From 7b9412bdebfe0ba9982fe51d086441a1805e9fb8 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Tue, 5 May 2026 17:28:44 +0200
Subject: [PATCH 1/5] Create threat_compromised_daemon_tools_lite_may26.yar
---
 ...at_compromised_daemon_tools_lite_may26.yar | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 yara/threat_compromised_daemon_tools_lite_may26.yar
diff --git a/yara/threat_compromised_daemon_tools_lite_may26.yar b/yara/threat_compromised_daemon_tools_lite_may26.yar
new file mode 100644
index 00000000..4b1de66d
--- /dev/null
+++ b/yara/threat_compromised_daemon_tools_lite_may26.yar
@@ -0,0 +1,88 @@
+rule MAL_Information_Collector_May26 {
+ meta:
+ description = "Detects reconaissance payload used in the DAEMON Tools supplychain compromise. The tools collects detailed information about the infected system like hardware, installed software, running processes etc. all data is exfilled to an attacker controlled server."
+ author = "MalGamy, Jonathan Peters (cod3nym)"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df"
+ score = 80
+ strings:
+ $x1 = ": InfoCollector.exe <" wide
+
+ $s1 = "CollectInstalledSoftwareSemicolon" ascii
+ $s2 = "GetRc4KeyFromUrl" ascii
+ $s3 = "InfoGatherer" ascii
+
+ $op1 = { 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 28 ?? ?? ?? 0A 13 ?? 11 ?? 16 36 3A 11 ?? 1E 35 ?? 1E 8D ?? ?? ?? 01 13 ?? 09 7E ?? ?? ?? 04 28 ?? ?? ?? 0A 11 ?? 16 11 ?? 28 ?? ?? ?? 0A }
+ $op2 = { 02 73 ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 6F ?? ?? ?? 0A 0A 06 72 ?? ?? ?? 70 7E ?? ?? ?? 0A 6F ?? ?? ?? 0A 0A 06 6F ?? ?? ?? 0A 2D ?? 72 ?? ?? ?? 70 0B DE ?? 06 0B DE }
+ condition:
+ uint16(0) == 0x5a4d
+ and filesize < 50KB
+ and (
+ $x1
+ or all of ($op*)
+ or all of ($s*)
+ )
+}
+
+rule MAL_DAEMON_Tools_Lite_Compromised_May26 {
+ meta:
+ description = "Detects compromised DAEMON Tools Lite versions deployed in a supplychain compromise campaign affected versions include: 12.5.0.2421 up to 12.5.0.2434 The infected binaries drop Quic RAT and various custom data exfiltration payloads."
+ author = "Jonathan Peters (cod3nym)"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8"
+ hash = "0066ed9b9de2b8e251f7bcf73edcb549218179398cf90124a221958fedce6212"
+ hash = "d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0"
+ score = 80
+ strings:
+ $sa1 = { 31 03 35 55 e4 c4 32 2d a9 e0 b3 81 6d 14 38 4e } // certificate serial number
+ $sa2 = "AVB Disc Soft, SIA" ascii
+ $sa3 = "DAEMON Tools Lite" ascii wide
+
+ $re = /12\.5\.0\.24(21|22|23|24|25|26|27|28|29|30|31|33|34)/ ascii wide
+ condition:
+ uint16(0) == 0x5a4d
+ and all of ($sa*)
+ and $re
+}
+
+rule MAL_Backdoor_May26 {
+ meta:
+ description = "Detects a backdoor smuggled into signed DAEMON Tools binaries via supply-chain compromise, receives encrypted commands over HTTPS to execute arbitrary shell commands and drop files on victim hosts."
+ author = "MalGamy"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "5d581534b48d09855ac045aaf9b196ca26396a6c08616213f9f9afc656849c2f"
+ score = 80
+ strings:
+ $op1 = { 48 8D 8D ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 7D ?? C7 45 ?? ?? ?? ?? ?? F3 0F 7F 75 ?? C7 45 ?? ?? ?? ?? ?? C7 45 ?? ?? ?? ?? ?? 66 C7 45 ?? ?? ?? C6 45 ?? ?? FF 15 ?? ?? ?? ?? 48 8D 15 ?? ?? ?? ?? 48 8D 8D ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 48 8D 95 }
+ $op2 = { 4D 8D 40 ?? 99 41 FF C1 41 F7 FB 48 63 C2 0F B6 8C 05 ?? ?? ?? ?? 41 30 48 ?? 
49 83 EA }
+ condition:
+ all of them
+}
+
+rule MAL_Minimalistic_Backdoor_May26 {
+ meta:
+ description = "Detects minimalistic backdoor deployment where a shellcode loader downloads an encrypted payload and executes it in memory after RC4 decryption using a command-line provided key"
+ author = "MalGamy"
+ date = "2026-05-05"
+ reference = "https://securelist.com/tr/daemon-tools-backdoor/119654/"
+ hash = "395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c"
+ score = 80
+ strings:
+ $x1 = "Note: if multiple processes load the DLL," wide
+ $x2 = "Inject (shellcode file is RC4 ciphertext; key is a UTF-8 string" wide
+
+ $s1 = "Error: VirtualAllocEx failed, Win" wide
+ $s2 = "Try running as administrator; " wide
+ $s3 = ", shellcode size: " wide
+ $s4 = "input file path cannot be empty." wide
+ condition:
+ uint16(0) == 0x5a4d
+ and filesize < 50KB
+ and (
+ 1 of ($x*)
+ or all of ($s*)
+ )
+}
From e7129ee269cd16f521a35d30f855a5bd3503f182 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Tue, 5 May 2026 17:31:38 +0200
Subject: [PATCH 2/5] Add IOCs for # DAEMON Tools Lite supplychain comrpomise
---
 iocs/filename-iocs.txt | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
index a2b5d583..5e0c9cbe 100644
--- a/iocs/filename-iocs.txt
+++ b/iocs/filename-iocs.txt
@@ -4560,4 +4560,14 @@ C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
 \\AppData\\Roaming\\Adobe\\Scripts\\script.exe;75
 \\libtcc\.dll;60
+# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
+C:\\Temp\\crypto.dll;85
+C:\\Windows\\Temp\\envchk.exe;85
+\\AppData\\Roaming\\Microsoft\\mcrypto.dat;85
+C:\\Windows\\Temp\\cdg.exe;85
+C:\\Windows\\Temp\\cdg.tmp;85
+C:\\Windows\\Temp\\imp.tmp;85
+C:\\Windows\\Temp\\piyu.exe;85
+C:\\ProgramData\\Microsoft\\mcrypto.chiper;85
+
 # End
From c86468d165fca97ea64e29114471bc16af86157a Mon Sep 17 00:00:00 2001
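Review bot: The version regex in MAL_DAEMON_Tools_Lite_Compromised_May26 leaves 2432 out of its alternation (`...|30|31|33|34`), so a 12.5.0.2432 build is not matched even though the rule's description says the affected range runs from 12.5.0.2421 up to 12.5.0.2434; unless that build is deliberately excluded, `$re = /12\.5\.0\.24(2[1-9]|3[0-4])/ ascii wide` covers the stated range and is easier to audit than a thirteen-way alternation. MAL_Backdoor_May26 is the only rule in the file whose condition is a bare `all of them` without the `uint16(0) == 0x5a4d` and `filesize` guards the other three rules use, which makes it both the most expensive of the four to evaluate and inconsistent with the rest of the file. The description of MAL_Information_Collector_May26 also carries a few typos worth fixing before release (`reconaissance`, `The tools collects`, `supplychain`), since these strings end up verbatim in alert output.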
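Review bot: The section comment introducing the block misspells "compromise" as `comrpomise`; this is the text a reviewer greps for when tracing an indicator back to its source, so `# DAEMON Tools Lite supplychain compromise https://securelist.com/tr/daemon-tools-backdoor/119654/` is worth correcting here and in the identical comment added to c2-iocs.txt in PATCH 3/5 (PATCH 5/5 carries the misspelling forward as context). Separately, `C:\\Temp\\crypto.dll` is a generic file name in a user-writable staging directory and is presumably the entry in this block most likely to hit on unrelated software; if the trailing score reflects confidence, giving that one entry a lower score than the more distinctive `envchk.exe`/`piyu.exe` names would follow the `;75`/`;60` gradation visible in the surrounding lines.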
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Tue, 5 May 2026 17:33:15 +0200
Subject: [PATCH 3/5] Add IOCs for DAEMON Tools Lite supplychain compromise
---
 iocs/c2-iocs.txt | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/iocs/c2-iocs.txt b/iocs/c2-iocs.txt
index 504f2aaf..072c501b 100644
--- a/iocs/c2-iocs.txt
+++ b/iocs/c2-iocs.txt
@@ -1908,4 +1908,8 @@ repocket.com
 181.214.147.164;65
 192.119.99.42;65
-# Last Line
\ No newline at end of file
+# DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
+env-check.daemontools.cc
+38.180.107.76
+
+# Last Line
From d8dcdaa68b1f4a5ff16c6ffd5ee111dccaaa93fa Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Tue, 5 May 2026 17:36:31 +0200
Subject: [PATCH 4/5] Add DAEMON Tools Lite supplychain compromise IOCs
---
 iocs/hash-iocs.txt | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/iocs/hash-iocs.txt b/iocs/hash-iocs.txt
index f56dbfcc..8071c8e1 100644
--- a/iocs/hash-iocs.txt
+++ b/iocs/hash-iocs.txt
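Review bot: The two new indicators `env-check.daemontools.cc` and `38.180.107.76` carry no `;score` suffix, while every neighbouring entry in the hunk (`181.214.147.164;65`, `192.119.99.42;65`) has one; next to the `;85` scores the same campaign's filename IOCs received in PATCH 2/5, the omission looks unintentional, so `env-check.daemontools.cc;85` and `38.180.107.76;85` (or whatever score is intended) would keep the file uniform and not depend on the reader's default for scoreless lines. A short comment stating that only the `env-check` subdomain is an indicator, not the vendor's `daemontools.cc` apex domain, would stop a later maintainer from widening the match when these entries are converted to a pattern. Restoring the trailing newline on `# Last Line` is a welcome side effect of the change.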
@@ -3355,3 +3355,24 @@ aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed45657d7f333a0efe;ScreenConnect E
 cf265a3a3dd068d0aa0c70248cd6325d;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
 da006a0b9b51d56fa3f9690cf204b99f;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
 ba120e9c7f8896d9148ad37f02b0e3cb;perfctl IOCs https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/
+
+9ccd769624de98eeeb12714ff1707ec4f5bf196d;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+50d47adb6dd45215c7cb4c68bae28b129ca09645;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+0c1d3da9c7a651ba40b40e12d48ebd32b3f31820;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+28b72576d67ae21d9587d782942628ea46dcc870;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+46b90bf370e60d61075d3472828fdc0b85ab0492;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+6325179f442e5b1a716580cd70dea644ac9ecd18;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+bd8fbb5e6842df8683163adbd6a36136164eac58;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+524d2d92909eef80c406e87a0fc37d7bb4dadc14;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+427f1728682ebc7ffe3300fef67d0e3cb6b62948;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+8e7eb0f5ac60dd3b4a9474d2544348c3bda48045;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+00e2df8f42d14072e4385e500d4669ec783aa517;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+aea55e42c4436236278e5692d3dcbcbe5fe6ce0b;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+0456e2f5f56ec8ed16078941248e7cbba9f1c8eb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+9a09ad7b7e9ff7a465aa1150541e231189911afb;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+8d435918d304fc38d54b104a13f2e33e8e598c82;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+64462f751788f529c1eb09023b26a47792ecdc54;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+2d4eb55b01f59c62c6de9aacba9b47267d398fe4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+9dbfc23ebf36b3c0b56d2f93116abb32656c42e4;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
+295ce86226b933e7262c2ce4b36bdd6c389aaaef;DAEMON Tools Lite supplychain compromise IOCs https://securelist.com/tr/daemon-tools-backdoor/119654/
From a379cecce96905b304b4c07682c52f9cb617f819 Mon Sep 17 00:00:00 2001
From: Jonathan Peters <143413578+cod3nym@users.noreply.github.com>
Date: Tue, 5 May 2026 17:52:11 +0200
Subject: [PATCH 5/5] fix: unescaped dot character in filename IOCs
---
 iocs/filename-iocs.txt | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/iocs/filename-iocs.txt b/iocs/filename-iocs.txt
index 5e0c9cbe..c02c9bb1 100644
--- a/iocs/filename-iocs.txt
+++ b/iocs/filename-iocs.txt
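Review bot: The twenty new entries are 40-hex SHA1 values, but the five SHA256 hashes that the YARA rules in PATCH 1/5 cite in their `hash` meta fields are not added here, so the hash list and the rules describe the campaign with two disjoint hash sets; adding those SHA256 values as further lines with the same `;DAEMON Tools Lite supplychain compromise IOCs <reference>` suffix would let a scanner keyed on either algorithm match the same samples. The context lines show the file already mixes MD5 and SHA256 entries, so the per-line hash length is presumably what the reader uses to pick the algorithm rather than a fixed column format; confirm that 40-hex SHA1 lines are accepted before relying on these.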
@@ -4557,17 +4557,17 @@ C:\\perflogs\\RunSchedulerTaskOnce\.ps1;85
 \\AppData\\Roaming\\ProShow\\load$;75
 \\AppData\\Roaming\\ProShow\\ProShow\.exe;75
 \\AppData\\Roaming\\Adobe\\Scripts\\alien\.ini;75
-\\AppData\\Roaming\\Adobe\\Scripts\\script.exe;75
+\\AppData\\Roaming\\Adobe\\Scripts\\script\.exe;75
 \\libtcc\.dll;60
 # DAEMON Tools Lite supplychain comrpomise https://securelist.com/tr/daemon-tools-backdoor/119654/
-C:\\Temp\\crypto.dll;85
-C:\\Windows\\Temp\\envchk.exe;85
-\\AppData\\Roaming\\Microsoft\\mcrypto.dat;85
-C:\\Windows\\Temp\\cdg.exe;85
-C:\\Windows\\Temp\\cdg.tmp;85
-C:\\Windows\\Temp\\imp.tmp;85
-C:\\Windows\\Temp\\piyu.exe;85
-C:\\ProgramData\\Microsoft\\mcrypto.chiper;85
+C:\\Temp\\crypto\.dll;85
+C:\\Windows\\Temp\\envchk\.exe;85
+\\AppData\\Roaming\\Microsoft\\mcrypto\.dat;85
+C:\\Windows\\Temp\\cdg\.exe;85
+C:\\Windows\\Temp\\cdg\.tmp;85
+C:\\Windows\\Temp\\imp\.tmp;85
+C:\\Windows\\Temp\\piyu\.exe;85
+C:\\ProgramData\\Microsoft\\mcrypto\.chiper;85
 # End