<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
h4
{mso-style-priority:9;
mso-style-link:"Heading 4 Char";
mso-margin-top-alt:auto;
margin-right:0in;
margin-bottom:2.4pt;
margin-left:0in;
font-size:12.0pt;
font-family:"Aptos",sans-serif;
color:black;
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.Heading4Char
{mso-style-name:"Heading 4 Char";
mso-style-priority:9;
mso-style-link:"Heading 4";
font-family:"Aptos",sans-serif;
color:#0F4761;
font-style:italic;}
span.first-word1
{mso-style-name:first-word1;
font-weight:bold;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:738555435;
mso-list-template-ids:1329344854;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1
{mso-list-id:1114636321;
mso-list-template-ids:757351046;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2
{mso-list-id:1131366947;
mso-list-template-ids:-1224962186;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3
{mso-list-id:1294410404;
mso-list-template-ids:1637383318;}
@list l3:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Good afternoon,<o:p></o:p></span></p>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">The State of Oregon SOC Services Team is reporting on the vulnerability
<b>CVE-2026-8398</b> affecting <b>DAEMON Tools Lite (Windows installation packages)</b> endpoint management server configuration and agent updates. Due to active exploitation in the wild via signed, compromised official software installers distributed directly
from the legitimate vendor website, we are providing this in-depth operational intelligence to assist with immediate remediation and response tracking.
<o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">History:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> The vulnerability was publicly disclosed on May 15, 2026, after security
researchers discovered that official software installation packages were altered on the vendor's distribution infrastructure.. The CVSS v3.x base score is 9.8 (CRITICAL) as assigned by Kaspersky Labs.<o:p></o:p></span></h4>
<h4><span lang="EN" style="font-family:"Calibri",sans-serif">Affected Versions<o:p></o:p></span></h4>
<ul type="disc" id="affectedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1">
<span lang="EN" style="font-family:"Calibri",sans-serif">DAEMON Tools Lite Windows versions 12.5.0.2421 through 12.5.0.2434.<o:p></o:p></span></li></ul>
<h4><span lang="EN" style="font-family:"Calibri",sans-serif">Fixed Versions<o:p></o:p></span></h4>
<ul type="disc" id="fixedVersionsList">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l1 level1 lfo2">
<span lang="EN" style="font-family:"Calibri",sans-serif">DAEMON Tools Lite Windows version 12.6.0 or later.<o:p></o:p></span></li></ul>
<p><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Vendor Advisory:
<a href="https://blog.daemon-tools.cc/post/security-incident">DAEMON Tools Security Incident Statement</a><o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Intelligence:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> On May 27, 2026, CISA confirmed the vulnerability in the Known Exploited
Vulnerabilities Catalog.<o:p></o:p></span></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Exploitability:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> Network
<br>
<strong><span style="font-family:"Calibri",sans-serif">Complexity:</span></strong> Low<br>
<strong><span style="font-family:"Calibri",sans-serif">User Interaction:</span></strong> None<br>
<strong><span style="font-family:"Calibri",sans-serif">Remotely Exploitable:</span></strong> Yes<br>
<strong><span style="font-family:"Calibri",sans-serif">Proof of Concept:</span></strong> Not publicly disclosed<br>
<strong><span style="font-family:"Calibri",sans-serif">Zero Day:</span></strong> Yes
<o:p></o:p></span></p>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Workarounds:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> Block all outbound DNS and network tracking queries to *.daemontools[.]cc
at the perimeter firewalls and local host levels; Isolate any endpoint that executed a DAEMON Tools Lite installer between 2026-04-08 and 2026-05-05 from the corporate network until forensic analysis is complete.<o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">How it Works:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"> Attackers breached the build or distribution infrastructure of AVB
Disc Soft. They injected malicious payload delivery subroutines directly into three essential software binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Following injection, the files were compiled into the standard installation setup
packages and signed using the vendor's authentic code-signing certificate. When a user downloads and installs the package from daemon-tools.cc, the execution of the signed, malicious binaries triggers an implicit download chain. The binaries initiate PowerShell
stagers that execute memory-resident payloads, establishing encrypted outbound connections to a command-and-control server without requiring exploit complexity or breaking application isolation parameters directly on the host.<o:p></o:p></span></h4>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Post-Exploit Impact:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<ul type="disc" id="postExploitImpactList">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l3 level1 lfo3">
<span lang="EN" style="font-family:"Calibri",sans-serif">Full takeover of the underlying Windows host, enabling arbitrary code execution, lateral movement, data exfiltration, and secondary payload deployment (CWE-506).<o:p></o:p></span></li></ul>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Indicators of Compromise (IoCs):</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="68%" style="width:68.18%;border-collapse:collapse">
<thead>
<tr>
<td width="11%" style="width:11.88%;border:solid #CCCCCC 1.0pt;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Type<o:p></o:p></span></b></p>
</td>
<td width="17%" style="width:17.9%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Value<o:p></o:p></span></b></p>
</td>
<td width="50%" style="width:50.94%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Description / Notes<o:p></o:p></span></b></p>
</td>
<td width="19%" style="width:19.28%;border:solid #CCCCCC 1.0pt;border-left:none;background:#F2F2F2;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><b><span style="font-family:"Calibri",sans-serif;color:black">Source<o:p></o:p></span></b></p>
</td>
</tr>
</thead>
<tbody>
<tr>
<td width="11%" style="width:11.88%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Filename<o:p></o:p></span></p>
</td>
<td width="17%" style="width:17.9%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">DTHelper.exe<o:p></o:p></span></p>
</td>
<td width="50%" style="width:50.94%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Trojanized core executable bundled inside affected DAEMON Tools Lite installers.<o:p></o:p></span></p>
</td>
<td width="19%" style="width:19.28%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Kaspersky Labs<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="11%" style="width:11.88%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Filename<o:p></o:p></span></p>
</td>
<td width="17%" style="width:17.9%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">DiscSoftBusServiceLite.exe<o:p></o:p></span></p>
</td>
<td width="50%" style="width:50.94%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Trojanized background service executable bundled inside affected DAEMON Tools Lite installers.<o:p></o:p></span></p>
</td>
<td width="19%" style="width:19.28%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Kaspersky Labs<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="11%" style="width:11.88%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Filename<o:p></o:p></span></p>
</td>
<td width="17%" style="width:17.9%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">DTShellHlp.exe<o:p></o:p></span></p>
</td>
<td width="50%" style="width:50.94%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Trojanized shell extension helper executable bundled inside affected DAEMON Tools Lite installers.<o:p></o:p></span></p>
</td>
<td width="19%" style="width:19.28%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Kaspersky Labs<o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="11%" style="width:11.88%;border:solid #CCCCCC 1.0pt;border-top:none;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Network Domain<o:p></o:p></span></p>
</td>
<td width="17%" style="width:17.9%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">*.daemontools[.]cc<o:p></o:p></span></p>
</td>
<td width="50%" style="width:50.94%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Anomalous subdomain lookups used by early-stage trojan components for operational staging.<o:p></o:p></span></p>
</td>
<td width="19%" style="width:19.28%;border-top:none;border-left:none;border-bottom:solid #CCCCCC 1.0pt;border-right:solid #CCCCCC 1.0pt;padding:6.0pt 6.0pt 6.0pt 6.0pt">
<p class="MsoNormal" align="center" style="margin-top:12.0pt;text-align:center"><span style="font-family:"Calibri",sans-serif;color:black">Kaspersky Labs / IsacChain Advisory<o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Tenable Plugins:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<div id="tenablePluginsContainer">
<p style="mso-margin-top-alt:6.0pt;margin-right:0in;margin-bottom:6.0pt;margin-left:0in">
<span lang="EN" style="font-family:"Calibri",sans-serif;color:black">As of May 27, 2026 Tenable has not announced any plugins for this vulnerability.<o:p></o:p></span></p>
</div>
<h4><span class="first-word1"><span lang="EN" style="font-family:"Calibri",sans-serif">Recommended Actions:</span></span><span lang="EN" style="font-family:"Calibri",sans-serif;font-weight:normal"><o:p></o:p></span></h4>
<p><strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black">Date Added to KEV Catalog:</span></strong><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"> May 27, 2026<br>
<strong><span style="font-family:"Calibri",sans-serif">Due Date for Remediation:</span></strong> June 17, 2026
<o:p></o:p></span></p>
<ul type="disc">
<li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Immediately audit all enterprise endpoints for any installations of DAEMON Tools Lite falling within the 12.5.0.2421 to 12.5.0.2434 range.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Completely uninstall compromised software versions and wipe infected hosts if forensics suggest active execution of second-stage payloads.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Verify host has not been compromised before applying patches.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply appropriate updates provided by the vendor to vulnerable systems after testing.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Run all software as a non-privileged user to reduce the impact of a successful attack.<o:p></o:p></span></li><li class="MsoNormal" style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l2 level1 lfo4">
<span lang="EN" style="font-family:"Calibri",sans-serif">Apply the Principle of Least Privilege to all systems and services.<o:p></o:p></span></li></ul>
<p class="MsoNormal"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;color:black">EIS Security Operations Center</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Enterprise Information Services</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black">Cyber Security Services | CSS</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">SOC Hotline: (503) 378-5930</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"><a href="mailto:SOC@EIS.OREGON.GOV"><span style="color:#467886">SOC@EIS.OREGON.GOV</span></a></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;color:black"><img border="0" width="54" height="54" style="width:.5625in;height:.5625in" id="Picture_x0020_2" src="cid:image005.png@01DCEDCE.6DC7F8A0"></span><span style="font-size:11.0pt;color:black"> <img border="0" width="205" height="53" style="width:2.1354in;height:.552in" id="Picture_x0020_1" src="cid:image004.png@01DCEDCE.6DC7F8A0"></span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black"> </span><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span lang="EN" style="font-family:"Calibri",sans-serif;color:black"><o:p> </o:p></span></p>
</div>
</body>
</html>