Attackers compromised Daemon Tools software to deliver backdoors
Kaspersky researchers uncovered another supply chain compromise involving a popular Windows tool: Daemon Tools, an app for mounting disk image files as virtual drives that is widely used by gamers, developers, and IT professionals.

Since April 8, 2026, the official Daemon Tools download site (daemon-tools[.]cc) had been serving signed, trojanized Windows installers.
Once installed, these compromised binaries would silently reach out to an attacker-controlled server to download a .NET-based information collector, harvesting system details such as language settings, running processes, and installed software.
The information collector ran on a large number of consumer and enterprise systems around the globe, but mostly in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
(It’s worth noting, though, that Kaspersky’s visibility into the attack has geographic limits: its software is banned across both public and private sectors in the US, and restricted from government and public sector use in several other Western nations, which means a significant portion of potentially affected machines would never appear in its telemetry.)
The additional payloads were a minimalistic backdoor – deployed to a dozen machines of government, scientific, manufacturing and retail organizations located in Russia, Belarus and Thailand – and a backdoor dubbed QUIC RAT, capable of injecting payloads into legitimate system processes.
QUIC RAT was spotted only once, used against an educational institution located in Russia.
“Based on [these findings], we conclude with a high degree of confidence that the information collector is used for profiling the infected machines, with the profiling results further used to deploy additional payloads in a targeted manner,” the researchers said.
Who is behind this supply chain compromise is unknown, though strings in Chinese in the information collector point to a Chinese-speaking threat actor.
How did it happen?
When Kaspersky published their findings on Tuesday, the legitimate Daemon Tools website was still compromised and serving the malicious Daemon Tools versions 12.5.0.2421 to 12.5.0.2434. This was confirmed by other security researchers.
Since then, the vendor – Disc Soft Limited – finally acknowledged the compromise, published a new, clean Windows software version (v12.6.0.2445), and started an investigation.
It’s currently unclear how the attackers tampered with three specific binaries within the Daemon Tools installation (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe). The files were signed with AVB Disc Soft’s legitimate digital certificates, making them appear trustworthy.
According to Kaspersky, the typosquatted domain (https://env-check.daemontools[.]cc) from which the malicious payloads were downloaded was registered on March 27.
Kaspersky has advised individuals and organizations to check systems and logs for shared indicators of compromise and to clean those that have been compromised.
Kaspersky has already investigated four supply chain compromises in 2026 – eScan, Notepad++, CPUID, and now Daemon Tools – and says that the pattern is hard to ignore: attackers are increasingly setting their sights on widely trusted, popular software.
“Organizations should be very careful when choosing the software they decide to install,” they concluded.
UPDATE (May 7, 2026, 05:45 a.m. ET):
“Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state,” Disc Soft Limited stated.
“Our investigation is ongoing as we continue to analyze the root cause and full scope of the incident. At this stage, we are not attributing the incident to any specific third party. We are carefully reviewing all components of our infrastructure to ensure a complete and accurate understanding of what occurred. We are also enhancing our verification procedures to further reduce the risk of similar incidents in the future.”
The company said that only the Daemon Tools Lite (free) version was trojanized. “Daemon Tools Ultra, Daemon Tools Pro, and all other products remain fully operational and safe to use,” they added.
