What happened
Kaspersky researchers have identified a supply-chain attack that trojanized installers for DAEMON Tools, a Windows virtual drive utility, delivering a backdoor to thousands of systems across more than 100 countries since April 8, 2026. The attack is ongoing at the time of publication and evaded detection for nearly a month. DAEMON Tools has not responded to media inquiries.
The compromised versions span DAEMON Tools 12.5.0.2421 through 12.5.0.2434, with three specific binaries affected: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Users who downloaded the software from the official website received digitally signed trojanized installers that, upon execution, establish persistence and activate a backdoor at system startup.
The attack operates in two stages. The first-stage payload is a basic information stealer that profiles victims by collecting hostname, MAC address, running processes, installed software, and system locale, then transmits the data to the attackers. Based on that profiling, select systems receive a second-stage lightweight backdoor capable of executing commands, downloading files, and running code directly in memory. In at least one case targeting a Russian educational institute, a more advanced strain called QUIC RAT was deployed, supporting multiple communication protocols and process injection into legitimate processes.
While thousands of systems received the first-stage payload, second-stage deployments were limited to approximately a dozen machines, indicating highly selective targeting of high-value victims. Confirmed targets receiving next-stage payloads include retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. Kaspersky assesses the attacker as Chinese-speaking based on strings found in the first-stage payload, but has not attributed the campaign to a specific threat actor.
Who is affected
Any organization or individual that downloaded DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 from the official website since April 8 should treat the installation as potentially compromised. Environments in Russia, Belarus, and Thailand appear to be the focus of second-stage targeting, but the broad first-stage deployment across more than 100 countries means initial profiling occurred across a much wider population.
Why CISOs should care
The DAEMON Tools attack continues a pattern of software supply-chain compromises that has appeared almost every month in 2026, following similar attacks on eScan, Notepad++, and CPU-Z earlier this year, alongside the wave of package-repository compromises affecting Trivy, Checkmarx, and the GlassWorm campaigns. Because the trojanized installers were digitally signed and served from the vendor's own website, the standard advice to download only from official sources, and to verify the signature before installing, offered no protection in this scenario.
The two-stage selective deployment is also operationally significant. The first stage profiles victims before the attackers commit to deploying further tooling, allowing them to identify and target only the highest-value systems while limiting exposure of their more advanced capabilities.
3 practical actions
- Immediately audit all systems where DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 were installed since April 8: Kaspersky explicitly recommends examining these machines for abnormal activity occurring on or after that date. Focus the audit on the three affected binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe) and look for persistence mechanisms, unexpected outbound connections, and in-memory code execution consistent with the backdoor's documented behavior. Updating or reinstalling DAEMON Tools replaces the trojanized files but does not necessarily remove persistence already established or a second-stage payload already running in memory, so treat the host as potentially compromised until the audit is complete.
- Check for QUIC RAT and second-stage backdoor indicators on systems in targeted sectors and geographies: Organizations in retail, scientific research, government, and manufacturing, particularly those with operations in Russia, Belarus, or Thailand, should treat any DAEMON Tools installation in the affected version range as a higher-priority investigation given the confirmed targeting of those sectors and regions.
- Extend software integrity verification to cover digitally signed binaries from official vendor sources: The DAEMON Tools attack used legitimate digital signatures on trojanized installers. A valid Authenticode signature proves only that the vendor's signing key signed the file; it says nothing about whether the build that was signed is clean, so a trust model that stops at the signature check is defeated the moment a vendor's build or signing pipeline is compromised. Implement hash verification of critical software against vendor-published checksums, with the caveat that a checksum fetched from the same compromised website is worth nothing: reference hashes must come from an independent channel or from a copy archived before the compromise window. Consider file integrity monitoring for third-party utilities that install services or run at startup, as DAEMON Tools does, with a baseline taken before any suspect update.
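A host triage script for the first and third actions above, added here as an example and not taken from the article, Kaspersky's report or DAEMON Tools: it enumerates installed DAEMON Tools versions and flags the affected range, hashes and signature-checks the three named binaries, and lists persistence entries and live TCP connections tied to them. The reference hashes passed in -KnownGoodHashes, the 'DAEMON Tools*' install-directory layout under Program Files and the output field names are assumptions; the article publishes no hashes or network indicators, so any reference hash must come from an independent, pre-compromise source.

```powershell
<#
  Added triage example, not from the article, Kaspersky or DAEMON Tools.
  Assumptions: run elevated on the host under audit; -KnownGoodHashes holds
  SHA256 values obtained out-of-band (the article publishes none), keyed by
  file name; the install directory is named 'DAEMON Tools*' under Program Files.
#>
param(
    [hashtable]$KnownGoodHashes = @{},        # e.g. @{ 'DTHelper.exe' = '<sha256 from an independent copy>' }
    [datetime]$Since = [datetime]'2026-04-08' # campaign start date per the article
)

$affectedBinaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$rangeStart  = [version]'12.5.0.2421'
$rangeEnd    = [version]'12.5.0.2434'
$namePattern = ($affectedBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Installed versions, from both the native and the WOW6432Node uninstall hives.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installs = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -like 'DAEMON Tools*' })
foreach ($app in $installs) {
    $ver = $null
    if (-not [version]::TryParse([string]$app.DisplayVersion, [ref]$ver)) {
        Write-Warning "$($app.DisplayName): cannot parse version '$($app.DisplayVersion)', inspect manually"
        continue
    }
    $verdict = if ($ver -ge $rangeStart -and $ver -le $rangeEnd) { 'IN AFFECTED RANGE' } else { 'outside affected range' }
    Write-Output ("{0} {1}: {2}" -f $app.DisplayName, $ver, $verdict)
}

# 2. Locate the three binaries. InstallLocation is often empty in the uninstall
#    key, so also look for 'DAEMON Tools*' directories under Program Files (assumed layout).
$pfRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$roots = @($installs | ForEach-Object { $_.InstallLocation }) +
         @(Get-ChildItem -Path $pfRoots -Directory -Filter 'DAEMON Tools*' -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName })
$roots = $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
$files = @(foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $affectedBinaries -ErrorAction SilentlyContinue
})

# 3. Per-file evidence. A 'Valid' Authenticode status does NOT clear a file here:
#    the trojanized installers carried the vendor's legitimate signature.
$evidence = foreach ($f in $files) {
    $sig      = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash     = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $expected = $KnownGoodHashes[$f.Name]
    [pscustomobject]@{
        Path         = $f.FullName
        FileVersion  = $f.VersionInfo.FileVersion
        SHA256       = $hash
        HashMatch    = if ($expected) { $hash -ieq $expected } else { 'no reference hash supplied' }
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
        LastWrite    = $f.LastWriteTime
        WrittenSince = $f.LastWriteTime -ge $Since   # modified on or after the campaign start
    }
}
$evidence | Format-List

# 4. Persistence referencing the binaries: Run/RunOnce keys, services, scheduled tasks.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
}
$persistence = @()
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $persistence += @($props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $namePattern } |
        ForEach-Object { [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($_.Name)"; Command = $_.Value } })
}
$persistence += @(Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $namePattern } |
    ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Command = $_.PathName } })
$persistence += @(Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $namePattern } | ForEach-Object {
        [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = "$($_.Execute) $($_.Arguments)" }
    }
})
$persistence | Format-Table -AutoSize

# 5. Live established TCP connections owned by the three processes.
$procNames = $affectedBinaries | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$connections = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Process'; e = { $proc.Name } }, @{ n = 'PID'; e = { $proc.Id } }, RemoteAddress, RemotePort
})
$connections | Format-Table -AutoSize
```

Read the output as evidence to correlate, not as a verdict: a legitimate DAEMON Tools install also registers a service and startup entries for these binaries, so the persistence section should be compared against the install directory and a known-clean host rather than treated as a finding on its own. The connection check covers TCP only; the QUIC RAT strain described in the article can use other protocols, so pair this with Get-NetUDPEndpoint -OwningProcess and with proxy or firewall logs for these hosts going back to April 8. An empty result does not clear the machine, since the second stage runs in memory and beacons intermittently.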
Also in the news today:
- FTC to Ban Data Broker Kochava From Selling Americans’ Location Data
- Student Hacked Taiwan High-Speed Rail to Trigger Emergency Brakes
- Instructure Hacker Claims Data Theft From 8,800 Schools and Universities
- Australia Launches Cyber Incident Review Board Modeled on Disbanded US Equivalent
- North Korean Hackers Targeted Ethnic Koreans in China With Android BirdCall Malware
