diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
index 504f2aaf..072c501b 100644
--- a/iocs/c2-iocs.txt
+++ b/iocs/c2-iocs.txt
@@ -1908,4 +1908,8 @@
 repocket.com
 181.214.147.164;65
 192.119.99.42;65
-# Last Line
\ No newline at end of file
+# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
+env-check.daemontools.cc
+38.180.107.76
+
+# Last Line
diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
index a2b5d583..c02c9bb1 100644
--- a/iocs/filename-iocs.txt
+++ b/iocs/filename-iocs.txt
@@ -4557,7 +4557,17 @@
 C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
 \\AppData\\Roaming\\ProShow\\load$;75
 \\AppData\\Roaming\\ProShow\\ProShow\.exe;75
 \\AppData\\Roaming\\Adobe\\Scripts\\alien\.ini;75
-\\AppData\\Roaming\\Adobe\\Scripts\\script.exe;75
+\\AppData\\Roaming\\Adobe\\Scripts\\script\.exe;75
 \\libtcc\.dll;60
+# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
+C:\\Temp\\crypto\.dll;85
+C:\\Windows\\Temp\\envchk\.exe;85
+\\AppData\\Roaming\\Microsoft\\mcrypto\.dat;85
+C:\\Windows\\Temp\\cdg\.exe;85
+C:\\Windows\\Temp\\cdg\.tmp;85
+C:\\Windows\\Temp\\imp\.tmp;85
+C:\\Windows\\Temp\\piyu\.exe;85
+C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85
+
 # End
diff --git a/iocs/hash-iocs.txt b/iocs/hash-iocs.txt
index f56dbfcc..8071c8e1 100644
--- a/iocs/hash-iocs.txt
+++ b/iocs/hash-iocs.txt
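Review bot: The comment line `+# DAEMON Tools Lite supplychain comrpomise ...` misspells the campaign name, and the same typo is repeated in the filename-iocs.txt hunk while the hash-iocs.txt hunk spells it `compromise`; suggest `# DAEMON Tools Lite supply-chain compromise https://securelist.com/tr/daemon-tools-backdoor/119654/` in both places so the three files can be searched with one term. `38.180.107.76` is also added without the `;65` score suffix that the two neighbouring IP entries carry; scoreless entries already exist in this file (`repocket.com`), so this may be intentional, but if the loader's default score differs from 65 the new IP will be weighted differently from its siblings, so either append `;65` or confirm the default is what is wanted.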
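Review bot: `C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85` reads like a misspelling of `cipher`; because these entries are regexes matched against observed paths, a one-letter divergence from the filename actually dropped means the indicator never fires, so the extension should be checked character-for-character against the referenced report before merge (the same applies to `envchk`, `cdg` and `piyu`, which cannot be validated from this hunk alone). `C:\\Temp\\crypto\.dll;85` is the most generic name in the set and, unlike the other new entries, sits directly under `C:\Temp` rather than `C:\Windows\Temp` or a profile path, so any `crypto.dll` a user or installer leaves there will score 85; if the report provides a hash for that component, keeping it alongside in hash-iocs.txt gives a higher-fidelity match.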
@@ -3355,3 +3355,24 @@ aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed45657d7f333a0efe;ScreenConnect E
 cf265a3a3dd068d0aa0c70248cd6325d;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
 da006a0b9b51d56fa3f9690cf204b99f;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
 ba120e9c7f8896d9148ad37f02b0e3cb;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
+
+9ccd769624de98eeeb12714ff1707ec4f5bf196d;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+50d47adb6dd45215c7cb4c68bae28b129ca09645;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+0c1d3da9c7a651ba40b40e12d48ebd32b3f31820;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+28b72576d67ae21d9587d782942628ea46dcc870;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+46b90bf370e60d61075d3472828fdc0b85ab0492;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+6325179f442e5b1a716580cd70dea644ac9ecd18;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+bd8fbb5e6842df8683163adbd6a36136164eac58;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+524d2d92909eef80c406e87a0fc37d7bb4dadc14;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+427f1728682ebc7ffe3300fef67d0e3cb6b62948;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+8e7eb0f5ac60dd3b4a9474d2544348c3bda48045;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+00e2df8f42d14072e4385e500d4669ec783aa517;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+aea55e42c4436236278e5692d3dcbcbe5fe6ce0b;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+0456e2f5f56ec8ed16078941248e7cbba9f1c8eb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+9a09ad7b7e9ff7a465aa1150541e231189911afb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+8d435918d304fc38d54b104a13f2e33e8e598c82;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+64462f751788f529c1eb09023b26a47792ecdc54;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+2d4eb55b01f59c62c6de9aacba9b47267d398fe4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+9dbfc23ebf36b3c0b56d2f93116abb32656c42e4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+295ce86226b933e7262c2ce4b36bdd6c389aaaef;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
diff --git a/yara/threat_compromised_daemon_tools_lite_may26.yar b/yara/threat_compromised_daemon_tools_lite_may26.yar
new file mode 100644
index 00000000..4b1de66d
--- /dev/null
+++ b/yara/threat_compromised_daemon_tools_lite_may26.yar
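Review bot: Only SHA-1 values are added for this campaign, while the SHA-256 hashes recorded in the `hash` meta of the new YARA rules in the same commit (`a916e561…`, `12edcaaf…`, `0066ed9b…`, `d2a5c9cb…`, `5d581534…`, `395ec7ac…`) do not appear in hash-iocs.txt. The file already accepts digests of different lengths (the SHA-256 `ScreenConnect` entry in the hunk header next to the MD5 `perfctl` context lines), so adding those six values with the same `DAEMON Tools Lite supplychain compromise IOCs ...` description would let hash-only scanners match the exact samples the YARA rules were written from. Whether the 20 SHA-1 values and the six SHA-256 values describe the same files cannot be told from this hunk; if they do, a short comment saying so would save the next maintainer a lookup.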
@@ -0,0 +1,88 @@
+rule MAL_Information_Collector_May26 {
+ meta:
+ description = "Detects reconaissance payload used in the DAEMON Tools supplychain compromise. The tools collects detailed information about the infected system like hardware, installed software, running processes etc. all data is exfilled to an attacker controlled server."
+ author = "MalGamy, Jonathan Peters (cod3nym)"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df"
+ score = 80
+ strings:
+ $x1 = ": InfoCollector.exe <" wide
+
+ $s1 = "CollectInstalledSoftwareSemicolon" ascii
+ $s2 = "GetRc4KeyFromUrl" ascii
+ $s3 = "InfoGatherer" ascii
+
+ $op1 = { 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 28 ?? ?? ?? 0A 13 ?? 11 ?? 16 36 3A 11 ?? 1E 35 ?? 1E 8D ?? ?? ?? 01 13 ?? 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 11 ?? 16 11 ?? 28 ?? ?? ?? 0A }
+ $op2 = { 02 73 ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 6F ?? ?? ?? 0A 0A 06 72 ?? ?? ?? 70 7E ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 6F ?? ?? ?? 0A 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 0B DE }
+ condition:
+ uint16(0) == 0x5a4d
+ and filesize < 50KB
+ and (
+ $x1
+ or all of ($op*)
+ or all of ($s*)
+ )
+}
+
+rule MAL_DAEMON_Tools_Lite_Compromised_May26 {
+ meta:
+ description = "Detects compromised DAEMON Tools Lite versions deployed in a supplychain compromise campaign affected versions include: 12.5.0.2421 up to 12.5.0.2434 The infected binaries drop Quic RAT and various custom data exfiltration payloads."
+ author = "Jonathan Peters (cod3nym)"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8"
+ hash = "0066ed9b9de2b8e251f7bcf73edcb549218179398cf90124a221958fedce6212"
+ hash = "d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0"
+ score = 80
+ strings:
+ $sa1 = { 31 03 35 55 e4 c4 32 2d a9 e0 b3 81 6d 14 38 4e } // certificate serial number
+ $sa2 = "AVB Disc Soft, SIA" ascii
+ $sa3 = "DAEMON Tools Lite" ascii wide
+
+ $re = /12\.5\.0\.24(21|22|23|24|25|26|27|28|29|30|31|33|34)/ ascii wide
+ condition:
+ uint16(0) == 0x5a4d
+ and all of ($sa*)
+ and $re
+}
+
+rule MAL_Backdoor_May26 {
+ meta:
+ description = "Detects a backdoor smuggled into signed DAEMON Tools binaries via supply-chain compromise, receives encrypted commands over HTTPS to execute arbitrary shell commands and drop files on victim hosts."
+ author = "MalGamy"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "5d581534b48d09855ac045aaf9b196ca26396a6c08616213f9f9afc656849c2f"
+ score = 80
+ strings:
+ $op1 = { 48 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 7D ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 75 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 95 }
+ $op2 = { 4D 8D 40 ?? 99 41 FF C1 41 F7 FB 48 63 C2 0F B6 8C 05 ?? ?? ?? ?? 41 30 48 ?? 49 83 EA }
+ condition:
+ all of them
+}
+
+rule MAL_Minimalistic_Backdoor_May26 {
+ meta:
+ description = "Detects minimalistic backdoor deployment where a shellcode loader downloads an encrypted payload and executes it in memory after RC4 decryption using a command-line provided key"
+ author = "MalGamy"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c"
+ score = 80
+ strings:
+ $x1 = "Note: if multiple processes load the DLL," wide
+ $x2 = "Inject (shellcode file is RC4 ciphertext; key is a UTF-8 string" wide
+
+ $s1 = "Error: VirtualAllocEx failed, Win" wide
+ $s2 = "Try running as administrator; " wide
+ $s3 = ", shellcode size: " wide
+ $s4 = "input file path cannot be empty." wide
+ condition:
+ uint16(0) == 0x5a4d
+ and filesize < 50KB
+ and (
+ 1 of ($x*)
+ or all of ($s*)
+ )
+}
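Review bot: In `MAL_DAEMON_Tools_Lite_Compromised_May26` the `$re` alternation `(21|22|…|31|33|34)` skips `32`, so build 12.5.0.2432 is never matched even though the description states the affected range as 12.5.0.2421 up to 12.5.0.2434; if 2432 is not a deliberate exclusion, `$re = /12\.5\.0\.24(2[1-9]|3[0-4])/ ascii wide` covers the stated range and is easier to audit, and if it is deliberate the description should say so, because the rule otherwise reads as having a gap. `MAL_Backdoor_May26` is the only rule whose condition is a bare `all of them`, with no `uint16(0) == 0x5a4d` guard like its three siblings; `uint16(0) == 0x5a4d and all of them` keeps the match unchanged for the PE input the description targets and stops the two opcode patterns from firing on non-PE carriers. The first rule's description has `reconaissance` and `The tools collects` (`reconnaissance`, `The tool collects`), and the second rule's description runs three sentences together with no punctuation after `campaign` and after `12.5.0.2434`, which is worth fixing since these strings end up in scanner output.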