Backdoor Found in Daemon Tools Installers in Ongoing Supply Chain Attack

George Walker - Security Expert
Last updated: May 6, 2026
Radar Rundown
  • Hackers injected a backdoor into official Daemon Tools installers starting April 8, affecting versions 12.5.0.2421 through 12.5.0.2434; the attack was still active at the time of disclosure.

  • The malware infected thousands of computers across 100+ countries, collecting system information from victims, with about 10 percent of affected systems belonging to businesses and organizations.

  • Only about a dozen high-value targets received the second-stage backdoor; these include government, scientific, and manufacturing organizations in Russia, Belarus, and Thailand.

Kaspersky security researchers have found a malicious backdoor embedded within the Windows installer for Daemon Tools, a widely used disc imaging application. The supply chain attack started on April 8 and continues to be active as of the time of this report.

According to Kaspersky, Chinese-speaking hackers executed the attack. The compromised installers came directly from the legitimate Daemon Tools website; they carry valid digital signatures from the software’s developer, AVB Disc Soft. This allowed the malware to bypass traditional security checks that trust signed software from official sources.

The malicious injection affects versions of Daemon Tools from 12.5.0.2421 up to 12.5.0.2434, which means that anyone who downloaded or updated the software during this period may have infected their systems.

Attack operates in two carefully planned stages

The attackers used three files as the main components of the malware: DiscSoftBusServiceLite.exe, DTHelper.exe, and DTShellHlp.exe. These compromised binaries are configured to run at Windows startup, so the malware is activated every time the computer boots.

Once activated, the malware sends an HTTP request to a fake domain that the attackers registered on March 27. When the command server receives the request, it responds with a shell command that the infected computer executes via the Windows Command Prompt; this command downloads and runs additional malware files.

After these commands complete, information about the infected computer’s environment is collected: its hostname, MAC address, all running processes, all installed software, and the language settings in use. All of this information is then sent back to the attackers.

Kaspersky observed thousands of infection attempts across more than 100 countries. The majority of victims live in Russia, Turkey, Brazil, Spain, Germany, Italy, France, and China. About 10 percent of affected systems belong to businesses and organizations rather than home users.

Hackers selectively target high-value victims

The attackers did not deploy their most dangerous malware to every infected machine. Instead, they used the information collected during the first stage to identify specific targets of interest.

Only about a dozen systems received the second-stage backdoor. These machines belong to government agencies, scientific research organizations, manufacturing companies, and retail businesses located in Russia, Belarus, and Thailand.

At one educational institution in Russia, the attackers deployed an even more sophisticated remote access trojan called QUIC RAT. This malware can communicate over all major protocols (HTTP, UDP, TCP, and QUIC) and injects its code directly into widely used Windows processes such as Conhost.exe and Notepad.exe.

The selective targeting suggests the hackers ran a deliberate, narrowly focused operation. Kaspersky’s Senior Security Research Consultant Georgy Kucherin noted that the compromise went undetected for more than 30 days, which points to a threat actor with advanced and sophisticated capabilities.

Protect your systems by checking for infected software

If you downloaded Daemon Tools or updated an existing installation at any time after April 8, consider your computer or network at risk. Security experts advise removing the application immediately and running a full antivirus scan on your system.

Organizations should review their networks to determine whether any version of Daemon Tools released within the attack window was installed. IT teams should isolate any machines that have the software installed and monitor them for unusual command execution or suspicious network activity.
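As an added example (not from the article, Kaspersky, or AVB Disc Soft), a PowerShell inventory check an IT team could run on a Windows host using only the details the report gives: the affected version range, the three file names, and the fact that the trojanised binaries carry valid signatures. The Uninstall-key lookup, the "DAEMON Tools" DisplayName match, and the search roots are assumptions.

```powershell
# Added inventory check (not from the article, Kaspersky, or AVB Disc Soft).
# Known from the report: affected versions 12.5.0.2421-12.5.0.2434, three binaries, valid signatures.
# Assumed: the product registers under the standard Uninstall keys with "DAEMON Tools" in DisplayName.
$AffectedMin  = [version]'12.5.0.2421'
$AffectedMax  = [version]'12.5.0.2434'
$SuspectFiles = 'DiscSoftBusServiceLite.exe', 'DTHelper.exe', 'DTShellHlp.exe'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }

# 1. Is an installed version inside the affected range?
foreach ($App in $Installs) {
    $Ver = $null
    $InRange = [version]::TryParse([string]$App.DisplayVersion, [ref]$Ver) -and
               ($Ver -ge $AffectedMin) -and ($Ver -le $AffectedMax)
    [pscustomobject]@{ Product = $App.DisplayName; Version = $App.DisplayVersion
                       InAffectedRange = $InRange; InstallLocation = $App.InstallLocation }
}

# 2. Locate the three binaries and record hash, signer and timestamp for triage.
#    A valid AVB Disc Soft signature does not clear a file: the trojanised builds were signed too.
$SearchRoots = @($Installs.InstallLocation) + @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique
Get-ChildItem -Path $SearchRoots -Recurse -Include $SuspectFiles -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Signer        = $Sig.SignerCertificate.Subject
            SigStatus     = $Sig.Status
        }
    }

# 3. The report says the binaries run at startup: list services and Run-key entries that reference them.
$Pattern = ($SuspectFiles | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match $Pattern } |
    Select-Object Name, State, StartMode, PathName
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    (Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue).PSObject.Properties |
        Where-Object { $_.Value -match $Pattern } | Select-Object @{n='Key';e={$Key}}, Name, Value
}
```

Run it from an elevated prompt on each host; a hit in step 1 or a binary whose LastWriteTime falls after April 8 is a reason to isolate the machine before investigating further.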

This attack follows similar supply chain compromises targeting other widely used tools. Earlier in 2026, hackers breached Notepad++, eScan antivirus, and CPU-Z using comparable methods. The trend shows that even trusted software from official sources can pose serious security risks.

Supply chain attacks aren’t the only way hackers leverage legitimate access. In a separate but equally alarming incident, a ransomware gang allegedly stole Comcast’s internal network plans and listed them for sale on the dark web. Read the full story: ransomware gang allegedly steals Comcast network plans, lists on dark web.
