A popular Windows utility has become the delivery vehicle for a serious and still-active backdoor campaign. Since April 8, 2026, users who downloaded DAEMON Tools from the software’s official website received trojanized installers designed to silently compromise their machines. The DAEMON Tools supply chain attack has already reached thousands of systems across more than 100 countries, and security researchers say it is still ongoing.
What Is DAEMON Tools and Why Does This Matter?
DAEMON Tools is a long-running Windows application that lets users mount disk image files as virtual drives. It is widely used by everyday Windows users, IT professionals, and organizations alike. Its developer, AVB Disc Soft, has been notified of the breach.
Because the software is downloaded directly from the official site and carries valid digital signatures from the developer, most users and security tools would have no reason to question it. That trust is exactly what made this attack effective. Digitally signed software from a verified vendor bypasses the kind of instinctive caution people apply to downloads from unknown sources. Attackers exploited that trust to deliver malware to thousands of machines before the campaign was even detected.
How the Attack Works
Researchers at Kaspersky’s Global Research and Analysis Team (GReAT) identified the compromise. Three core binaries inside affected versions of the software were tampered with: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three are located in the main DAEMON Tools installation directory and run automatically every time the system starts.
When any of these files launches at startup, the embedded malicious code activates and sends a request to an external command-and-control server. That server’s address was registered just days before the attack began. It is designed to closely mimic the legitimate daemon-tools.cc domain used for official software downloads.
The attack unfolds in stages. First, a lightweight information-gathering tool runs on the infected machine and sends back a snapshot of the system: hostname, MAC address, active processes, installed software, and language settings. Attackers use that data to profile each victim and decide how to proceed.
Two-Stage Targeting
Most infected systems receive only the first stage. But on a small subset of machines, roughly a dozen in total, attackers manually deployed a more advanced backdoor. That backdoor can execute remote commands, download additional files, and run malicious code directly in system memory, leaving little trace on disk.
The targets that received this second stage are not random. They belong to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. The narrow profile of these victims, combined with the deliberate manual deployment, points to a targeted operation running quietly beneath the surface of a much broader campaign.
In at least one case, involving an educational institution in Russia, attackers went further still and deployed a sophisticated remote access trojan called QUIC RAT. It supports a wide range of communication protocols, including HTTP, UDP, TCP, QUIC, DNS, and HTTP/3. It can also inject malicious code into legitimate Windows processes, such as notepad.exe and conhost.exe, making detection considerably harder.
The Broader Picture
The DAEMON Tools supply chain attack is the fourth such incident Kaspersky has investigated in 2026 alone, following similar compromises involving eScan, Notepad++, and CPU-Z. Supply chain attacks are growing in frequency because they offer high return on relatively contained effort. Compromising one trusted source means reaching every user who relies on it.
Chinese-language artifacts were found inside the malicious implants. However, researchers have not attributed the campaign to any known threat actor, and the ultimate intent, whether espionage or financial gain, remains unclear.
Roughly 10 percent of affected systems belong to businesses and organizations. The rest are individual users who downloaded what looked like a routine software installer and had no reason to suspect otherwise.
What You Should Do
If you have DAEMON Tools installed on any Windows machine, the affected versions are 12.5.0.2421 through 12.5.0.2434. Kaspersky recommends auditing those machines for unusual activity going back to April 8. Organizations should isolate any systems running these versions until they can be properly investigated. Individual users should uninstall the application and run a full system scan with a trusted security solution.
The compromised files are located in the DAEMON Tools installation directory, most commonly at C:\Program Files\DAEMON Tools Lite. Because they are digitally signed by the official developer, they will not look suspicious to most antivirus tools unless the security solution is specifically watching for behavioral anomalies at startup.
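The audit the article recommends can be scripted; the following is an added example (not code from the article, from AVB Disc Soft, or from Kaspersky) that inventories the three named binaries in the install directory, flags file versions inside the 12.5.0.2421 to 12.5.0.2434 range, and records signer and SHA-256 so the hashes can be compared against vendor- or IR-published indicators. It assumes the binaries' file version tracks the product version quoted in the article, and $KnownBad is a placeholder list to be filled from a trusted source, since the page publishes no hashes.

```powershell
# Added example (not the article's, the vendor's or Kaspersky's code).
# Path and file names come from the article; $KnownBad is a placeholder.
$InstallDir = 'C:\Program Files\DAEMON Tools Lite'   # adjust if installed elsewhere
$Binaries   = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$RangeStart = [version]'12.5.0.2421'
$RangeEnd   = [version]'12.5.0.2434'
# Placeholder: populate with SHA-256 values from the vendor or your IR provider.
$KnownBad   = @()

function Test-AffectedVersion {
    param([string]$FileVersion)
    # Assumption: the binaries' FileVersion follows the product version range.
    # Version strings may carry a trailing tag; keep only the numeric prefix.
    $v = $null
    if ($FileVersion -and [version]::TryParse(($FileVersion -split '\s')[0], [ref]$v)) {
        return ($v -ge $RangeStart -and $v -le $RangeEnd)
    }
    return $null   # unparseable version: report as unknown, never as clean
}

$Report = foreach ($name in $Binaries) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) {
        [pscustomobject]@{ File = $name; Present = $false; Version = $null
                           InAffectedRange = $null; Signer = $null; SHA256 = $null; KnownBad = $null }
        continue
    }
    $item = Get-Item $path
    $sig  = Get-AuthenticodeSignature $path
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    [pscustomobject]@{
        File            = $name
        Present         = $true
        Version         = $item.VersionInfo.FileVersion
        InAffectedRange = Test-AffectedVersion $item.VersionInfo.FileVersion
        # Recorded for the audit trail only: the article notes the trojanized files
        # carry the developer's valid signature, so 'Valid' is not a clean bill.
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
        SHA256          = $hash
        KnownBad        = if ($KnownBad.Count) { $KnownBad -contains $hash } else { $null }
    }
}

$Report | Format-Table -AutoSize
if ($Report.InAffectedRange -contains $true -or $Report.KnownBad -contains $true) {
    Write-Warning 'Affected DAEMON Tools build or known-bad hash present: isolate the host and review activity since 2026-04-08.'
}
```

Run it from an elevated session across the fleet (for example via your endpoint management tool) and collect the objects centrally; a host whose binaries are present but whose version is unparseable still warrants manual review.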
Final Thoughts
The DAEMON Tools supply chain attack is a reminder that trust in software provenance is not the same as safety. Downloading from an official website and seeing a valid digital signature does not guarantee a clean file, especially when the vendor’s own distribution pipeline has been compromised. For both organizations and individual users, this incident reinforces why endpoint monitoring, behavioral detection, and rapid response capabilities matter as much as traditional perimeter defenses. Keeping software updated matters, but so does knowing when an update itself is the threat.