Daemon Tools Software Compromised in Supply Chain Attack Distributing Backdoors Since April

Cybersecurity researchers at Kaspersky have uncovered a sophisticated supply chain attack that compromised the official website for Daemon Tools, a popular Windows utility for managing virtual disk drives. From April 8, 2026, the site distributed trojanized installers that deploy backdoors onto user systems, affecting thousands of machines globally before the vendor acknowledged the breach and issued a clean version.

The attackers tampered with several versions of the Daemon Tools software, specifically versions 12.5.0.2421 through 12.5.0.2434. According to reports from Kaspersky, the malicious code was injected into three specific executable files within the installation package: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Crucially, these compromised files were signed with the legitimate digital certificates belonging to AVB Disc Soft, the software's developer, allowing them to bypass many standard security checks and appear trustworthy to both users and their systems.

The malicious code is designed to activate whenever one of these binaries is launched, which typically happens at system startup. This triggers a backdoor that connects to a command-and-control server. SecurityWeek noted that the server was hosted on a typosquatting domain registered on March 27, 2026, weeks before the attack began. Once connected, the server can send shell commands to be executed on the infected machine, allowing attackers to download and run additional, more potent malware payloads.

Kaspersky's telemetry data revealed a widespread initial infection, with compromised installers downloaded in over 100 countries. The highest concentrations of infections were found in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Despite the broad distribution of the initial backdoor, the attackers were highly selective in deploying their second-stage payloads.
According to Help Net Security, these advanced payloads were delivered to only a dozen high-value targets. These victims included government, scientific, manufacturing, and retail organizations located in Russia, Belarus, and Thailand. The attackers used the initial backdoor primarily for reconnaissance, profiling infected machines to identify valuable targets. Once a target was selected, a more advanced payload was deployed. One such payload, identified by researchers as QUIC RAT, is capable of injecting itself into legitimate system processes to evade detection. This particular tool was reportedly used against an educational institution in Russia.

The attack's success hinged on two key factors. First, by compromising the official software supply chain, the attackers leveraged the implicit trust users place in downloads from a legitimate vendor website. Second, the use of valid digital signatures made the malicious files appear authentic. Georgy Kucherin, a senior security researcher at Kaspersky, noted that this approach bypassed traditional perimeter defenses and allowed the attack to go unnoticed for nearly a month. Furthermore, Daemon Tools requires elevated administrative privileges to function, which users routinely grant during installation. This gave the embedded malware deep access to the host operating system.

After Kaspersky published its findings in early May, the developer, AVB Disc Soft, acknowledged the compromise. The company has since released a new, clean version of the software (v12.6.0.2445) and launched an internal investigation into the breach. While no specific threat group has been officially blamed for the attack, Kaspersky researchers noted that Chinese-language strings found within the initial payload suggest the involvement of a Chinese-speaking threat actor. This incident is the latest in a series of software supply chain attacks observed in 2026.
BleepingComputer reported similar compromises affecting popular tools like eScan in January, Notepad++ in February, and CPU-Z in April, highlighting a growing trend of attackers targeting software developers to reach their end-users.

This incident is a stark reminder that supply chain vulnerabilities are a significant threat not just to large enterprises, but to small and mid-sized businesses as well. Many business owners assume their operations are too small to be targeted, but they often rely on a wide array of third-party software for daily tasks, from utilities like Daemon Tools to critical business applications. Each piece of software represents a potential entry point for attackers. The trust placed in a digitally signed installer from an official vendor is precisely the weakness these sophisticated actors exploit. A single compromised tool can provide a persistent backdoor into a company's network, leading to data theft, operational sabotage, and severe financial repercussions.

In our experience, many SMBs lack the internal resources to vet every piece of software or continuously monitor for such threats. This is where proactive financial risk management becomes critical. C&S Finance Group LLC helps clients build frameworks to identify, assess, and mitigate these exact types of operational risks before they escalate into financial crises. To learn more about protecting your business, contact C&S Finance Group LLC at csfinancegroup.com.

Following the discovery, security experts are advising all organizations that installed or updated Daemon Tools on or after April 8 to immediately isolate the affected machines and conduct thorough security sweeps for any signs of compromise. The full scope of the attackers' activities on the dozen highly targeted networks remains under investigation. Researchers will continue to analyze the malware's infrastructure to better understand the threat actor's capabilities and ultimate objectives.
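One way to start the sweep recommended above on a Windows host, as an added example that is not Kaspersky's, SecurityWeek's or AVB Disc Soft's own tooling: it locates the three named binaries, compares their file versions against the affected range and the clean release, and records the Authenticode status without treating it as proof of safety. The version range, file names, clean build and April 8 date come from the article; the install directory names are assumptions to adjust for your estate.

```powershell
# Added triage example. Install roots below are assumed defaults, not from the report.
$AffectedMin  = [version]'12.5.0.2421'   # first trojanized build named in the report
$AffectedMax  = [version]'12.5.0.2434'   # last trojanized build named in the report
$CleanBuild   = [version]'12.6.0.2445'   # vendor's clean release
$BreachStart  = [datetime]'2026-04-08'   # date the tampered installers went live
$SuspectFiles = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# Candidate install roots (hypothetical folder names; editions and paths vary).
$Roots = foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $pf) { continue }
    foreach ($edition in 'DAEMON Tools Lite', 'DAEMON Tools Ultra', 'DAEMON Tools Pro') {
        $candidate = Join-Path $pf $edition
        if (Test-Path $candidate) { $candidate }
    }
}

function Get-DaemonToolsTriage {
    param([string[]]$InstallRoots, [string[]]$Files)
    foreach ($root in $InstallRoots) {
        foreach ($name in $Files) {
            $path = Join-Path $root $name
            if (-not (Test-Path $path)) { continue }
            $item = Get-Item $path
            $vi   = $item.VersionInfo
            # Build the version from numeric parts; FileVersion strings can carry extra text.
            $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $inRange = ($ver -ge $AffectedMin) -and ($ver -le $AffectedMax)
            $verdict = if ($inRange) { 'AFFECTED BUILD: isolate host and sweep' }
                       elseif ($ver -ge $CleanBuild) { 'clean build or newer' }
                       elseif ($item.LastWriteTime -ge $BreachStart) { 'unlisted build written after 2026-04-08: review' }
                       else { 'outside affected range' }
            [pscustomobject]@{
                Path            = $path
                FileVersion     = $ver.ToString()
                InAffectedRange = $inRange
                # 'Valid' does NOT clear the file: the trojanized binaries carried the vendor's
                # legitimate signature, so signature status alone cannot detect this case.
                SignatureStatus = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                LastWriteTime   = $item.LastWriteTime   # filesystem timestamp, a triage hint only
                Verdict         = $verdict
            }
        }
    }
}

Get-DaemonToolsTriage -InstallRoots $Roots -Files $SuspectFiles | Format-Table -AutoSize
```

Any host reporting an affected build should be treated as compromised regardless of signature status, since the backdoor ran with the administrative privileges the installer was granted; version checks narrow the scope but do not replace the full sweep the article calls for.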