Executive Summary

The May 7–8, 2026 threat window is characterised by a high-tempo mix of supply-chain compromise, zero-day exploitation of network edge devices, and state-sponsored espionage campaigns. The confirmed trojanisation of official DAEMON Tools installers by a China-assessed adversary is a significant supply-chain incident affecting users in more than 100 countries. Concurrently, the Palo Alto Networks PAN-OS zero-day (CVE-2026-0300) reached the "ATTACKED" exploit-maturity stage: an unauthenticated attacker can obtain root-level RCE against internet-facing firewalls. CISA confirmed active exploitation of the Linux "Copy Fail" privilege escalation (CVE-2026-31431) and the Windows NTLM zero-click hash leak (CVE-2026-32202), with federal remediation deadlines of May 15 and May 12 respectively.

Top Priorities:

Threat Landscape Overview

# | Threat Cluster | Severity | Target Sectors | Attribution | Status | Timestamp
1 | DAEMON Tools Supply Chain Backdoor | CRITICAL | All sectors (consumer/enterprise Windows) | China-assessed (unconfirmed) | Active | 2026-05-07 00:00 UTC
2 | CVE-2026-0300: PAN-OS RCE Zero-Day | CRITICAL | All sectors with Palo Alto firewalls | Unattributed | Active Exploitation | 2026-05-06 00:00 UTC
3 | Instructure / ShinyHunters Breach | HIGH | Education | ShinyHunters (FIN) | Claimed | 2026-05-08 00:00 UTC
4 | MuddyWater Teams Credential Theft | HIGH | Government, Defence, Technology | MuddyWater / MANGO SANDSTORM (Iran) | Active [UPDATED] | 2026-05-07 12:00 UTC
5 | CVE-2026-32202: Windows NTLM Zero-Click | HIGH | Government, Finance, Critical Infrastructure | APT28 / Fancy Bear (Russia) | Active [UPDATED] | 2026-05-06 18:00 UTC
6 | CVE-2026-31431: Linux "Copy Fail" LPE | HIGH | Cloud, Government, Technology | Multiple threat actors | Active [UPDATED] | 2026-05-07 09:00 UTC
7 | QLNX (Quasar Linux RAT) / PyPI–npm Supply Chain | HIGH | Developer / DevOps | Unattributed | Active [UPDATED] | 2026-05-05 00:00 UTC
8 | SHADOW-EARTH-053 China APT Espionage | HIGH | Government, Defence, Media | China-aligned (SHADOW-EARTH-053) | Active [UPDATED] | 2026-05-01 00:00 UTC

Campaign Deep-Dives

New Intelligence

1. DAEMON Tools Supply Chain Backdoor

Actor: Unattributed; Kaspersky assesses with moderate confidence a Chinese-speaking adversary based on artefact analysis.
Malware Family: Custom multi-protocol backdoor (QUIC-RAT).
First Observed: 2026-04-08 (trojanisation date); public disclosure 2026-05-05.
Source Timestamp: 2026-05-07 00:00 UTC (BleepingComputer / THN coverage entering coverage window).

Kaspersky researchers identified that official DAEMON Tools installers distributed from the vendor's legitimate website were backdoored between April 8 and approximately May 5, 2026, affecting versions 12.5.0.2421 through 12.5.0.2434. The infected installers were signed with valid DAEMON Tools digital certificates, bypassing standard code-signing trust controls. Telemetry recorded several thousand infection attempts across more than 100 countries, affecting both home users and enterprise environments.

The malware compromised three binaries installed to the main DAEMON Tools directory: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Once executed, the implant performs process injection into legitimate notepad.exe and conhost.exe processes to maintain stealth. Command-and-control is unusually resilient, supporting HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3 transport protocols. The C2 domain env-check.daemontools[.]cc was registered March 27, 2026 — roughly 12 days before the trojanisation began — suggesting deliberate pre-staging.

The campaign is significant because it weaponises implicit trust in a vendor's own software distribution channel and code-signing infrastructure. The wide multi-country footprint and choice of a consumer utility with enterprise penetration (virtual disk mounting) broadens the potential blast radius into enterprise networks where DAEMON Tools is deployed in imaging or lab workflows.

Vulnerabilities Exploited: No CVEs; exploitation of the vendor's own build/distribution pipeline (supply chain compromise).

TTPs (MITRE ATT&CK):

Observed Behaviours: Installation of trojanised DTHelper.exe / DiscSoftBusServiceLite.exe / DTShellHlp.exe; beaconing to env-check.daemontools[.]cc via HTTP GET; staging of payload at C:\Windows\Temp\envchk.exe; persistence artefact at %AppData%\Microsoft\mcrypto.dat; injection into notepad.exe and conhost.exe.

Malware Toolkit:

2. CVE-2026-0300: PAN-OS User-ID Authentication Portal RCE Zero-Day

Actor: Unattributed; exploitation assessed opportunistic at present.
Malware Family: Unknown post-exploitation tooling; root shell access reported.
First Observed: 2026-05-06 (public advisory and confirmed exploitation).
Source Timestamp: 2026-05-06 00:00 UTC (Palo Alto Networks advisory); 2026-05-07 (Help Net Security, THN, BleepingComputer — within window).

Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026, an unauthenticated buffer overflow (CWE-787: Out-of-Bounds Write) in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. The vulnerability allows a remote unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending a specially crafted HTTP request with an overlong header value that overflows the stack and redirects execution to attacker-controlled shellcode.

Palo Alto confirmed limited in-the-wild exploitation on the same day of disclosure, indicating the vulnerability was identified in production environments before the advisory was published. Shodan queries as of the reporting date identified approximately 67 PAN-OS instances with the Authentication Portal exposed on port 6081 to the public internet. Patches are not expected until May 13 (earliest) with some branches not patched until May 28, making interim workarounds critical.

Affected versions span PAN-OS 10.2, 11.1, 11.2, and 12.1 branches. Prisma Access, Cloud NGFW, and Panorama are not affected. The vulnerability is automatable with no authentication prerequisite, placing it in the highest urgency tier for network defence.

Vulnerabilities Exploited: CVE-2026-0300 — Palo Alto PAN-OS, CVSS 9.3 — Unauthenticated buffer overflow in User-ID Authentication Portal enabling root RCE on PA-Series/VM-Series firewalls.

TTPs (MITRE ATT&CK):

Technical Mechanism:

  1. Attacker sends HTTP request to the User-ID Authentication Portal (default ports 6081/6082).
  2. The portal service processes the Authorization or related header without proper bounds checking.
  3. An overlong header value overflows a fixed-size stack buffer allocated within the request parsing function.
  4. The stack return address is overwritten with a pointer to attacker-controlled shellcode embedded in the request.
  5. On function return, shellcode executes with the privileges of the portal service process — which runs as root on PAN-OS.
  6. Post-exploitation: attacker establishes persistent access (SSH key injection, web shell) and pivots to connected network segments.

Observed Behaviours: Anomalous HTTP traffic to port 6081/6082 from untrusted IPs; unexpected root-level processes spawned from the portal service; new SSH authorized_keys entries on the device; unexpected outbound connections to unknown IPs post-compromise.
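The following is an added triage routine for this report, not Palo Alto Networks code, and it does not reproduce the exploit. It applies the two observable traits described above to captured requests on the portal ports: a source outside RFC1918 space and a header value far longer than any legitimate client sends (plus non-printable bytes in a header, which no browser emits). The 1024-byte threshold, the example hostnames and both sample requests are constructed assumptions.

```python
"""Triage of captured HTTP requests to the PAN-OS User-ID Authentication Portal
ports (6081/6082). Added illustration for this report; not vendor code."""
import ipaddress

PORTAL_PORTS = {6081, 6082}
MAX_HEADER_VALUE = 1024          # assumption: tune against your own portal traffic
# Explicit list rather than ipaddress.is_private: Python also treats the
# RFC 5737 documentation ranges used in the samples below as 'private'.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_http_head(raw: bytes) -> tuple[str, dict[str, bytes]]:
    """Split a raw request into (request line, {lower-case name: value}).
    The body is ignored; the header block is what the overflow targets."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers: dict[str, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:                              # skip malformed lines, keep parsing
            headers[name.strip().lower().decode("latin-1", "replace")] = value.strip()
    return request_line, headers


def triage_request(src_ip: str, dst_port: int, raw: bytes) -> list[str]:
    """Reasons the request is suspicious; an empty list means nothing flagged."""
    if dst_port not in PORTAL_PORTS:
        return []
    reasons = []
    if not is_internal(src_ip):
        reasons.append(f"portal reached from non-RFC1918 source {src_ip}")
    _line, headers = parse_http_head(raw)
    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"header {name!r} value is {len(value)} bytes")
        if any(b < 0x20 or b > 0x7E for b in value):
            reasons.append(f"header {name!r} contains non-printable bytes")
    return reasons


# Constructed samples: an ordinary portal request and an oversized-header probe.
BENIGN = (b"GET / HTTP/1.1\r\nHost: fw.corp.example:6081\r\n"
          b"User-Agent: Mozilla/5.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n")
PROBE = (b"GET / HTTP/1.1\r\nHost: 203.0.113.10:6081\r\n"
         b"Authorization: " + b"A" * 4096 + b"\x90\x90\xcc\r\n\r\n")

if __name__ == "__main__":
    print(triage_request("10.20.30.40", 6081, BENIGN))
    for reason in triage_request("198.51.100.7", 6081, PROBE):
        print("ALERT:", reason)
```

The port check comes first on purpose: the portal ports are the exposure indicator, so traffic anywhere else is out of scope for this rule, and a hit from an internal source still matters if the portal was never meant to be reachable from that segment.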

3. Instructure (Canvas LMS) Data Breach — ShinyHunters

Actor: ShinyHunters (financially motivated extortion group).
Malware Family: N/A (data theft / extortion).
First Observed: 2026-05-08 (breach claim made public).
Source Timestamp: 2026-05-08 00:00 UTC (BleepingComputer).

The ShinyHunters extortion group claimed responsibility for a breach of Instructure, the company behind the Canvas learning management system, alleging theft of approximately 280 million records associated with students and staff across 8,809 colleges, school districts, and online education platforms. If confirmed at scale, this would represent one of the largest single-incident exposures of student PII on record.

The nature of the data claimed includes names, email addresses, institutional identifiers, and potentially grade and enrollment records. Instructure has not yet issued a public statement confirming the breach scope. ShinyHunters previously executed large-scale data theft campaigns against Ticketmaster (2024) and multiple cloud-hosted platforms. Affected institutions should initiate immediate incident response, assess their Canvas API key exposure, and prepare for regulatory notification obligations under FERPA and applicable state privacy laws.

Vulnerabilities Exploited: Method of initial access not publicly confirmed at time of reporting.

TTPs (MITRE ATT&CK):

Updated Intelligence

This subsection contains intelligence first reported before the coverage window but materially updated within it. Each item is explicitly marked with its original and update timestamps.

4. MuddyWater — Microsoft Teams False Flag Ransomware Campaign

[UPDATED — first reported 2026-05-06, updated 2026-05-07 12:00 UTC with additional IOC detail and victim count]

What Changed: Additional victim reporting (36 organisations claimed on the Chaos data leak site as of the May 7 update) and refined IOC detail (credentials.txt / cred.txt artefact names, attacker MFA device additions) entered circulation within the coverage window via aggregator and MSSP reporting.

Actor: MuddyWater (aka Mango Sandstorm, Seedworm, Static Kitten) — Iran-affiliated, assessed with high confidence as aligned with Iranian Ministry of Intelligence and Security (MOIS).
Malware Family: Chaos ransomware (deployed as false flag); primary goal is credential theft and long-term persistence.
First Observed: 2026-Q1 (Rapid7 initial observation); public reporting 2026-05-06.
Source Timestamp: 2026-05-07 12:00 UTC (MSSP / aggregator updates within window).

MuddyWater conducted a sophisticated hybrid espionage operation using Microsoft Teams as the primary social-engineering vector. Attackers posed as IT helpdesk or Microsoft support personnel in Teams calls, utilised interactive screen-sharing to observe victim environments, and instructed victims to type their credentials into locally created text files named credentials.txt and cred.txt. Attackers simultaneously added attacker-controlled devices to victim MFA configurations to gain persistent authenticated access independent of the victim's future credential changes.

In a notable operational security deception, the group deployed Chaos ransomware as a "false flag" at the conclusion of intrusions — encrypting a small subset of files to mimic criminal ransomware actors and obscure the true intelligence-collection objective. Traditional encryption was deliberately limited; the primary artefacts were exfiltrated credential and session data.

Vulnerabilities Exploited: No CVEs exploited; attack relies entirely on social engineering and MFA manipulation.

TTPs (MITRE ATT&CK):

Observed Behaviours: Incoming Microsoft Teams calls from external tenants impersonating IT support; screen-sharing session initiated by attacker; victim prompted to create credentials.txt / cred.txt; new MFA device registration from unrecognised location; Chaos ransomware execution as final-stage distraction.

5. CVE-2026-32202 — Windows NTLM Zero-Click Hash Theft (APT28)

[UPDATED — first reported 2026-04-14 (patch release), updated 2026-05-06 18:00 UTC — CISA added to KEV and ordered federal agencies to patch by May 12, 2026]

What Changed: CISA added CVE-2026-32202 to the Known Exploited Vulnerabilities catalog, which under Binding Operational Directive 22-01 requires all FCEB agencies to apply the April 2026 Patch Tuesday update by May 12, 2026. BleepingComputer confirmed the KEV addition on May 6, 2026.

Actor: APT28 (Fancy Bear, Forest Blizzard) — Russia GRU-affiliated, assessed with high confidence.
Malware Family: No bespoke malware required; Net-NTLMv2 hash relay and cracking attack chain.
First Observed: 2026-01 (APT28 exploitation of predecessor CVE-2026-21510); CVE-2026-32202 patched 2026-04-14.
Source Timestamp: 2026-05-06 18:00 UTC (BleepingComputer CISA KEV article).

CVE-2026-32202 is a zero-click Windows Shell vulnerability that enables NTLM authentication coercion. When Windows Explorer renders a directory containing a malicious .cpl file (or similar Shell handler object) that references a UNC path such as \\attacker.com\share\payload.cpl, the Shell opens an SMB connection to the attacker-controlled server. The SMB session negotiates NTLM automatically, sending the victim's Net-NTLMv2 response (the "hash") to the attacker with no user action beyond browsing to the directory; the response can then be relayed or cracked offline.

The vulnerability is a bypass of the incomplete patch for CVE-2026-21510, the original APT28 zero-day discovered by Akamai researchers in January 2026. APT28 has been observed using this technique in campaigns targeting Ukraine and European Union member-state government networks.
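The following is an added illustration for this section, not Microsoft's or Akamai's code, and it builds no trigger file. It does the two things a defender can do with the indicators above: extract \\host\share references from file contents on a share (ASCII and UTF-16LE, which Windows shell objects commonly use) and decide whether the target host is external, then apply the same external-target test to EDR-style port-445 records the way DET-03 does. The trusted DNS suffix, the single-label rule, the sample share contents and the sample events are assumptions.

```python
"""External-target classification for UNC references and outbound SMB.
Added illustration for the CVE-2026-32202 section; not vendor code."""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
TRUSTED_SUFFIXES = (".corp.example",)      # assumption: the organisation's own DNS suffixes
UNC_RE = re.compile(rb"\\\\([^\\\s\"'<>|]+)\\")   # \\host\  -> captures host


def is_external_host(host: str) -> bool:
    """IP literals are external unless RFC1918/loopback/link-local. Names:
    a single-label name resolves through the internal search list or NetBIOS
    and is treated as internal (assumption); an FQDN is internal only under a
    trusted suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        name = host.lower().rstrip(".")
        if "." not in name:
            return False
        return not name.endswith(TRUSTED_SUFFIXES)
    return not any(addr in net for net in INTERNAL_NETS)


def unc_targets(data: bytes) -> list[str]:
    """Hosts referenced as \\host\share anywhere in a blob."""
    hosts = {m.decode("latin-1") for m in UNC_RE.findall(data)}
    # Re-scan the blob as UTF-16LE: paths stored that way have a NUL after
    # every byte and never match the raw scan above.
    wide = data.decode("utf-16-le", "ignore").encode("latin-1", "ignore")
    hosts |= {m.decode("latin-1") for m in UNC_RE.findall(wide)}
    return sorted(hosts)


def scan_share(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """(file name, host) for every file that references an external UNC target."""
    return [(name, host) for name, data in files.items()
            for host in unc_targets(data) if is_external_host(host)]


def external_smb_events(events: list[dict]) -> list[dict]:
    """DET-03 in Python: outbound port-445 connections to non-internal addresses."""
    return [e for e in events
            if e["RemotePort"] == 445 and not any(
                ipaddress.ip_address(e["RemoteIP"]) in net for net in INTERNAL_NETS)]


# Constructed samples. The '.cpl' blob is not a real control panel applet,
# only bytes carrying the kind of reference the IOC table describes.
SAMPLE_FILES = {
    "payload.cpl": b"constructed sample \\\\203.0.113.9\\share\\payload.cpl",
    "doc.lnk": "constructed \\\\fileserver.corp.example\\public\\doc.docx".encode("utf-16-le"),
    "notes.txt": b"see \\\\FS01\\users for the template",
}
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "RemoteIP": "10.1.2.3", "RemotePort": 445},
    {"DeviceName": "ws01", "RemoteIP": "203.0.113.9", "RemotePort": 445},
    {"DeviceName": "ws02", "RemoteIP": "203.0.113.9", "RemotePort": 443},
]

if __name__ == "__main__":
    print(scan_share(SAMPLE_FILES))
    print(external_smb_events(SAMPLE_EVENTS))
```

The explicit network list is deliberate: Python's ipaddress.is_private also reports the RFC 5737 documentation ranges used in these samples as private, and a detection built on it would silently skip them. Hostname classification is the weak spot of any such check; a single-label name can still be resolved over LLMNR/NBT-NS by a rogue responder, so the safer network control remains blocking outbound 445 at the perimeter as DET-03 recommends.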

TTPs (MITRE ATT&CK):

6. CVE-2026-31431 — Linux Kernel "Copy Fail" Local Privilege Escalation

[UPDATED — first reported 2026-05-01 (CISA KEV addition), updated 2026-05-07 09:00 UTC — CISA confirmed active exploitation in wild via BleepingComputer advisory]

What Changed: CISA issued updated exploitation confirmation on May 7, specifying that the vulnerability is being actively used in cloud and Kubernetes environments. The existing May 15 federal remediation deadline remains in force.

Actor: Multiple threat actors; exploitation observed in cloud environments (specific attribution not confirmed).
First Observed: 2026-05-01 (CISA KEV addition); active exploitation confirmed 2026-05-07.
Source Timestamp: 2026-05-07 09:00 UTC (BleepingComputer CISA warning article).

CVE-2026-31431 (CWE-669: Incorrect Resource Transfer Between Spheres) affects every major Linux distribution running kernels compiled since 2017, including Ubuntu 24.04 LTS, Amazon Linux 2023, Red Hat Enterprise Linux 10.1, SUSE 16, Debian, Fedora, and Arch Linux. A 732-byte Python script, demonstrably simple to weaponise, allows any unprivileged local user to reliably obtain root. Microsoft's security blog documented exploitation across cloud environments and Kubernetes workloads where multi-tenant isolation relies on Linux namespace boundaries that this vulnerability undermines.

Vulnerabilities Exploited: CVE-2026-31431 — Linux Kernel — Local privilege escalation (LPE) via kernel incorrect resource transfer; CVSS 7.8 (High); CISA KEV deadline May 15, 2026.

TTPs (MITRE ATT&CK):

7. QLNX (Quasar Linux RAT) — PyPI/npm Credential Theft Supply Chain

[UPDATED — first reported 2026-05-05 (Trend Micro / GBHackers disclosure), updated 2026-05-07 00:00 UTC — Rankiteo and CybersecurityNews provided additional IOCs and expanded package list]

What Changed: Additional PyPI and npm package names associated with QLNX distribution were published by Rankiteo and CybersecurityNews within the coverage window, expanding the known malicious package inventory.

Actor: Unattributed; QLNX infrastructure suggests a sophisticated, persistent adversary targeting the developer ecosystem.
Malware Family: Quasar Linux (QLNX) — full-featured Linux RAT with rootkit, PAM backdoor, and credential-harvesting modules.
First Observed: 2026-05-05 (Trend Micro disclosure).
Source Timestamp: 2026-05-07 00:00 UTC (updated IOC reporting within window).

QLNX is a sophisticated Linux implant designed to target developer and DevOps workstations. Once installed (via a malicious PyPI or npm package), it establishes persistent access through a dual-layer stealth mechanism: a userland LD_PRELOAD rootkit hooking libc functions to hide files, processes, and network connections, and a kernel-level eBPF component for deeper visibility suppression. The malware dynamically compiles rootkit shared objects and PAM backdoor modules on the target host using the system's installed gcc, avoiding pre-compiled binaries that might trigger static AV detection.

QLNX executes fileless from memory — it copies itself into RAM, deletes the on-disk binary, and re-executes from the memory copy — leaving minimal forensic trace. Its primary mission is credential harvesting targeting files central to software development and cloud infrastructure: .npmrc (NPM registry tokens), .pypirc (PyPI upload keys), .git-credentials, .aws/credentials, .kube/config, and .docker/config.json. A single compromised developer workstation can enable the attacker to publish trojanised packages to NPM or PyPI, inject backdoors into container images, or pivot from a personal laptop into production cloud environments.
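The following is an added offline audit for the host artefacts described above; it is not Trend Micro's code and not the implant's. It checks /etc/ld.so.preload against a baseline, lists PAM modules on disk and /etc/pam.d references that fall outside the distribution's expected set, and reports developer credential files readable by other users. Because the userland layer hooks libc (readdir, open, stat), a live system can lie to this script: run it from a statically linked interpreter or a rescue boot against the mounted disk, which is what the root argument is for. The baselines, the module directory list and the fixture contents are assumptions.

```python
"""Offline audit of QLNX-style host artefacts. Added illustration; not vendor code."""
import os
import stat
import tempfile
from pathlib import Path

PRELOAD_BASELINE: set[str] = set()          # assumption: clean builds preload nothing
PAM_BASELINE = {"pam_unix.so", "pam_env.so", "pam_permit.so", "pam_deny.so"}  # assumption: take from a golden image
PAM_DIRS = ("lib/security", "lib64/security", "usr/lib/security",
            "usr/lib64/security", "usr/lib/x86_64-linux-gnu/security")
CRED_FILES = (".npmrc", ".pypirc", ".git-credentials", ".aws/credentials",
              ".kube/config", ".docker/config.json")


def unexpected_preloads(root: Path) -> list[str]:
    f = root / "etc/ld.so.preload"
    if not f.is_file():
        return []
    lines = (l.strip() for l in f.read_text(errors="replace").splitlines())
    return [l for l in lines if l and not l.startswith("#") and l not in PRELOAD_BASELINE]


def unexpected_pam_modules(root: Path) -> list[str]:
    """Modules on disk that are not in the baseline. This is where a PAM
    backdoor has to live to be loadable, whatever /etc/pam.d says."""
    hits = []
    for d in PAM_DIRS:
        p = root / d
        if p.is_dir():
            hits += [f"{d}/{m.name}" for m in p.glob("*.so") if m.name not in PAM_BASELINE]
    return sorted(hits)


def unexpected_pam_refs(root: Path) -> list[tuple[str, str]]:
    """(config file, module) for /etc/pam.d lines that load a non-baseline module.
    Line format: type control module [args]; the control field may be a
    bracketed list with spaces, e.g. 'auth [success=1 default=ignore] pam_unix.so'."""
    hits = []
    d = root / "etc/pam.d"
    if not d.is_dir():
        return hits
    for cfg in sorted(p for p in d.iterdir() if p.is_file()):
        for line in cfg.read_text(errors="replace").splitlines():
            tok = line.split()
            if len(tok) < 3 or tok[0].startswith(("#", "@include")):
                continue
            i = 2
            if tok[1].startswith("["):
                j = 1
                while j < len(tok) and not tok[j].endswith("]"):
                    j += 1
                i = j + 1
            if i < len(tok) and Path(tok[i]).name not in PAM_BASELINE:
                hits.append((cfg.name, Path(tok[i]).name))
    return hits


def exposed_cred_files(home: Path) -> list[tuple[str, str]]:
    """Credential files under the home directory whose mode grants group or
    world access; anything beyond 0600 deserves a look."""
    hits = []
    for rel in CRED_FILES:
        p = home / rel
        if p.is_file():
            mode = stat.S_IMODE(p.stat().st_mode)
            if mode & 0o077:
                hits.append((rel, oct(mode)))
    return hits


def audit(root: Path, home: Path) -> dict:
    return {"preload": unexpected_preloads(root), "pam_modules": unexpected_pam_modules(root),
            "pam_refs": unexpected_pam_refs(root), "creds": exposed_cred_files(home)}


def build_fixture() -> tuple[Path, Path]:
    """Constructed disk layout with planted artefacts so the audit runs offline.
    The planted names are fictitious and only illustrate the shape of a finding."""
    root = Path(tempfile.mkdtemp(prefix="qlnx-audit-demo-"))
    (root / "etc/pam.d").mkdir(parents=True)
    (root / "etc/ld.so.preload").write_text("/usr/lib/libsec_helper.so\n")
    (root / "etc/pam.d/sshd").write_text(
        "auth [success=1 default=ignore] pam_unix.so nullok\n"
        "auth optional pam_security.so\n"
        "@include common-auth\n")
    pam = root / "lib/security"
    pam.mkdir(parents=True)
    for name in ("pam_unix.so", "pam_security.so"):
        (pam / name).write_bytes(b"")
    home = root / "home/dev"
    (home / ".aws").mkdir(parents=True)
    (home / ".aws/credentials").write_text("[default]\naws_access_key_id = EXAMPLE\n")
    os.chmod(home / ".aws/credentials", 0o644)          # world-readable: should be reported
    (home / ".npmrc").write_text("//registry.npmjs.org/:_authToken=EXAMPLE\n")
    os.chmod(home / ".npmrc", 0o600)                      # correctly locked down
    return root, home


if __name__ == "__main__":
    r, h = build_fixture()
    for k, v in audit(r, h).items():
        print(k, v)
```

Two practical points the fixture makes visible: a PAM backdoor shows up twice (the .so in the module directory and the line in /etc/pam.d that loads it), and either alone is a finding; and the credential files QLNX targets are exactly the ones that, with a loose mode, are also readable by any other process on a shared build host, so the permissions check is worth running even on hosts you believe are clean.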

TTPs (MITRE ATT&CK):

Malware Toolkit:

8. SHADOW-EARTH-053 — China-Aligned Espionage Against Asian Governments and NATO

[UPDATED — first reported 2026-05-01 (Trend Micro / THN), updated 2026-05-07 00:00 UTC — additional country targets and network infrastructure IOCs published by GuardianMSSP within window]

What Changed: Additional targeted country confirmation (Pakistan and Poland added to target list) and supplementary network infrastructure indicators (ShadowPad C2 IP ranges) published by MSSP aggregators within the coverage window.

Actor: SHADOW-EARTH-053 (Trend Micro tracking designation); assessed with moderate confidence to be China-aligned; infrastructure and tooling overlaps with Earth Alux, CL-STA-0049, and REF7707.
Malware Family: ShadowPad, Noodle RAT variants, Godzilla web shell.
First Observed: 2024-12 (earliest assessed activity); public disclosure 2026-05-01.
Source Timestamp: 2026-05-07 00:00 UTC (aggregator updates within window).

SHADOW-EARTH-053 is a China-aligned threat cluster conducting targeted espionage against government, defence, and media entities across South, East, and Southeast Asia, and at least one European NATO member state. The group exploits N-day vulnerabilities in internet-facing Microsoft Exchange and IIS servers (notably the ProxyLogon chain) to gain initial access, then deploys Godzilla web shells for persistent foothold. ShadowPad — a modular post-exploitation framework widely shared across China-linked actor clusters — is delivered via DLL sideloading using legitimate, signed executables as carriers. Lateral movement tooling includes IOX, GOST, Wstunnel, and RingQ for tunnelling and proxy capabilities.

Confirmed target countries include India, Thailand, Malaysia, Myanmar, Sri Lanka, Taiwan, Pakistan, and Poland. The inclusion of a NATO state (Poland) alongside multiple South and Southeast Asian governments underscores the breadth of China's intelligence collection priorities and the risk to defence and diplomatic institutions globally.

Vulnerabilities Exploited: ProxyLogon chain (CVE-2021-26855, CVE-2021-27065 etc.) — Microsoft Exchange — Server-side request forgery + arbitrary file write; N-day exploitation of unpatched legacy deployments.

TTPs (MITRE ATT&CK):

IOC Pack

IOC validity note: IOCs in this pack are sourced from content published or updated within the coverage window (2026-05-07 00:00 UTC to 2026-05-08 23:59 UTC). Operational TTL is 7–14 days from first observation.

New IOCs (first observed in this coverage window)

Network IOCs — IPs and Domains

Type | Value | Campaign | Notes
Domain | env-check.daemontools[.]cc | DAEMON Tools Supply Chain | QUIC-RAT C2; registered 2026-03-27; defanged
IP | 38.180.107[.]76 | DAEMON Tools Supply Chain | C2 server IP; defanged
Port | 6081, 6082 (inbound) | CVE-2026-0300 PAN-OS | User-ID Authentication Portal exposure indicator

File / Package IOCs

Type | Value | Campaign | Notes
Windows installer | DAEMON Tools Lite 12.5.0.2421 – 12.5.0.2434 | DAEMON Tools Supply Chain | Official website distribution; signed with legitimate cert; treat as compromised
PyPI / npm | Per Trend Micro IOC list | QLNX Supply Chain | Multiple packages; names in vendor advisory

CVEs — Actively Exploited in the Wild (first confirmed this window)

CVE | CVSS | Product | Exploited By | CISA KEV | Patch Deadline
CVE-2026-0300 | 9.3 | Palo Alto PAN-OS (PA-Series, VM-Series) | Unattributed opportunistic | Not yet added | Patch ETA: 2026-05-13 to 2026-05-28

Behavioural IOCs / Suspicious Artefacts

Type | Value | Campaign | Notes
File path | C:\Windows\Temp\envchk.exe | DAEMON Tools Supply Chain | Staged dropper written by trojanised installer
File path | %AppData%\Microsoft\mcrypto.dat | DAEMON Tools Supply Chain | QUIC-RAT persistence artefact
Process | notepad.exe with unusual parent (DTHelper.exe) | DAEMON Tools Supply Chain | Injection target
Process | conhost.exe with unusual parent (DTHelper.exe) | DAEMON Tools Supply Chain | Injection target
File path | /etc/ld.so.preload (unexpected entries) | QLNX Supply Chain | LD_PRELOAD rootkit persistence
Process | Unexpected gcc compilation on developer workstation | QLNX Supply Chain | Rootkit module compilation
File path | pam_security.so (or similar name) in the PAM module directory (/lib/security, /lib64/security, /usr/lib/*/security), plus any /etc/pam.d/* line that references it | QLNX Supply Chain | PAM backdoor module; PAM loads modules from the module directories, /etc/pam.d/ holds only the configuration that names them
UNC pattern | \\<external-ip>\<share>\*.cpl in Shell handler | CVE-2026-32202 | NTLM coercion trigger
File path | credentials.txt or cred.txt in user home directory | MuddyWater Teams | Credential exfiltration artefact, attacker-instructed
Outbound port | 445 (SMB) to external IPs | CVE-2026-32202 | NTLM hash leak indicator
DNS query | env-check.daemontools[.]cc | DAEMON Tools Supply Chain | C2 beacon; should never appear in enterprise DNS

KQL Hunting Queries

// HUNT-01: DAEMON Tools QUIC-RAT C2 beacon to daemontools[.]cc | Covers: DAEMON Tools Supply Chain | MITRE: T1071
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "daemontools.cc"
   or RemoteIP == "38.180.107.76"
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessParentFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
// HUNT-02: Suspicious process injection from DAEMON Tools binaries | Covers: DAEMON Tools Supply Chain | MITRE: T1055.012
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe")
   and FileName in~ ("notepad.exe", "conhost.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName,
          ProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
// HUNT-03: Anomalous envchk.exe or mcrypto.dat artefacts | Covers: DAEMON Tools Supply Chain | MITRE: T1195.002
// Note: match on FileName plus a path fragment; `has` tokenises on punctuation, so a full backslash path is an unreliable term.
DeviceFileEvents
| where Timestamp > ago(24h)
| where (FileName =~ "envchk.exe" and FolderPath contains @"\Windows\Temp\")
   or (FileName =~ "mcrypto.dat" and FolderPath contains @"\Microsoft\")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-04: Outbound SMB to external IPs (NTLM coercion / CVE-2026-32202) | Covers: CVE-2026-32202 | MITRE: T1187
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
   and not (RemoteIPType == "Private")
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
// HUNT-05: Credential text file creation via Teams social engineering | Covers: MuddyWater Teams | MITRE: T1056.001
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ ("credentials.txt", "cred.txt")
| project Timestamp, DeviceName, ActionType, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessParentFileName
| order by Timestamp desc
// HUNT-06: New MFA device registration from untrusted location | Covers: MuddyWater Teams | MITRE: T1098.005
// Note: Run against Microsoft Entra ID audit logs (AuditLogs table in Sentinel). The actor IP is carried in
// InitiatedBy.user.ipAddress; AdditionalDetails is an array of name/value pairs and does not hold it.
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("User registered security info", "Register security info", "Add registered users")
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, UserPrincipalName, InitiatorUPN, OperationName, IPAddress, Result
| order by TimeGenerated desc
// HUNT-07: Linux kernel privilege escalation via CVE-2026-31431 — Python exploit script execution | Covers: CVE-2026-31431 | MITRE: T1068
// Note: keyword heuristic only; replace with file hashes once a sample is in hand. FileName may carry a minor version (python3.12).
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName startswith "python"
| where ProcessCommandLine has_any ("copy_fail", "31431", "/proc/self/mem", "privesc")
| project Timestamp, DeviceName, AccountName, FileName,
          ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
// HUNT-08: PAN-OS exploitation probe — anomalous traffic to ports 6081/6082 | Covers: CVE-2026-0300 | MITRE: T1190
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (6081, 6082)
| where not (RemoteIPType == "Private")
| project Timestamp, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessFileName, LocalIP
| order by Timestamp desc

KQL Detection Rules (High Fidelity)

Rationale for DET-01: The domain env-check.daemontools[.]cc has no legitimate software purpose. Any DNS resolution or network connection to this domain represents a high-confidence DAEMON Tools QUIC-RAT C2 beacon. Legitimate DAEMON Tools software connects to disc-soft.com and related vendor infrastructure only.

// DET-01: DAEMON Tools QUIC-RAT C2 Beacon | MITRE: T1071 | Severity: CRITICAL
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has "daemontools.cc"
   or RemoteIP == "38.180.107.76"
| extend AlertTitle = "DAEMON Tools QUIC-RAT C2 Beacon Detected"
| extend Severity = "Critical"
| extend MITRETechnique = "T1071 - Application Layer Protocol"
| extend RecommendedAction = "Isolate the endpoint immediately. Collect memory dump and disk image. Verify DAEMON Tools version — if 12.5.0.2421-12.5.0.2434, treat as confirmed compromise. Rotate all credentials on the device including npm, PyPI, AWS, and Git tokens. Update to DAEMON Tools 12.6."
| project Timestamp, AlertTitle, Severity, MITRETechnique,
          DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP,
          RecommendedAction
| order by Timestamp desc

Rationale for DET-02: DTHelper.exe and related DAEMON Tools binaries have no legitimate reason to spawn or inject into notepad.exe or conhost.exe. This parent-child relationship is a direct indicator of the known injection technique used by the DAEMON Tools QUIC-RAT. False positives from legitimate DAEMON Tools operation are not expected.

// DET-02: DAEMON Tools Binary Spawning Injection Target | MITRE: T1055.012 | Severity: CRITICAL
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe")
   and FileName in~ ("notepad.exe", "conhost.exe")
| extend AlertTitle = "DAEMON Tools Binary Injecting into notepad.exe/conhost.exe"
| extend Severity = "Critical"
| extend MITRETechnique = "T1055.012 - Process Hollowing"
| extend RecommendedAction = "Isolate endpoint. Confirm DAEMON Tools version is in the compromised range (12.5.0.2421-12.5.0.2434). Initiate full IR playbook. Treat all stored developer credentials as compromised."
| project Timestamp, AlertTitle, Severity, MITRETechnique,
          DeviceName, InitiatingProcessFileName, FileName,
          ProcessCommandLine, RecommendedAction
| order by Timestamp desc

Rationale for DET-03: Outbound SMB connections (port 445) to public internet IP addresses are almost always malicious. Legitimate SMB traffic is confined to internal RFC1918 space. Any outbound port-445 connection to a public IP is a strong indicator of NTLM coercion exploitation (CVE-2026-32202) or credential relay attack. Allowlist known exceptions such as Azure File Storage IPs if in use.

// DET-03: Outbound SMB to Public Internet (NTLM Hash Coercion) | MITRE: T1187 | Severity: HIGH
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 445
   and RemoteIPType != "Private"
| extend AlertTitle = "Outbound SMB to Public Internet — Possible NTLM Coercion (CVE-2026-32202)"
| extend Severity = "High"
| extend MITRETechnique = "T1187 - Forced Authentication"
| extend RecommendedAction = "Block the outbound SMB connection at the perimeter firewall. Confirm Windows April 2026 Patch Tuesday is applied (patches CVE-2026-32202). Rotate the NTLM credentials of the affected account — treat hash as compromised. Review if the endpoint accessed a UNC-path-referencing file in the minutes prior."
| project Timestamp, AlertTitle, Severity, MITRETechnique,
          DeviceName, LocalIP, RemoteIP, RemotePort,
          InitiatingProcessFileName, RecommendedAction
| order by Timestamp desc

Rationale for DET-04: The file credentials.txt or cred.txt in a user's profile directory is a direct behavioural artefact of the MuddyWater Teams social engineering campaign where attackers instruct victims to type credentials into text files. No legitimate enterprise workflow creates plaintext credential files by this name.

// DET-04: Plaintext Credential File Created (MuddyWater Teams TTP) | MITRE: T1056.001 | Severity: HIGH
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName in~ ("credentials.txt", "cred.txt")
   and ActionType == "FileCreated"
| extend AlertTitle = "Plaintext Credential File Created — Possible MuddyWater Social Engineering"
| extend Severity = "High"
| extend MITRETechnique = "T1056.001 - Input Capture: Keylogging"
| extend RecommendedAction = "Contact the user immediately to determine if they were on a Microsoft Teams call with an external party. Rotate all credentials the user may have typed into the file. Review Teams call logs for external tenant contacts. Check for new MFA device registrations on the account."
| project Timestamp, AlertTitle, Severity, MITRETechnique,
          DeviceName, FileName, FolderPath,
          InitiatingProcessFileName, RecommendedAction
| order by Timestamp desc

Mitigation Priorities

Patch (actively exploited — act now):

  1. April 2026 Patch Tuesday — CVE-2026-32202 — Windows (all supported versions): Apply the April 14, 2026 cumulative update to all Windows endpoints and servers. CISA mandatory federal deadline is May 12, 2026. Access via Windows Update / WSUS / Intune. Priority: domain controllers and endpoints with high-privilege user populations.
  2. Linux Kernel — CVE-2026-31431 — All Linux distributions (kernel built since 2017): Upgrade to kernel version 6.18.22, 6.19.12, or 7.0+. For distributions with vendor kernels (Ubuntu 24.04, RHEL 10.1, Amazon Linux 2023, SUSE 16, Debian, Fedora): apply the distribution-specific kernel package update via apt/dnf/yum. CISA mandatory federal deadline is May 15, 2026. Priority: cloud instances, Kubernetes nodes, shared multi-tenant Linux environments.
  3. DAEMON Tools — All versions 12.5.0.2421 through 12.5.0.2434 — Windows: Update to DAEMON Tools Lite 12.6 (released 2026-05-05, confirmed clean). Do not merely uninstall the old version — treat the filesystem as potentially compromised and hunt for envchk.exe, mcrypto.dat, and anomalous processes before clean reinstall.
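The following is an added helper for the two version-gated items above (the DAEMON Tools compromised build range from the deep-dive and the upstream kernel fix versions for CVE-2026-31431); it is not vendor code. It compares versions as integer tuples, because string comparison sorts "12.5.0.999" after "12.5.0.2434", and it refuses to clear a kernel whose series is not in the upstream fix list, because distribution kernels (6.8.0-45-generic, 5.14.0-427.el9 and similar) carry backported fixes under their own numbering and must be checked against the distribution advisory instead. The fix versions come from the list above; the sample inputs are constructed.

```python
"""Version gating for the DAEMON Tools and kernel patch items. Added illustration."""
import re

DAEMON_TOOLS_COMPROMISED = ("12.5.0.2421", "12.5.0.2434")       # inclusive, per the deep-dive
KERNEL_FIXED_IN = {(6, 18): (6, 18, 22), (6, 19): (6, 19, 12)}   # and every 7.x release


def parse_version(text: str) -> tuple[int, ...]:
    """Leading dotted-integer part of a version or uname -r string."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def daemon_tools_compromised(version: str) -> bool:
    lo, hi = (parse_version(v) for v in DAEMON_TOOLS_COMPROMISED)
    return lo <= parse_version(version) <= hi


def kernel_status(uname_r: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' against the upstream list.
    'unknown' is not 'safe': the series is vendor-maintained and the
    distribution advisory for CVE-2026-31431 decides."""
    v = parse_version(uname_r)
    if v[0] >= 7:
        return "fixed"
    fixed_at = KERNEL_FIXED_IN.get(v[:2])
    if fixed_at is None:
        return "unknown"
    return "fixed" if v >= fixed_at else "vulnerable"


def triage_hosts(inventory: dict[str, str]) -> dict[str, str]:
    """hostname -> verdict for a {host: 'uname -r'} inventory (constructed here)."""
    return {host: kernel_status(rel) for host, rel in inventory.items()}


if __name__ == "__main__":
    # Why tuples: lexical order gets this backwards.
    assert "12.5.0.999" > "12.5.0.2434"
    assert parse_version("12.5.0.999") < parse_version("12.5.0.2434")
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.6.0.1"):
        print(v, daemon_tools_compromised(v))
    print(triage_hosts({"k8s-node-1": "6.18.21-arch1-1", "k8s-node-2": "6.19.12",
                        "web-1": "6.8.0-45-generic", "lab-1": "7.0.0"}))
```

For the DAEMON Tools case the version check is a starting point, not a clearance: the deep-dive's point is that the binaries carried a valid vendor signature, so a host in the compromised range is confirmed exposed, while a host outside it still needs the envchk.exe / mcrypto.dat hunt before it is called clean.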

Network hardening:

Microsoft Teams / Identity:

Developer / Supply Chain:

Awareness / Process:

Sources