[CDP-development] TLP:GREEN (Vulnerability Alert Notification) : CVE-2026-8398: Daemon Tools Lite Embedded Malicious Code Vulnerability

ESO_SOC * DAS ESO.SOC at das.oregon.gov
Wed May 27 12:01:39 PDT 2026


Good afternoon,

The State of Oregon SOC Services Team is reporting on the vulnerability CVE-2026-8398 affecting DAEMON Tools Lite (Windows installation packages) endpoint management server configuration and agent updates. Due to active exploitation in the wild via signed, compromised official software installers distributed directly from the legitimate vendor website, we are providing this in-depth operational intelligence to assist with immediate remediation and response tracking.

History: The vulnerability was publicly disclosed on May 15, 2026, after security researchers discovered that official software installation packages had been altered on the vendor's distribution infrastructure. The CVSS v3.x base score is 9.8 (CRITICAL) as assigned by Kaspersky Labs.
Affected Versions

  *   DAEMON Tools Lite Windows versions 12.5.0.2421 through 12.5.0.2434.

Fixed Versions

  *   DAEMON Tools Lite Windows version 12.6.0 or later.

Vendor Advisory: DAEMON Tools Security Incident Statement<https://blog.daemon-tools.cc/post/security-incident>

Intelligence: On May 27, 2026, CISA confirmed the vulnerability in the Known Exploited Vulnerabilities Catalog.

Exploitability: Network
Complexity: Low
User Interaction: None
Remotely Exploitable: Yes
Proof of Concept: Not publicly disclosed
Zero Day: Yes

Workarounds: Block all outbound DNS and network tracking queries to *.daemontools[.]cc at the perimeter firewalls and at the local host level; isolate any endpoint that executed a DAEMON Tools Lite installer between 2026-04-08 and 2026-05-05 from the corporate network until forensic analysis is complete.
How it Works: Attackers breached the build or distribution infrastructure of AVB Disc Soft. They injected malicious payload delivery subroutines directly into three essential software binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Following injection, the files were compiled into the standard installation setup packages and signed using the vendor's authentic code-signing certificate. When a user downloads and installs the package from daemon-tools.cc, the execution of the signed, malicious binaries triggers an implicit download chain. The binaries initiate PowerShell stagers that execute memory-resident payloads, establishing encrypted outbound connections to a command-and-control server without requiring exploit complexity or breaking application isolation parameters directly on the host.
Post-Exploit Impact:

  *   Full takeover of the underlying Windows host, enabling arbitrary code execution, lateral movement, data exfiltration, and secondary payload deployment (CWE-506).

Indicators of Compromise (IoCs):
Type | Value | Description / Notes | Source
Filename | DTHelper.exe | Trojanized core executable bundled inside affected DAEMON Tools Lite installers. | Kaspersky Labs
Filename | DiscSoftBusServiceLite.exe | Trojanized background service executable bundled inside affected DAEMON Tools Lite installers. | Kaspersky Labs
Filename | DTShellHlp.exe | Trojanized shell extension helper executable bundled inside affected DAEMON Tools Lite installers. | Kaspersky Labs
Network Domain | *.daemontools[.]cc | Anomalous subdomain lookups used by early-stage trojan components for operational staging. | Kaspersky Labs / IsacChain Advisory
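The network IoC above is published defanged. The following PowerShell is an added example, not part of this advisory or of any vendor tooling, showing how a SOC analyst can refang it and sweep resolver logs for hosts that queried the staging domain. The log lines are constructed samples in a generic "timestamp client query" layout; the field order is an assumption and must be adapted to the real resolver's log format.

```powershell
# Added example (not from the advisory): sweep DNS query logs for the
# *.daemontools[.]cc IoC. Log lines below are constructed samples.

# Refang the published IoC for matching: '*.daemontools[.]cc' -> 'daemontools.cc'
$DefangedDomain = '*.daemontools[.]cc'
$IocDomain = $DefangedDomain.Replace('[.]', '.').TrimStart('*.')

# Constructed resolver log lines: <timestamp> <client IP> <queried name>.
# Note that daemon-tools.cc (hyphenated, the vendor's site) is NOT the IoC.
$SampleLog = @(
    '2026-04-12T09:14:02Z 10.20.31.7  update.microsoft.com',
    '2026-04-12T09:14:09Z 10.20.31.7  a1b2c3.daemontools.cc',
    '2026-04-12T09:15:41Z 10.20.31.22 daemon-tools.cc',
    '2026-04-12T09:16:03Z 10.20.44.5  cdn.daemontools.cc.example.net'
)

function Test-IocDomainMatch {
    param([string]$QueriedName, [string]$Domain)
    # Match the apex or any subdomain of the IoC; a trailing dot (FQDN form)
    # is stripped. A name that merely contains the IoC as a substring
    # (e.g. daemontools.cc.example.net) is deliberately not matched.
    $name = $QueriedName.ToLowerInvariant().TrimEnd('.')
    return ($name -eq $Domain) -or $name.EndsWith('.' + $Domain)
}

$Hits = foreach ($line in $SampleLog) {
    $fields = $line -split '\s+'
    if ($fields.Count -lt 3) { continue }
    $ts, $client, $qname = $fields[0..2]
    if (Test-IocDomainMatch -QueriedName $qname -Domain $IocDomain) {
        [pscustomobject]@{ Timestamp = $ts; Client = $client; Query = $qname }
    }
}

# With the sample lines above, exactly one record is produced:
# the 10.20.31.7 lookup of a1b2c3.daemontools.cc.
$Hits | Format-Table -AutoSize
```

Each client IP in the output is a candidate for the isolation step in the Workarounds section. Replace `$SampleLog` with the real log source (for example, `Get-Content` over an exported resolver log) and keep the suffix match rather than a plain `-like '*daemontools.cc*'`, which would also flag unrelated names that embed the string.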
Tenable Plugins:

As of May 27, 2026, Tenable has not announced any plugins for this vulnerability.

Recommended Actions:

Date Added to KEV Catalog: May 27, 2026
Due Date for Remediation: June 17, 2026

  *   Immediately audit all enterprise endpoints for any installations of DAEMON Tools Lite falling within the 12.5.0.2421 to 12.5.0.2434 range.
  *   Completely uninstall compromised software versions and wipe infected hosts if forensics suggest active execution of second-stage payloads.
  *   Verify the host has not been compromised before applying patches.
  *   Apply appropriate updates provided by the vendor to vulnerable systems after testing.
  *   Run all software as a non-privileged user to reduce the impact of a successful attack.
  *   Apply the Principle of Least Privilege to all systems and services.
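The first audit action above can be scripted. The following PowerShell is an added example, not from this advisory or from the vendor, that inspects a Windows host's uninstall registry entries for a DAEMON Tools Lite install in the affected version range and checks whether the three trojanized binaries named in the IoC table are present in the install directory. The uninstall DisplayName prefix, the DisplayVersion format matching the advisory's version strings, and the binaries living under InstallLocation are assumptions about the product's installer.

```powershell
# Added example (not from the advisory): audit this host for DAEMON Tools
# Lite installs in the affected range and for the named IoC binaries.
# Run elevated; for fleet-wide use, wrap in Invoke-Command or your EDR/EM tool.

$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$IocFiles    = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    # Unparseable version strings are reported as not-in-range but still
    # listed in the findings so an analyst can review them by hand.
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $false }
    return ($v -ge $AffectedMin) -and ($v -le $AffectedMax)
}

$Findings = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools Lite*' } |   # assumption: DisplayName prefix
    ForEach-Object {
        $installDir = $_.InstallLocation
        # Assumption: the bundled binaries sit directly under InstallLocation.
        $present = if ($installDir -and (Test-Path $installDir)) {
            $IocFiles | Where-Object { Test-Path (Join-Path $installDir $_) }
        } else { @() }
        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = $_.DisplayName
            DisplayVersion  = $_.DisplayVersion
            InAffectedRange = Test-AffectedVersion $_.DisplayVersion
            InstallLocation = $installDir
            IocFilesPresent = ($present -join ', ')
        }
    }

if ($Findings) { $Findings | Format-List } else { 'No DAEMON Tools Lite installation found.' }
```

Do not use `Get-AuthenticodeSignature` to clear a host: the advisory states the trojanized packages were signed with the vendor's authentic certificate, so the signature on these binaries reports as valid. A host with `InAffectedRange` true, or with the IoC files present, should be treated under the isolation and forensic steps above before any patch is applied.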

EIS Security Operations Center
Enterprise Information Services
Cyber Security Services | CSS
SOC Hotline: (503) 378-5930
SOC at EIS.OREGON.GOV<mailto:SOC at EIS.OREGON.GOV>