
DAEMON Tools Supply Chain Attack Ongoing Since April, Thousands of Systems Affected


A serious supply chain attack has hit DAEMON Tools, and it is still active. Attackers have been distributing trojanised installers through official channels since early April 2026. This has put thousands of users at risk worldwide.

Security researchers at Kaspersky discovered that attackers tampered with legitimate installers and inserted hidden backdoors into signed binaries. Because these files carried the developer's valid code-signing certificate, they looked safe and passed signature checks without raising suspicion.

The campaign started on April 8, 2026. Attackers compromised multiple DAEMON Tools versions between 12.5.0.2421 and 12.5.0.2434. They hosted these infected installers on the official website, which made the attack far more effective.

The infrastructure behind the attack remains active even now. Researchers have already tracked thousands of infection attempts across more than 100 countries, with most victims located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Rather than fetching a separate malware payload, the attackers modified core DAEMON Tools binaries such as DTHelper.exe and DiscSoftBusServiceLite.exe. Because these components run at system startup, the backdoor is loaded every time the machine boots, which gives the attackers persistent access to infected machines.

The attack follows a clear, staged approach. First, the malware collects system data such as the MAC address, hostname, installed applications, and network details, then sends it to remote servers so the attackers can decide which systems are worth deeper access.

Only a small percentage of infected systems received second-stage payloads. These mainly belonged to organisations in government, manufacturing, research, and retail sectors. This selective targeting shows that attackers did not go after everyone. They focused on systems that could offer strategic value.

In advanced cases, researchers spotted the use of QUIC RAT. This tool allows attackers to execute commands, download files, and inject code directly into legitimate processes like notepad.exe.

Attackers registered a fake domain that closely resembled the official DAEMON Tools website just days before launching the campaign. This helped them blend malicious traffic with normal activity.
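The lookalike-domain angle is one of the cheaper things to hunt for in DNS telemetry. The script below is an added example, not code from the article or from Kaspersky's research. It assumes the vendor's real site is daemon-tools.cc (an assumption; the article names neither the official domain nor the impostor), runs over constructed DNS log lines, and flags queries for names that are a character or two away from the brand's second-level label or that embed that label inside an unrelated domain.

```python
"""Flag DNS queries for domains that impersonate the DAEMON Tools site.

Added example, not part of the original article. The legitimate domain is
assumed to be daemon-tools.cc; the log lines below are constructed for the
demonstration and are not real telemetry.
"""
from __future__ import annotations

LEGIT_DOMAIN = "daemon-tools.cc"  # assumption: the vendor's real site

# Constructed sample: timestamp, client host, queried name (one query per line).
SAMPLE_DNS_LOG = """\
2026-04-10T09:12:01Z ws-0412 daemon-tools.cc
2026-04-10T09:12:03Z ws-0412 cdn.daemon-tools.cc
2026-04-10T09:15:44Z ws-0207 daemon-tool.cc
2026-04-10T09:16:02Z ws-0207 daem0n-tools.cc
2026-04-10T09:20:10Z ws-0301 daemon-tools-update.com
2026-04-10T09:21:55Z ws-0301 microsoft.com
2026-04-10T09:22:13Z ws-0118 daemontools.cc
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of the name (sufficient for the TLDs used here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify(domain: str) -> str | None:
    """Return a reason string if `domain` impersonates LEGIT_DOMAIN, else None."""
    name = domain.lower().rstrip(".")
    legit_sld = LEGIT_DOMAIN.split(".")[0]  # "daemon-tools"
    if name == LEGIT_DOMAIN or name.endswith("." + LEGIT_DOMAIN):
        return None  # the real site or one of its own subdomains
    sld = registrable(name).split(".")[0]
    # 1. Typo or homoglyph in the second-level label (daem0n, daemon-tool, daemontools).
    if edit_distance(sld, legit_sld) <= 2:
        return "near-match of second-level label"
    # 2. Brand label embedded anywhere in an unrelated name (daemon-tools-update.com,
    #    daemon-tools.cc.evil.com).
    if legit_sld in name:
        return "brand name embedded in different domain"
    return None


def find_lookalikes(log_text: str) -> list[tuple[str, str, str]]:
    """Parse the log and return (host, domain, reason) for suspicious queries."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-hunt
        _ts, host, qname = parts
        reason = classify(qname)
        if reason:
            hits.append((host, qname, reason))
    return hits


if __name__ == "__main__":
    for host, qname, reason in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{host}\t{qname}\t{reason}")
```

The edit-distance threshold of 2 is a tuning knob: raise it and short brand labels start colliding with unrelated names, so for a label this long it is a reasonable starting point. A hit only justifies looking at the querying host; confirm it by checking that host for the modified binaries and the unknown processes described above.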

Some parts of the malware include Chinese-language strings. This points toward a possible Chinese-speaking threat actor, but researchers have not confirmed attribution yet.

If you installed DAEMON Tools on or after April 8, treat the machine as potentially compromised. A valid Authenticode signature on DTHelper.exe or DiscSoftBusServiceLite.exe does not clear it, because the backdoored builds were signed with the developer's own certificate; compare file hashes against a known-good copy or published indicators instead. Check the system for unusual activity, especially unexpected PowerShell commands and unknown background processes, and keep endpoint protection up to date. Organisations should audit affected machines and monitor outbound network traffic closely.
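For an organisation with an inventory or EDR export, the first cut is mechanical: which hosts carry a build in the range the article quotes, and which installed any build on or after the campaign start. The script below is an added example, not tooling from the article, Kaspersky, or the vendor; the CSV is constructed, and its column names are an assumption about whatever export format you actually have. It compares versions numerically rather than as strings, because a string comparison mis-orders four-part build numbers.

```python
"""Triage a software-inventory export for DAEMON Tools installs in the
compromised build range. Added example, not from the article or from
Kaspersky; the CSV below is constructed, and the column names are an
assumption about the inventory/EDR export you actually have."""
from __future__ import annotations

import csv
import io
from datetime import date

# Bounds quoted in the article, inclusive.
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)
CAMPAIGN_START = date(2026, 4, 8)

# Constructed sample export (hostnames and dates are not real).
SAMPLE_INVENTORY = """\
hostname,product,version,install_date
ws-0101,DAEMON Tools Lite,12.5.0.2418,2026-03-20
ws-0102,DAEMON Tools Lite,12.5.0.2430,2026-04-11
ws-0103,DAEMON Tools Lite,12.5.0.2434,2026-04-30
ws-0104,DAEMON Tools Lite,12.5.0.2440,2026-05-02
ws-0105,DAEMON Tools Lite,12.5.0.999,2026-02-01
ws-0106,7-Zip,24.08,2026-04-12
"""


def version_key(version: str) -> tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421). Numeric, so 2421 > 999; a plain
    string comparison would wrongly put '12.5.0.999' above '12.5.0.2434'."""
    return tuple(int(part) for part in version.strip().split("."))


def in_affected_range(version: str) -> bool:
    return AFFECTED_LOW <= version_key(version) <= AFFECTED_HIGH


def triage_row(row: dict[str, str]) -> str:
    """Return 'affected-build', 'review', or 'ok' for one inventory row."""
    if "daemon tools" not in row["product"].lower():
        return "ok"
    if in_affected_range(row["version"]):
        return "affected-build"  # build the article lists as compromised
    if date.fromisoformat(row["install_date"]) >= CAMPAIGN_START:
        return "review"  # installed while the campaign was live; verify the binaries
    return "ok"


def triage(csv_text: str) -> dict[str, list[str]]:
    """Group hostnames by triage verdict, preserving export order."""
    buckets: dict[str, list[str]] = {"affected-build": [], "review": [], "ok": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[triage_row(row)].append(row["hostname"])
    return buckets


if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:15s} {', '.join(hosts) or '-'}")
```

The "review" bucket exists because the article says the infrastructure is still live: a build outside the quoted range that was installed after April 8 is not proven clean by its version number alone, so its binaries still need a hash comparison against a known-good copy.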

Security teams should also restrict execution from temporary folders and move toward zero-trust security models. These steps can reduce the impact of similar attacks.

This incident is not an isolated case. It fits into a growing pattern where attackers target trusted software to spread malware.

Recent attacks have already impacted tools like PyTorch Lightning, Bitwarden CLI, Axios, CPU-Z, HWMonitor, and platforms linked to Vimeo and Salesloft. Other cases include compromises involving elementary-data and Quick Page/Post Redirect WordPress Plugin.

These incidents show that attackers now prefer indirect entry points instead of direct attacks. They target software supply chains because users trust them.

This also connects well with our recent featured article on why supply chain attacks are becoming one of the biggest risks in software today. The DAEMON Tools case adds another strong example to that discussion.


About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an Engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known Security Researcher acknowledged by global companies including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
