From a3eaaedb722e3d8fb0b558a5cfb0e938be26f796 Mon Sep 17 00:00:00 2001
From: Vendeta
Date: Fri, 15 May 2026 19:23:17 +0300
Subject: [PATCH] Improve GHSA-rm3r-35x9-jv93
---
 .../GHSA-rm3r-35x9-jv93.json | 32 +++++++++++++++----
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-rm3r-35x9-jv93/GHSA-rm3r-35x9-jv93.json b/advisories/unreviewed/2026/05/GHSA-rm3r-35x9-jv93/GHSA-rm3r-35x9-jv93.json
index d9eecc9494e59..7b3a63a8b3564 100644
--- a/advisories/unreviewed/2026/05/GHSA-rm3r-35x9-jv93/GHSA-rm3r-35x9-jv93.json
+++ b/advisories/unreviewed/2026/05/GHSA-rm3r-35x9-jv93/GHSA-rm3r-35x9-jv93.json
@@ -1,23 +1,43 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rm3r-35x9-jv93",
- "modified": "2026-05-15T09:31:32Z",
+ "modified": "2026-05-15T09:31:43Z",
 "published": "2026-05-15T09:31:32Z",
 "aliases": [
 "CVE-2026-8398"
 ],
- "details": "A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.",
+ "summary": "Supply Chain Compromise in DAEMON Tools Lite Delivering Malicious Backdoor",
+ "details": "### Summary\nA highly targeted supply chain attack compromised the official installation infrastructure of DAEMON Tools Lite, a disk imaging utility developed by AVB Disc Soft. Between approximately April 8, 2026, and May 5, 2026, installers distributed via the official vendor website (`daemon-tools.cc`) contained trojanized versions of three core application binaries: `DTHelper.exe`, `DiscSoftBusServiceLite.exe`, and `DTShellHlp.exe`. \n\nBecause the threat actors gained access to the vendor's signing infrastructure, the modified, malicious binaries were signed with a valid, legitimate AVB Disc Soft digital code-signing certificate, effectively bypassing traditional security mechanisms and signature-based antivirus detection.\n\n### Mechanism & Impact\nWhen any of the affected binaries are executed (which occurs automatically at system startup), an embedded backdoor initializes inside a dedicated thread within the C Runtime (CRT) initialization setup. The backdoor communicates via HTTP GET requests containing system profiling information to a typosquatted command-and-control (C2) server (`env-check.daemontools[.]cc`). \n\nFollowing initial victim profiling, the threat actors selectively deployed secondary advanced implants (such as a custom PowerShell stager and a complex C++ tool dubbed \"QUIC RAT\") to a limited subset of enterprise targets across critical infrastructure, manufacturing, and government sectors.\n\n### Remediation\nUninstall compromised versions of DAEMON Tools Lite completely. Update systems immediately to version **12.6.0.2445** or later, which completely addresses the security compromise and removes the malicious modules. \n\nSecurity teams should audit internal endpoints for installation or execution timestamps of DAEMON Tools Lite between April 8, 2026, and May 6, 2026, to investigate potential secondary post-exploitation maneuvers.",
 "severity": [
 {
 "type": "CVSS_V3",
 "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
- },
+ }
+ ],
+ "affected": [
 {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "package": {
+ "ecosystem": "Packagist",
+ "name": ""
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "12.5.0.2421"
+ },
+ {
+ "fixed": "= 12.6.0.2445"
+ }
+ ]
+ }
+ ],
+ "versions": [
+ "12.5.0.2421"
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
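Review bot: The new `affected` entry declares `"ecosystem": "Packagist"` with `"name": ""`, but the advisory text describes DAEMON Tools Lite as a Windows desktop application rather than a Composer package, so this block either fails validation on the empty package name or, worse, lets ecosystem-matching tooling attribute a Windows supply-chain compromise to the PHP ecosystem. The `fixed` event also carries a non-version value, `"fixed": "= 12.6.0.2445"`; OSV range events take a bare version string, so it should read `"fixed": "12.6.0.2445"`. Because the affected artefact is a product with no package-registry identity, restoring `"affected": []` (as the old side had) is the safer shape unless a real ecosystem and package name exist for it; the single-entry `versions` list also understates the range the `details` text gives (12.5.0.2421 through 12.5.0.2434). Separately, the `details` string ends the compromised window on May 5, 2026 in the summary paragraph but on May 6, 2026 in the remediation paragraph; the two dates should agree or the difference be explained, since responders will key their endpoint audit to them.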