Daemon Tools Lite Embedded Malicious Code (CVE-2026-8398)
CVE-2026-8398 is a software supply chain compromise affecting Daemon Tools Lite: threat actors embedded malicious code (CWE-506, Embedded Malicious Code) in the software distribution itself, so the attacker's code runs with the trust and privileges of a legitimately installed product. Installing the trojanized version may give the attacker backdoor access to the host, enable credential theft, and provide a foothold for lateral movement into the rest of the environment. The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Vulnerability Intelligence
- KEV status: listed in CISA's Known Exploited Vulnerabilities catalog
Affected Software
- Vendor: Daemon
- Product: Daemon Tools Lite
Weakness (CWE)
- CWE-506: Embedded Malicious Code
Timeline
- Disclosed: May 27, 2026
What is CVE-2026-8398 (Daemon Tools Lite Embedded Malicious Code)?
In MITRE ATT&CK terms, CVE-2026-8398 maps to the Initial Access, Execution, Persistence, and Command and Control tactics: the adversary gets into the network through a trusted software install, runs the embedded code, keeps it running across reboots, and calls back to attacker-controlled infrastructure.
This page provides detection logic for CVE-2026-8398 built on the telemetry the compromise touches, Microsoft Defender for Endpoint and Microsoft Sentinel (the DeviceProcessEvents and DeviceNetworkEvents tables). The query is rated critical severity at medium confidence, and equivalents ship for 7 SIEM platforms: KQL, SPL, Elastic, QRadar, Sumo, YARA-L, and LogScale.
Detection Logic (KQL)
The query below flags suspicious process activity and network connections originating from Daemon Tools Lite binaries, which may indicate execution of the embedded malicious code introduced by the CVE-2026-8398 supply chain compromise. It has three legs: every execution of a Daemon Tools binary (context, including the path it runs from), unexpected child processes spawned by those binaries, and non-loopback network connections they initiate. The network leg maps the initiating-process columns onto FileName, FolderPath and AccountName so those rows keep their attribution in the final summarize instead of collapsing into empty group keys.

```kql
// Binaries shipped with Daemon Tools Lite
let dtBinaries = dynamic(["daemon.exe", "DTLite.exe", "DTAgent.exe", "DTShellHlp.exe"]);
// Leg 1: every execution of a Daemon Tools binary (baseline context, shows the install path)
let daemonToolsProcesses = DeviceProcessEvents
| where FileName in~ (dtBinaries)
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName, InitiatingProcessFileName
| extend EventType = "DaemonToolsExecution";
// Leg 2: a Daemon Tools binary spawning anything other than itself or conhost.exe
let suspiciousChildren = DeviceProcessEvents
| where InitiatingProcessFileName in~ (dtBinaries)
| where FileName !in~ (dtBinaries) and FileName !~ "conhost.exe"
| project DeviceId, DeviceName, Timestamp, ProcessId, FileName, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend EventType = "SuspiciousChild";
// Leg 3: non-loopback network activity from a Daemon Tools binary,
// attributed to the initiating process so it survives the summarize below
let networkFromDaemon = DeviceNetworkEvents
| where InitiatingProcessFileName in~ (dtBinaries)
| where RemoteIPType != "Loopback"
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort, RemoteUrl,
          FileName = InitiatingProcessFileName, FolderPath = InitiatingProcessFolderPath,
          AccountName = InitiatingProcessAccountName, InitiatingProcessCommandLine
| extend EventType = "NetworkFromDaemon";
daemonToolsProcesses
| union suspiciousChildren, networkFromDaemon
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceId, DeviceName, EventType, FileName, FolderPath, AccountName
| sort by EventCount desc
```
Data Sources
- Microsoft Defender for Endpoint
- Microsoft Sentinel
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
False Positives
- Legitimate Daemon Tools Lite usage performing disk image mounting with expected child processes
- Antivirus or EDR products inspecting Daemon Tools processes and spawning scan-related children
- Software update mechanisms launched by Daemon Tools that contact legitimate update servers
- Virtual drive operations that trigger short-lived helper processes
Before promoting this query to an alert, baseline the parent/child pairs and update destinations that are normal in your estate and allowlist them. Note that the first leg of the query returns every execution of a Daemon Tools binary; it is there for context (in particular, the folder the binary runs from) and is not an indicator on its own.
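To exercise the query's logic and the allowlist tuning described under False Positives without a SIEM, here is an added Python re-implementation (example code written for this page, not part of the original detection package) that runs the same three legs over a handful of constructed Defender-style records. The host names, accounts, the hypothetical helper DTUpdater.exe and the update host update.daemon-tools.invalid are assumptions for illustration; the two allowlist parameters are the knobs a tuner would populate from a real baseline.

```python
"""Added example for this page (not the original detection package): the KQL
detection re-implemented over constructed Defender-style records, with the
allowlist tuning the False Positives section calls for.

Assumptions: host names, accounts, the hypothetical helper DTUpdater.exe and
the update host update.daemon-tools.invalid are illustrative only."""
from collections import Counter

# Binaries shipped with Daemon Tools Lite, as named in the KQL query.
DAEMON_TOOLS_BINARIES = {"daemon.exe", "dtlite.exe", "dtagent.exe", "dtshellhlp.exe"}
# Children the query already treats as benign.
BENIGN_CHILDREN = {"conhost.exe"}
INSTALL_DIR = r"C:\Program Files\DAEMON Tools Lite"


def _finding(kind, ev, file_name, folder_path):
    """Normalise a process or network event into one row of the result set."""
    return {
        "Type": kind,
        "DeviceName": ev["DeviceName"],
        "FileName": file_name,
        "FolderPath": folder_path,
        "AccountName": ev.get("AccountName") or ev.get("InitiatingProcessAccountName"),
        "Timestamp": ev["Timestamp"],
        "Detail": ev.get("ProcessCommandLine") or f"{ev.get('RemoteIP')}:{ev.get('RemotePort')}",
    }


def detect(process_events, network_events, allowed_children=(), trusted_hosts=()):
    """The three legs of the KQL query.

    allowed_children: expected helper processes a Daemon Tools binary may spawn.
    trusted_hosts: legitimate update hosts (RemoteUrl) whose traffic is suppressed.
    Both are assumed tuning inputs; populate them from your own baseline.
    """
    allowed = {c.lower() for c in allowed_children}
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for ev in process_events:
        child = ev["FileName"].lower()
        parent = (ev.get("InitiatingProcessFileName") or "").lower()
        # Leg 1: every execution of a Daemon Tools binary (context; shows the install path).
        if child in DAEMON_TOOLS_BINARIES:
            findings.append(_finding("DaemonToolsExecution", ev, ev["FileName"], ev["FolderPath"]))
        # Leg 2: a Daemon Tools binary spawning something other than itself or conhost.exe.
        if (parent in DAEMON_TOOLS_BINARIES and child not in DAEMON_TOOLS_BINARIES
                and child not in BENIGN_CHILDREN and child not in allowed):
            findings.append(_finding("SuspiciousChild", ev, ev["FileName"], ev["FolderPath"]))
    for ev in network_events:
        # Leg 3: non-loopback connections from a Daemon Tools binary, attributed to
        # the initiating process so the summary keeps binary, path and account.
        if (ev.get("InitiatingProcessFileName") or "").lower() not in DAEMON_TOOLS_BINARIES:
            continue
        if ev.get("RemoteIPType") == "Loopback":
            continue
        if (ev.get("RemoteUrl") or "").lower() in trusted:
            continue
        findings.append(_finding("NetworkFromDaemon", ev,
                                 ev["InitiatingProcessFileName"], ev["InitiatingProcessFolderPath"]))
    return findings


def summarize(findings):
    """Equivalent of the KQL summarize: event count per device, leg, binary and path."""
    return Counter((f["DeviceName"], f["Type"], f["FileName"], f["FolderPath"]) for f in findings)


# Constructed sample telemetry modelled on the Defender schema (not real data).
SYS32 = r"C:\Windows\System32"
PROCESS_EVENTS = [
    {"Timestamp": "2026-06-01T09:00:00Z", "DeviceName": "WS01", "AccountName": "alice", "FileName": "DTLite.exe",
     "FolderPath": INSTALL_DIR, "ProcessCommandLine": "DTLite.exe -mount 0", "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-01T09:00:01Z", "DeviceName": "WS01", "AccountName": "alice", "FileName": "conhost.exe",
     "FolderPath": SYS32, "ProcessCommandLine": "conhost.exe 0x4", "InitiatingProcessFileName": "DTLite.exe"},
    {"Timestamp": "2026-06-01T10:15:00Z", "DeviceName": "WS02", "AccountName": "bob", "FileName": "DTLite.exe",
     "FolderPath": r"C:\Temp", "ProcessCommandLine": "DTLite.exe", "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2026-06-01T10:15:02Z", "DeviceName": "WS02", "AccountName": "bob", "FileName": "cmd.exe",
     "FolderPath": SYS32, "ProcessCommandLine": "cmd.exe /c whoami", "InitiatingProcessFileName": "DTLite.exe"},
    # Hypothetical updater helper, used to show the child allowlist.
    {"Timestamp": "2026-06-01T11:00:00Z", "DeviceName": "WS03", "AccountName": "carol", "FileName": "DTUpdater.exe",
     "FolderPath": INSTALL_DIR, "ProcessCommandLine": "DTUpdater.exe /check", "InitiatingProcessFileName": "DTLite.exe"},
]
NETWORK_EVENTS = [
    {"Timestamp": "2026-06-01T09:00:05Z", "DeviceName": "WS01", "InitiatingProcessAccountName": "alice",
     "InitiatingProcessFileName": "DTAgent.exe", "InitiatingProcessFolderPath": INSTALL_DIR,
     "RemoteIP": "127.0.0.1", "RemotePort": 49152, "RemoteIPType": "Loopback", "RemoteUrl": ""},
    {"Timestamp": "2026-06-01T10:15:30Z", "DeviceName": "WS02", "InitiatingProcessAccountName": "bob",
     "InitiatingProcessFileName": "DTAgent.exe", "InitiatingProcessFolderPath": r"C:\Temp",
     "RemoteIP": "203.0.113.10", "RemotePort": 443, "RemoteIPType": "Public", "RemoteUrl": ""},
    # Hypothetical vendor update host, used to show the trusted-host allowlist.
    {"Timestamp": "2026-06-01T11:00:03Z", "DeviceName": "WS03", "InitiatingProcessAccountName": "carol",
     "InitiatingProcessFileName": "DTLite.exe", "InitiatingProcessFolderPath": INSTALL_DIR,
     "RemoteIP": "198.51.100.7", "RemotePort": 443, "RemoteIPType": "Public", "RemoteUrl": "update.daemon-tools.invalid"},
]


def untuned():
    return summarize(detect(PROCESS_EVENTS, NETWORK_EVENTS))


def tuned():
    return summarize(detect(PROCESS_EVENTS, NETWORK_EVENTS,
                            allowed_children={"DTUpdater.exe"},
                            trusted_hosts={"update.daemon-tools.invalid"}))


if __name__ == "__main__":
    for (device, kind, binary, path), n in sorted(tuned().items()):
        print(f"{n:>3} {device:<5} {kind:<21} {binary:<14} {path}")
```

Untuned, the sample yields six rows, including the updater child and the update-host connection on WS03; with the two allowlists applied those drop out and what remains is the WS02 activity: DTLite.exe running from C:\Temp, cmd.exe spawned under it, and DTAgent.exe reaching a public address. That is the shape an analyst should expect from a trojanized install, and the FolderPath column is what distinguishes it from the WS01 baseline.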
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-8398 above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CQL (CrowdStrike LogScale) queries. In Sigma terms, the two process legs of this detection target the following logsource:

```yaml
logsource:
  category: process_creation
  product: windows
```

The outbound-connection leg (DeviceNetworkEvents, Sysmon Event ID 3) corresponds to the network_connection category for the same product, so a full Sigma port needs two rules rather than one.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Trojanized Software Child Process Spawning
  Expected signal: Sysmon Event ID 1 showing C:\Temp\DTLite.exe spawning cmd.exe as a child process; DeviceProcessEvents in Defender showing the parent-child relationship
- Test 2: Simulate Malicious Code Outbound Network Beacon from Daemon Tools Binary
  Expected signal: Sysmon Event ID 3 network connection event showing DTAgent.exe (from C:\Temp) making an outbound HTTP connection to an external IP; DeviceNetworkEvents showing the connection
- Test 3: Simulate Embedded Malicious Code Persistence via Registry Run Key
  Expected signal: Sysmon Event ID 13 registry value set event for the HKCU Run key; Windows Security Event ID 4657 if object access auditing is enabled
- Test 4: Verify Daemon Tools Lite Binary Hash Against Known-Good Baseline
  Expected signal: File read events for each Daemon Tools binary accessed; output file containing SHA-256 hashes for comparison against the vendor advisory
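Test 4 is the one check that needs no adversary simulation, only a trustworthy baseline. The following added Python script (written for this page; not the vendor's tooling or part of the original detection package) hashes every binary under an install directory and classifies each file against a known-good manifest as ok, modified, unexpected, or missing. The directory contents and baseline digests in demo() are constructed for the demonstration; in real use the baseline must come from the vendor advisory or from a copy verified as predating the compromise, and the function hash_tree() would be pointed at the actual Daemon Tools Lite install path.

```python
"""Added example for this page (not the vendor's or the original package's code):
a baseline check for Test 4, hashing the binaries in an install directory and
comparing them with a known-good manifest. The directory contents and the
baseline digests below are constructed for the demo; in practice the baseline
must come from the vendor advisory or a copy verified before the compromise."""
import hashlib
import tempfile
from pathlib import Path

BINARY_PATTERNS = ("*.exe", "*.dll", "*.sys")


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root, patterns=BINARY_PATTERNS):
    """Map each binary under root (relative, forward-slash path) to its SHA-256."""
    root = Path(root)
    observed = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            if path.is_file():
                observed[path.relative_to(root).as_posix()] = sha256_file(path)
    return observed


def compare(observed, baseline):
    """Classify files as ok, modified, unexpected (not in baseline) or missing.

    Unexpected and modified files are the supply-chain signal; missing files
    matter too, because a trojanized build may drop or rename components.
    """
    report = {"ok": [], "modified": [], "unexpected": [], "missing": []}
    for rel, digest in observed.items():
        if rel not in baseline:
            report["unexpected"].append(rel)
        elif digest.lower() != baseline[rel].lower():
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in observed]
    for bucket in report.values():
        bucket.sort()
    return report


def demo():
    """Constructed install tree: one intact binary, one tampered binary, one
    dropped-in DLL, and one binary the baseline expects that is absent."""
    baseline = {  # constructed digests standing in for a vendor-published manifest
        "DTLite.exe": hashlib.sha256(b"MZ good DTLite").hexdigest(),
        "DTAgent.exe": hashlib.sha256(b"MZ good DTAgent").hexdigest(),
        "DTShellHlp.exe": hashlib.sha256(b"MZ good DTShellHlp").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "DTLite.exe").write_bytes(b"MZ good DTLite")         # unchanged
        (root / "DTAgent.exe").write_bytes(b"MZ tampered DTAgent")   # modified
        (root / "dtshlp_patch.dll").write_bytes(b"MZ unexpected")    # not in baseline
        # DTShellHlp.exe deliberately absent -> reported as missing
        return compare(hash_tree(root), baseline)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:<10} {', '.join(files) or '-'}")
```

A hash mismatch is not proof of compromise on its own; a legitimate minor version difference will also show as modified, so resolve each finding against the exact version the baseline was taken from before escalating. Files in the unexpected bucket, particularly DLLs alongside the product binaries, are the ones to pull for analysis first.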