanced stage…”
T1195.002 Compromise Software Supply Chain
56%
“tools deep forensic analysis revealed that, for daemon tools versions 12.5.0.2421 to 12.5.0.2434, the attackers successfully compromised three specific binaries within the software installations. these files are dthelper.exe, discsoftbusservicelite.exe, and dtshellhlp.ex…”
T1072 Software Deployment Tools
40%
“hackers abuse daemon tools distribution channel to deliver malicious payloads a sophisticated supply-chain attack has compromised the official distribution channel for daemon tools, delivering multi-stage malware to users worldwide. since april 8, 2026, threat actors have dis…”
T1204.002 Malicious File
36%
“command-and-control servers to execute arbitrary shell commands. manual misspellings found in the deployment scripts (such as typing “chiper” instead of “cipher”) strongly indicate live, hands-on-keyboard activity by the hackers. - quic rat: the most advanced stage…”

Summary

A sophisticated supply-chain attack has compromised the official distribution channel for DAEMON Tools, delivering multi-stage malware to users worldwide. Since April 8, 2026, threat actors have distributed trojanized installers signed with legitimate digital certificates to conduct highly targeted cyberespionage operations. Attackers successfully breached the development pipeline of AVB Disc Soft, the creators of the widely […]

The post Hackers Abuse DAEMON Tools Distribution Channel to Deliver Malicious Payloads appeared first on GBHackers Security.