DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise

Suspected
Discovered May 31, 2026

CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.

0
Affected Packages
11
Observables
5
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
mcrypto[.]dat
env-check[.]daemontools[.]cc
38[.]180[.]107[.]76
9ccd769624de98eeeb12714ff1707ec4f5bf196d
50d47adb6dd45215c7cb4c68bae28b129ca09645

Analysis

Executive Summary

CISA added CVE-2026-8398 to KEV on 2026-05-27, describing an embedded malicious-code vulnerability in DAEMON Tools Lite [raw.githubusercontent.com opens in a new tab]. Disc Soft's incident notice says unauthorized interference in its infrastructure caused some installation packages to be released in a compromised state, and that DAEMON Tools Lite 12.6.0.2445 replaced the affected build [blog.daemon-tools.cc opens in a new tab].

Kaspersky's research reported a signed-installer supply-chain attack affecting DAEMON Tools Lite versions in the 12.5.0.2421 through 12.5.0.2434 range, with malicious code in DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe [Sources 3, 5]. The implanted startup code contacted a typosquatted command server, collected host and software inventory, and selectively delivered a minimal backdoor and, in one observed organization, QUIC RAT [securelist.com opens in a new tab]. Treat installs of the affected free Lite version during the April-May 2026 window as endpoint compromise leads until local evidence proves otherwise.

Key Facts

Event Id: daemon-tools-lite-cve-2026-8398-supply-chain

Cve: CVE-2026-8398

Vendor: Disc Soft / DAEMON Tools

Product: DAEMON Tools Lite

Kev Added: 2026-05-27

Kev Due: 2026-05-30

Affected Versions Reported:

  • 12.5.0.2421 through 12.5.0.2434
  • DAEMON Tools Lite 12.5.1 free, per vendor user guidance

Clean Version: 12.6.0.2445

Distribution Window: approximately 2026-04-08 through 2026-05-05

Trojanized Binaries:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

Payloads Reported:

  • host information collector
  • minimalistic backdoor
  • QUIC RAT

Last Verified: 2026-06-10

Evidence Assessment

  • confirmed: CISA lists CVE-2026-8398 in KEV with active exploitation evidence and a 2026-05-30 due date [raw.githubusercontent.com opens in a new tab].
  • confirmed: The vendor states unauthorized interference affected its infrastructure and that certain installation packages were released compromised [blog.daemon-tools.cc opens in a new tab].
  • confirmed: The vendor says DAEMON Tools Lite 12.6.0.2445 no longer exhibits the incident behavior and that affected 12.5.1 free users should uninstall, scan, and install 12.6 [blog.daemon-tools.cc opens in a new tab].
  • reported by primary research: Kaspersky identifies the affected 12.5.0.2421-12.5.0.2434 range and three modified signed binaries [kaspersky.com opens in a new tab].
  • reported by primary research: Kaspersky observed thousands of attempted payload deployments across more than 100 countries, but later-stage payloads on only about a dozen systems; this supports broad installer exposure but selective follow-on targeting [Sources 3, 5].
  • confirmed IOC mapping: Kaspersky published the command domain, IP address, payload paths, and SHA-1 values listed below [securelist.com opens in a new tab].
  • unclear: Public sources do not provide a full build-system root cause or complete victim list.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseA host installed or executed an affected DAEMON Tools Lite build and malicious binary/process/network evidence is present.Installed version, file inventory, process telemetry, persistence evidence, EDR detections, network logs, and user timeline.Isolate host, preserve disk and memory where possible, remove affected software, run full malware response, and reset credentials used on the host.
Presumed exposedA host installed DAEMON Tools Lite 12.5.1 free or a 12.5.0.2421-12.5.0.2434 build during the affected period but runtime telemetry is incomplete.Software inventory, installer cache, download logs, browser history, package hash, or vendor path evidence.Treat as exposed and perform endpoint triage before returning host to normal use.
Potentially exposedDAEMON Tools Lite is present but version and install date are unavailable.Registry uninstall keys, EDR inventory, file metadata, prefetch, AmCache/ShimCache, installer cache, and proxy logs.Reconstruct version and execution timeline.
Not exposedNo DAEMON Tools Lite install, or only verified 12.6.0.2445+ from official sources after the vendor cleanup.Negative inventory and file evidence, or clean-version proof.Preserve evidence and block affected installers in software controls.

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Hashes

  • 9ccd769624de98eeeb12714ff1707ec4f5bf196d
  • 50d47adb6dd45215c7cb4c68bae28b129ca09645
  • 0c1d3da9c7a651ba40b40e12d48ebd32b3f31820
  • 28b72576d67ae21d9587d782942628ea46dcc870
  • 46b90bf370e60d61075d3472828fdc0b85ab0492
  • 6325179f442e5b1a716580cd70dea644ac9ecd18
  • bd8fbb5e6842df8683163adbd6a36136164eac58
  • 15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29

Domains

  • mcrypto.dat
  • env-check[.]daemontools[.]cc

Ips

  • 38[.]180[.]107[.]76

Remediation and Closure

Uninstall affected DAEMON Tools Lite builds, install only the verified 12.6 or later official build if the tool is still required, and run a full endpoint scan as the vendor recommends [blog.daemon-tools.cc opens in a new tab]. For enterprise response, also collect persistence artifacts, process execution history, browser/download history, proxy logs, and credentials used on the host during the affected period.

Closure requires a clean software inventory, no affected binaries remaining on disk, endpoint scan or EDR review evidence, and a decision on whether local credentials need rotation based on what the host could access.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
May 31, 2026DiscoveryDiscovery recorded for DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise.securelist.com
May 31, 2026DisclosureDisclosure recorded for DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise.securelist.com
May 31, 2026DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain CompromiseUnknownsecurelist.com
May 31, 2026First seenFirst seen recorded for DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise.securelist.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

11 IOCs
domainmcrypto.dat
domainenv-check.daemontools.cc
ip38.180.107.76
hash9ccd769624de98eeeb12714ff1707ec4f5bf196d
hash50d47adb6dd45215c7cb4c68bae28b129ca09645
hash0c1d3da9c7a651ba40b40e12d48ebd32b3f31820
hash28b72576d67ae21d9587d782942628ea46dcc870
hash46b90bf370e60d61075d3472828fdc0b85ab0492
hash6325179f442e5b1a716580cd70dea644ac9ecd18
hashbd8fbb5e6842df8683163adbd6a36136164eac58
hash15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabsecurelist.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-daemon-tools-lite-cve-2026-8398-supply-chain-scope"))

DOMAINS = ["mcrypto.dat","env-check.daemontools.cc"]
IPS = ["38.180.107.76"]
HASHES = ["9ccd769624de98eeeb12714ff1707ec4f5bf196d","50d47adb6dd45215c7cb4c68bae28b129ca09645","0c1d3da9c7a651ba40b40e12d48ebd32b3f31820","28b72576d67ae21d9587d782942628ea46dcc870","46b90bf370e60d61075d3472828fdc0b85ab0492","6325179f442e5b1a716580cd70dea644ac9ecd18","bd8fbb5e6842df8683163adbd6a36136164eac58","15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29"]

# Collect unique indicators
indicators = set()
for group in [DOMAINS, IPS, HASHES]:
    for val in group:
        if val:
            indicators.add(val)

            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if "PACKAGES" in globals() and PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

5 of 5 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
securelist.comSecurity Researcher95%1CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
blog.daemon-tools.ccSecurity Researcher95%1CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
kaspersky.comSecurity Researcher95%1CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
raw.githubusercontent.comVendor95%1CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
nvd.nist.govSecurity Researcher95%1CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise — Halting Problems