Severity: HIGH
CVSS: 9.5
Priority: 0.725
Executive Summary
Threat actors compromised the official DAEMON Tools distribution channel beginning April 8, 2026 (discovered approximately one month later in early May 2026), embedding a multi-stage backdoor into digitally signed installers across versions 12.5.0.2421 through 12.5.0.2434. The campaign exploited code-signing trust to bypass security controls, with second-stage payloads selectively deployed against government, scientific, retail, and manufacturing organizations, primarily in Russia, Belarus, and Thailand, though infections reached over 100 countries. Any organization that installed DAEMON Tools during this window faces potential system compromise, data exfiltration, and persistent backdoor access; the campaign was discovered after approximately one month of undetected activity.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (Unknown; Chinese-speaking, unattributed as of 2026-05-05)
TTP Sophistication: HIGH (14 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: INFO (DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434: DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe)
Are You Exposed?
⚠ Your industry is targeted by this actor (unknown; Chinese-speaking, unattributed as of 2026-05-05) → Heightened risk
⚠ You use DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) → Assess exposure
⚠ 14 attack techniques identified → Review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
Any organization that installed DAEMON Tools during the affected window may have given a sophisticated threat actor persistent, hidden access to internal systems — access that went undetected for approximately one month. For government and regulated-industry organizations in scope, the risk includes sensitive data exfiltration, operational disruption from backdoor-enabled follow-on actions, and potential regulatory exposure if compromised systems handled protected data. The selective, high-value targeting pattern indicates this actor is not opportunistic — organizations that received second-stage payloads were chosen, which means impact assessment requires forensic confirmation, not just version checking.
You Are Affected If
You installed DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 on any system between April 8, 2026 and the date of detection
The installer was obtained from the official DAEMON Tools distribution channel during the compromised window
Affected binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) executed on endpoints with access to sensitive internal networks or data
Your organization operates in government, scientific research, retail, or manufacturing sectors — sectors specifically targeted for second-stage payload delivery
You have not yet audited systems for indicators published by Kaspersky Securelist following this campaign's disclosure
Board Talking Points
A trusted, widely-used software tool was secretly modified to install a backdoor — any organization that downloaded it during a one-month window may have an attacker inside their systems right now.
IT and security teams should immediately check whether affected versions were installed and initiate forensic review on any systems where they were found — this should be completed within 48 hours.
Organizations that take no action risk leaving an active, undetected backdoor in place, which could enable data theft, operational disruption, or further network compromise.
Technical Analysis
Threat actors compromised the official DAEMON Tools distribution channel to deliver trojanized installers carrying a multi-stage backdoor.
Affected versions: 12.5.0.2421 through 12.5.0.2434.
Malicious components embedded in DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
The attack exploited three weaknesses: CWE-693 (protection mechanism failure via trusted code-signing bypass), CWE-506 (embedded malicious code), and CWE-494 (download without integrity verification). MITRE ATT&CK coverage spans the full intrusion chain: initial access via compromised software supply chain (T1195.002), abuse of code-signing trust (T1553.002), obfuscated files and their deobfuscation (T1027, T1140), persistence via registry run keys (T1547.001), process injection (T1055), command execution (T1059), system and network discovery (T1082, T1016), non-application layer C2 (T1095), application layer C2 (T1071), ingress tool transfer (T1105), masquerading (T1036), and process discovery (T1057). Second-stage payloads were selectively deployed only to high-value targets, suggesting active operator triage. Threat actor attribution remains unconfirmed as of 2026-05-05. Linguistic and operational indicators suggest possible Chinese-speaking operators, but confidence is insufficient for formal attribution. No CVE assigned. No vendor patch advisory confirmed at time of reporting. The campaign went undetected for approximately one month.
Action Checklist
Triage Priority: IMMEDIATE
Escalate to senior leadership, legal counsel, and the relevant ISAC (e.g., MS-ISAC or sector-specific) immediately if any system confirmed to have received the second-stage payload stores PII, PHI, classified information, or government contract data, or has OT/ICS connectivity. The selective targeting of government and scientific organizations in this campaign and the CVSS 9.5 rating indicate a high likelihood of data exfiltration objectives that may trigger breach notification obligations.
Step 1: Containment. Immediately identify all systems where DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 were installed between April 8, 2026 and the date of discovery. Isolate those endpoints from the network pending investigation. Block execution of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe from the affected version range via application control policies.
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST CM-7 (Least Functionality)
NIST SI-3 (Malicious Code Protection)
CIS 2.3 (Address Unauthorized Software)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
Use 'Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*DAEMON Tools*"}' across endpoints via PSRemoting to enumerate installs. Cross-reference install timestamps against April 8, 2026 using 'Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' for the InstallDate fields. Block the three binaries via a Windows Defender Application Control (WDAC) policy or Software Restriction Policies using their known paths: '%ProgramFiles%\DAEMON Tools Lite\DTHelper.exe', 'DiscSoftBusServiceLite.exe', and 'DTShellHlp.exe'. Isolate affected hosts using a host-based firewall rule: 'netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound' until investigated.
Preserve Evidence
Before isolating, capture: full memory dump using ProcDump or WinPmem ('winpmem_mini_x64.exe memdump.raw') to preserve any in-memory second-stage payload resident in DTHelper.exe or DiscSoftBusServiceLite.exe process space; Windows Prefetch files at '%SystemRoot%\Prefetch\DTHELPER.EXE-*.pf' and equivalents for the other two binaries to establish first and last execution timestamps; installer file hash ('Get-FileHash -Algorithm SHA256 <installer_path>') compared against known-bad hashes from the Kaspersky/Securelist advisory; and current active network connections from affected processes ('Get-NetTCPConnection | Where-Object {$_.OwningProcess -in (Get-Process DTHelper,DiscSoftBusServiceLite,DTShellHlp).Id}') before network isolation severs C2 visibility.
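The Step 1 enumeration above, as an added example that is not code from the advisory or from Disc Soft: it reads the Uninstall registry keys rather than Win32_Product (querying Win32_Product triggers MSI consistency repairs on every installed product), flags the affected version range and install dates on or after April 8, 2026, and hashes and signature-checks the three named binaries. The hosts.txt file name is an assumption.

```powershell
# Added example, not from the advisory: scope DAEMON Tools exposure on one host.
# Run elevated, locally or through Invoke-Command.
function Get-DaemonToolsExposure {
    $affectedMin    = [version]'12.5.0.2421'
    $affectedMax    = [version]'12.5.0.2434'
    $windowStart    = [datetime]'2026-04-08'
    $targetBinaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
    # 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives
    $uninstallKeys  = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($entry in (Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue)) {
        if ($entry.DisplayName -notlike '*DAEMON Tools*') { continue }

        # DisplayVersion is a string; compare as [version] so 12.5.0.2434 sorts above 12.5.0.999
        $ver = $null
        $inRange = [version]::TryParse([string]$entry.DisplayVersion, [ref]$ver) -and
                   ($ver -ge $affectedMin) -and ($ver -le $affectedMax)

        # InstallDate is stored as yyyyMMdd and is absent for some installer types
        $installed = $null
        if ($entry.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($entry.InstallDate, 'yyyyMMdd', $null)
        }
        $inWindow = ($null -ne $installed) -and ($installed -ge $windowStart)

        # Hash and signature-check the three binaries under InstallLocation
        $binaries = foreach ($name in $targetBinaries) {
            if (-not $entry.InstallLocation) { continue }
            $path = Join-Path -Path $entry.InstallLocation -ChildPath $name
            if (-not (Test-Path -Path $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                File      = $name
                SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # compare with Securelist IOCs
                SigStatus = $sig.Status                                          # 'Valid' does NOT mean clean here
                Signer    = $sig.SignerCertificate.Subject
                Serial    = $sig.SignerCertificate.SerialNumber                  # record for IOC sharing
            }
        }

        # Affected version installed on/after 2026-04-08: isolate and investigate.
        # Affected version with no usable InstallDate: date it from Prefetch or the installer mtime.
        $action = if ($inRange -and $inWindow) { 'ISOLATE-AND-INVESTIGATE' }
                  elseif ($inRange)           { 'VERIFY-INSTALL-DATE' }
                  else                        { 'OUT-OF-SCOPE' }

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = $entry.DisplayName
            DisplayVersion  = $entry.DisplayVersion
            InstallDate     = $installed
            InstallLocation = $entry.InstallLocation
            AffectedVersion = $inRange
            InWindow        = $inWindow
            Action          = $action
            Binaries        = $binaries
        }
    }
}

# Local run shown; for fleet triage (hosts.txt is an assumed inventory file):
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-DaemonToolsExposure}
Get-DaemonToolsExposure | Format-List
```

Hosts reported as ISOLATE-AND-INVESTIGATE should have evidence captured per the Preserve Evidence step before the firewall isolation rule is applied.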
Step 2: Detection. Query endpoint telemetry and EDR for process creation events involving DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe originating from DAEMON Tools installer directories. Hunt for T1547.001 persistence artifacts: new or modified HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM equivalents created in the April 8 to present timeframe. Look for anomalous outbound connections (T1095, T1071) from DAEMON Tools process trees. Consult Securelist for published IOCs including file hashes and C2 indicators (search-retrieved resource; validate URL before use).
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-4 (Incident Handling)
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Deploy Sysmon with a config that captures Event ID 1 (Process Create), Event ID 3 (Network Connection), Event ID 11 (File Create), and Event ID 13 (Registry Value Set). Query the Sysmon operational log: 'Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object {$_.Message -match "DTHelper|DiscSoftBusServiceLite|DTShellHlp"}'. For T1547.001 registry persistence, run 'reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run' and 'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', then export all autostart entries with Sysinternals autorunsc ('autorunsc.exe -accepteula -a * -c -h -s') and diff against a known-good baseline to isolate entries added after April 8, 2026 (reg query does not report value timestamps, so the baseline diff or Sysmon Event ID 13 supplies the timing). For C2 hunting (T1095/T1071) without EDR, capture a 10-minute pcap per suspect host using 'tshark -i <interface> -w daemontools_suspect.pcap -f "host <suspect_ip>"' and filter for non-browser processes making HTTP/S or raw TCP connections. Write a YARA rule targeting the trojanized binaries (using the hash module with the DTHelper.exe hashes from the affected version range) and scan with 'yara64.exe -r rule.yar "C:\Program Files\DAEMON Tools Lite"'.
Preserve Evidence
Query Windows Security Event Log for Event ID 4688 (Process Creation) filtering on parent processes matching DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe to identify any child processes spawned by the backdoor — unexpected cmd.exe, powershell.exe, or rundll32.exe children are high-fidelity indicators. Export Sysmon Event ID 13 (Registry Value Set) entries targeting 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' with timestamps between April 8, 2026 and discovery date. Extract Windows DNS Client Event Log (Microsoft-Windows-DNS-Client/Operational) for resolution of domains made by DAEMON Tools process PIDs — this campaign's C2 infrastructure would appear as DNS queries from the DTHelper.exe process space. Collect Sysmon Event ID 3 (Network Connection) records for outbound connections initiated by any of the three affected binaries, noting destination IP, port, and protocol to identify T1095 (non-application-layer protocol) or T1071 (application-layer protocol) C2 channels.
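The Sysmon hunt described in Step 2, as an added example that is not code from the advisory: it parses Event IDs 1, 3 and 13 within the campaign window and reports child processes, outbound connections and Run-key writes whose source image is one of the three trojanized binaries. It assumes Sysmon is installed with those event IDs enabled; the output CSV name is an assumption.

```powershell
# Added example, not from the advisory: hunt Sysmon telemetry for activity sourced
# from the trojanized DAEMON Tools binaries. Run from an elevated console.
$Suspects      = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$WindowStart   = [datetime]'2026-04-08'
$RunKeyPattern = '\\CurrentVersion\\Run(Once)?\\'

# Flatten one Sysmon event's <Data Name="..."> fields into a hashtable
function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml    = [xml]$Event.ToXml()
    $fields = @{ EventId = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# True when the image path's file name is one of the three suspect binaries
function Test-SuspectImage {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $false }
    return $Suspects -contains (Split-Path -Path $ImagePath -Leaf)
}

function Get-DaemonToolsSysmonFindings {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 13; StartTime = $WindowStart }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $f = ConvertFrom-SysmonEvent -Event $ev
        switch ($f.EventId) {
            1 {   # Process Create: suspect binary as PARENT of a new process (T1059)
                if (Test-SuspectImage $f.ParentImage) {
                    [pscustomobject]@{ Time = $f.Time; Finding = 'ChildProcess'; Source = $f.ParentImage
                                       Detail = "$($f.Image) :: $($f.CommandLine)"; User = $f.User }
                }
            }
            3 {   # Network Connection: outbound from a suspect binary (T1071/T1095 C2)
                if ($f.Initiated -eq 'true' -and (Test-SuspectImage $f.Image)) {
                    [pscustomobject]@{ Time = $f.Time; Finding = 'OutboundConnection'; Source = $f.Image
                                       Detail = "$($f.Protocol) $($f.DestinationIp):$($f.DestinationPort) ($($f.DestinationHostname))"
                                       User = $f.User }
                }
            }
            13 {  # Registry Value Set: suspect binary writing an autostart value (T1547.001)
                if ((Test-SuspectImage $f.Image) -and ($f.TargetObject -match $RunKeyPattern)) {
                    [pscustomobject]@{ Time = $f.Time; Finding = 'RunKeyPersistence'; Source = $f.Image
                                       Detail = "$($f.TargetObject) = $($f.Details)"; User = $f.User }
                }
            }
        }
    }
}

# Review on screen and keep a copy for the case file (assumed file name)
$findings = @(Get-DaemonToolsSysmonFindings)
$findings | Sort-Object Time | Format-Table -AutoSize
$findings | Export-Csv -Path .\daemontools_sysmon_findings.csv -NoTypeInformation
```

Any ChildProcess finding whose Detail names cmd.exe, powershell.exe or rundll32.exe is the high-fidelity indicator the Preserve Evidence step calls out.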
Step 3: Eradication. Uninstall affected DAEMON Tools versions (12.5.0.2421-12.5.0.2434) on all identified systems. Do not reinstall from cached or previously downloaded installers. Verify any replacement installer hash against a clean, post-incident release from the vendor before deploying. Remove persistence registry entries identified during detection. Terminate and remove any secondary payloads identified through EDR forensics.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-7 (Least Functionality)
NIST IR-4 (Incident Handling)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 2.3 (Address Unauthorized Software)
CIS 7.3 (Perform Automated Operating System Patch Management)
Compensating Control
Uninstall via 'wmic product where name="DAEMON Tools Lite" call uninstall /nointeractive' and confirm removal with 'Get-WmiObject Win32_Product | Where-Object {$_.Name -like "*DAEMON*"}'. Verify no DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe binaries remain under '%ProgramFiles%', '%ProgramFiles(x86)%', '%AppData%', or '%Temp%' using 'Get-ChildItem -Path C:\ -Recurse -Filter "DTHelper.exe" -ErrorAction SilentlyContinue'. Before deploying any replacement installer, compute SHA-256 ('certutil -hashfile <installer.exe> SHA256') and compare against the vendor-published hash from the official Disc Soft release announcement post-April 8, 2026 incident — do not trust any installer downloaded prior to vendor confirmation of a clean build. Remove identified Run key persistence entries with 'reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v <malicious_entry_name> /f'. For second-stage payloads identified in memory or on disk, use ClamAV ('clamscan -r --remove=yes C:\ --log=clamscan_output.txt') as a secondary sweep after manual removal.
Preserve Evidence
Before uninstalling, image the full installer binary ('DTSetup.exe' or equivalent) from its download cache location — typically '%UserProfile%\Downloads\' or '%Temp%\' — and preserve its SHA-256 hash as evidence of the trojanized version. Capture a complete registry export of both Run keys ('reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run_hkcu_pre_eradication.reg', and the HKLM equivalent) prior to deletion to document persistence mechanisms. Enumerate and hash all files dropped by the secondary payload in '%AppData%\' (which resolves to the user's AppData\Roaming folder), '%ProgramData%\', and any scheduled task XML files under '%SystemRoot%\System32\Tasks\' that were created or modified after April 8, 2026, as the multi-stage backdoor would have staged additional components in these locations. Document all active scheduled tasks ('schtasks /query /fo LIST /v > scheduled_tasks_pre_eradication.txt') before removal.
Step 4: Recovery. Reimage or perform full forensic validation on any system confirmed to have received a second-stage payload before returning it to production. On systems where only the trojanized installer was present but no second-stage activity is confirmed, validate clean state via EDR and integrity tooling before reconnecting. Monitor for re-establishment of C2 channels (T1095, T1071) and reappearance of registry persistence (T1547.001) for a minimum of 30 days post-remediation.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CP-10 (System Recovery and Reconstitution)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For systems requiring forensic validation rather than reimage, run Sysinternals Autoruns ('autorunsc.exe -a * -c -h -s -user * > autoruns_post_eradication.csv') and diff against a known-good baseline to confirm no residual T1547.001 persistence. Validate the integrity of OS system files using 'sfc /scannow' and 'DISM /Online /Cleanup-Image /RestoreHealth'. For 30-day post-remediation monitoring without EDR, schedule a daily Sysmon log export and PowerShell script to alert on any new Run key entries or outbound connections from DAEMON Tools install paths, for example: 'Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=13} | Where-Object {$_.Message -match "CurrentVersion\\Run"}'. Deploy a YARA rule scanning '%AppData%', '%ProgramData%', and '%Temp%' weekly for second-stage payload signatures derived from Kaspersky IOCs.
Preserve Evidence
Capture a post-eradication memory dump on any system that received a confirmed second-stage payload, using WinPmem, to verify no resident implant survives in process space before reconnection. Run 'netstat -anob > netstat_post_recovery.txt' at reconnection and at 24-hour intervals for the first week to detect any re-establishment of C2 channels characteristic of this campaign's T1095/T1071 infrastructure. Preserve Windows Event Log archives (Security, System, Sysmon Operational) from the full April 8, 2026 through remediation window as chain-of-custody evidence — export with 'wevtutil epl Security Security_archive.evtx' — before log rotation discards them.
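The daily Run-key check for the 30-day monitoring period in Step 4, as an added example that is not code from the advisory: the first run after eradication records a JSON baseline of every Run/RunOnce value in HKLM, HKCU and WOW6432Node, and later runs (scheduled with Task Scheduler) report values that were added, changed or removed since then. The C:\IR paths are assumptions.

```powershell
# Added example, not from the advisory: baseline-and-diff of autostart Run keys
# for post-remediation monitoring of T1547.001 re-persistence.
$BaselinePath = 'C:\IR\runkeys_baseline.json'   # assumed location
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hashtable keyed by "<key>::<valuename>" with the raw (unexpanded) value data as string
function Get-RunKeySnapshot {
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $raw = $item.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $snap["$key::$name"] = [string]$raw
        }
    }
    return $snap
}

# One object per added, changed or removed autostart value
function Compare-RunKeySnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';   Entry = $k; Data = $Current[$k]; Previous = $null }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            [pscustomobject]@{ Change = 'Changed'; Entry = $k; Data = $Current[$k]; Previous = $Baseline[$k] }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Entry = $k; Data = $null; Previous = $Baseline[$k] }
        }
    }
}

$current = Get-RunKeySnapshot
if (-not (Test-Path -Path $BaselinePath)) {
    # First run after eradication: this snapshot becomes the known-good baseline
    New-Item -ItemType Directory -Path (Split-Path -Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) autostart values)"
} else {
    # ConvertFrom-Json yields a PSCustomObject; rebuild a hashtable for comparison
    $baseline = @{}
    foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
        $baseline[$p.Name] = [string]$p.Value
    }
    $changes = @(Compare-RunKeySnapshot -Baseline $baseline -Current $current)
    if ($changes.Count -eq 0) {
        Write-Output 'No autostart changes since baseline'
    } else {
        # Any addition during the 30-day window is a re-persistence candidate to triage
        $changes | Format-Table -AutoSize
        $changes | Export-Csv -Path "C:\IR\runkey_changes_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
        exit 1   # non-zero exit so the scheduled task or a wrapper can raise an alert
    }
}
```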
Step 5: Post-Incident. This campaign exposed a control gap in software supply chain verification (CWE-494). Implement or audit software allowlisting policies that validate installer hashes prior to execution. Evaluate whether your procurement process enforces integrity verification for third-party utilities, including those with valid code-signing certificates. Review privileged system inventories for non-essential utilities like disk imaging tools and consider restricting installation to approved, internally mirrored repositories.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SA-12 (Supply Chain Protection)
NIST CM-7 (Least Functionality)
NIST IR-4 (Incident Handling)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Establish an internally mirrored software repository (Nexus Repository OSS is free) for approved third-party utilities including disk imaging tools, and enforce downloads exclusively from the mirror. Implement a pre-execution hash verification script: 'certutil -hashfile <installer.exe> SHA256' compared against a manually curated allowlist CSV maintained by the security team. Configure WDAC or AppLocker to block any executable not matching a known-good publisher certificate AND hash — this directly addresses the attack vector here, where a valid Disc Soft certificate was abused, meaning certificate trust alone is insufficient and hash pinning is required. Add a Sigma rule (free, community-supported) for Sysmon that alerts on any new installer execution from '%UserProfile%\Downloads\' or '%Temp%\' matching DAEMON Tools naming patterns. Document the procurement gap in the lessons-learned report and require the IT procurement policy to mandate SHA-256 hash verification against vendor-published values for all new third-party utility installations.
Preserve Evidence
Produce a full timeline of installer distribution and execution across the environment — correlate Software Inventory logs, Windows Installer Event Log (Event ID 1040/1042 in Application log), and deployment system records (SCCM/Intune if available, or manual PSRemoting query results) to establish scope of exposure for the lessons-learned report. Document the code-signing certificate serial number from the trojanized DTHelper.exe ('sigcheck.exe -i DTHelper.exe') to inform future certificate-pinning and allowlisting policies and to share as an IOC with ISACs or CISA if applicable. Archive all forensic artifacts — memory dumps, registry exports, pcap files, Sysmon logs, and hashes — with chain-of-custody documentation per NIST IR-4 (Incident Handling) requirements before case closure.
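The pre-execution verification script from the Step 5 compensating control, as an added example that is not code from the advisory: an installer is approved only when its SHA-256 matches a pinned value in the security team's allowlist CSV and its Authenticode signature is valid and issued to the expected publisher, so a validly signed but unpinned build (the case in this campaign) is rejected. The CSV columns, C:\IR path and DTSetup.exe download path are assumptions.

```powershell
# Added example, not from the advisory: gate installer execution on pinned hash AND publisher.
# Assumed allowlist columns: FileName,SHA256,PublisherSubject
$AllowlistPath = 'C:\IR\approved_installers.csv'

function Test-InstallerApproved {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Allowlist = $AllowlistPath
    )
    $file = Get-Item -Path $Path
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Match on file name first, then require the exact pinned hash
    $rows   = @(Import-Csv -Path $Allowlist | Where-Object { $_.FileName -ieq $file.Name })
    $hashOk = [bool]($rows | Where-Object { $_.SHA256 -ieq $hash })
    $expectedSubject = if ($rows.Count -gt 0) { $rows[0].PublisherSubject } else { $null }

    # Signature must chain to a trusted root AND name the expected publisher;
    # a valid signature on a non-pinned hash is still rejected (certificate trust alone failed here)
    $sigOk = ($sig.Status -eq 'Valid') -and
             ($null -ne $expectedSubject) -and
             ($sig.SignerCertificate.Subject -like "*$expectedSubject*")

    $reasons = @()
    if ($rows.Count -eq 0)       { $reasons += 'file name not in allowlist' }
    elseif (-not $hashOk)        { $reasons += "SHA-256 $hash is not pinned for $($file.Name)" }
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    elseif (-not $sigOk)         { $reasons += "signer '$($sig.SignerCertificate.Subject)' does not match expected '$expectedSubject'" }

    [pscustomobject]@{
        File     = $file.FullName
        SHA256   = $hash
        Signer   = $sig.SignerCertificate.Subject
        Approved = ($hashOk -and $sigOk)
        Reasons  = ($reasons -join '; ')
    }
}

# Gate: launch only when approved (installer path is an assumed example)
$result = Test-InstallerApproved -Path "$env:USERPROFILE\Downloads\DTSetup.exe"
$result | Format-List
if ($result.Approved) { Start-Process -FilePath $result.File -Wait }
else { Write-Warning "Blocked: $($result.Reasons)" }
```

The allowlist hash must come from the vendor's published value for a confirmed-clean release, not from hashing whatever was downloaded.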
Recovery Guidance
Systems with confirmed second-stage payload delivery must be fully reimaged from known-good media — forensic validation alone is insufficient given the multi-stage backdoor architecture, which may establish persistence mechanisms beyond the initial Run key entries. Post-reimage, re-enroll systems into endpoint monitoring and validate Sysmon telemetry is flowing before reconnecting to production segments. Maintain active monitoring for C2 re-establishment and T1547.001 registry persistence re-creation for a minimum of 30 days, as this campaign's selective deployment pattern suggests threat actors may retain knowledge of high-value targets and attempt re-infection through alternative vectors.
Key Forensic Artifacts
Trojanized installer binary on disk — typically retained in '%UserProfile%\Downloads\' or software deployment cache — SHA-256 hash must be collected and compared against Kaspersky-published IOC hashes for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe from versions 12.5.0.2421–12.5.0.2434; the valid Disc Soft code-signing certificate on a malicious binary is itself a high-fidelity artifact of this specific supply-chain attack
Windows Prefetch files at '%SystemRoot%\Prefetch\' for DTHELPER.EXE, DISCSOFTBUSSERVICELITE.EXE, and DTSHELLHLP.EXE — prefetch timestamps establish first and last execution dates critical to scoping the infection window relative to the April 8, 2026 campaign start date
Sysmon Event ID 13 (Registry Value Set) and Windows Security Event ID 4657 (Registry Value Modified) entries in 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' and 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' created or modified between April 8, 2026 and discovery — these represent the T1547.001 persistence artifacts left by the backdoor's second stage
Network traffic pcap or Sysmon Event ID 3 (Network Connection) records showing outbound connections from DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe process trees — destination IPs, domains, ports, and protocols are the primary C2 infrastructure artifacts for this campaign (T1095/T1071) and required for IOC sharing and firewall blocking
Second-stage payload files dropped to '%AppData%\' (the user's AppData\Roaming folder), '%ProgramData%\', or '%Temp%\' by the backdoor after installer execution — collect full file metadata (path, SHA-256, creation timestamp, owner) and any associated scheduled task XML files under '%SystemRoot%\System32\Tasks\' created after April 8, 2026, which represent the multi-stage persistence and execution infrastructure beyond the initial Run key
Detection Guidance
Primary hunt targets: process trees spawned by DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in DAEMON Tools version directories installed between April 8, 2026 and present.
Look for child process creation (T1059), injection into other processes (T1055), and outbound network connections (T1071, T1095) originating from these binaries.
Check for registry modifications under HKCU and HKLM run keys (T1547.001) timestamped to the installation window.
Query the file system for dropped executables in temp or appdata paths created shortly after DAEMON Tools installer execution. Review DNS and proxy logs for anomalous domains contacted by DAEMON Tools process trees. Kaspersky's Securelist published technical indicators for this campaign; consult https://securelist.com/tr/daemon-tools-backdoor/119654/ for current IOC sets including file hashes and C2 infrastructure (search-retrieved URL; validate before use). SIEM rule tuning should prioritize detection of masquerading (T1036) and obfuscated payload execution (T1027, T1140) in the context of trusted installer processes.
Indicators of Compromise (3): 1 hash, 1 domain, 1 URL
Type | Value | Enrichment | Context | Confidence
HASH | [See Securelist publication for confirmed file hashes — not reproduced here to avoid transcription error] | VT, MB | Malicious DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe from affected installer versions 12.5.0.2421–12.5.0.2434 | HIGH
DOMAIN | [See Securelist publication for confirmed C2 domains] | VT, US | Command-and-control infrastructure used by the backdoor for non-application and application layer C2 (T1095, T1071) | HIGH
URL | https://securelist.com/tr/daemon-tools-backdoor/119654/ | VT, US | Kaspersky Securelist primary technical analysis; source for confirmed IOCs including hashes and C2 indicators. Search-retrieved URL; validate before use. | MEDIUM
Platform Playbooks
Playbooks are provided for Microsoft Sentinel / Defender, CrowdStrike Falcon, and AWS Security.
Microsoft 365 E3: 3 log sources. Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5: 18 log sources. Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel: 27 log sources. All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
1 URL indicator. Note that the only URL indicator available is the Securelist analysis page itself (confidence MEDIUM above), so hits on this query reflect analysts reading the report rather than compromise; substitute the confirmed C2 indicators from that publication before using the query for detection.
KQL Query Preview
Read-only — detection query only
// Threat: Signed DAEMON Tools Installers Weaponized in Ongoing Supply-Chain Campaign Targe
let malicious_urls = dynamic(["https://securelist.com/tr/daemon-tools-backdoor/119654/"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (7)
Sentinel rule: Process injection / hollowing
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("CreateRemoteThreadApiCall", "QueueUserApcRemoteApiCall", "WriteToLsassProcessMemory", "NtAllocateVirtualMemoryApiCall", "NtMapViewOfSectionRemoteApiCall")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ActionType
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days. The domain value below is a placeholder and must be replaced with the confirmed C2 domains from the Securelist publication before import.
[
{
"type": "domain",
"value": "[See Securelist publication for confirmed C2 domains]",
"source": "SCC Threat Intel",
"description": "Command-and-control infrastructure used by the backdoor for non-application and application layer C2 (T1095, T1071)",
"severity": "high",
"action": "detect",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-04T00:00:00Z"
}
]
Route 53 DNS — Malicious Domain Resolution
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["[See Securelist publication for confirmed C2 domains]"]
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1055, T1027, T1547.001, T1082, T1016, T1095, +8 (full mapping below)
NIST SP 800-53: AC-6, SC-7, SI-3, SI-4, CM-7, SA-9, +4
MITRE ATT&CK Mapping
T1055 Process Injection (defense-evasion)
T1027 Obfuscated Files or Information (defense-evasion)
T1547.001 Registry Run Keys / Startup Folder (persistence)
T1082 System Information Discovery (discovery)
T1016 System Network Configuration Discovery (discovery)
T1095 Non-Application Layer Protocol (command-and-control)
T1140 Deobfuscate/Decode Files or Information (defense-evasion)
T1195.002 Compromise Software Supply Chain (initial-access)
T1105 Ingress Tool Transfer (command-and-control)
T1036 Masquerading (defense-evasion)
T1071 Application Layer Protocol (command-and-control)
T1057 Process Discovery (discovery)
T1059 Command and Scripting Interpreter (execution)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.