Popular Daemon Tools utility exploited in supply chain attack

The virtual drive utility Daemon Tools is being abused in an ongoing supply chain attack. Trojanized installers have been served directly from the official vendor website since April 8 and went undetected for nearly a month. They deploy a backdoor with remote-control capabilities.

Kaspersky’s Global Research and Analysis Team (GReAT) has identified the supply chain attack targeting the official website of Daemon Tools. AVB Disc Soft, the developer of Daemon Tools, has been notified and Kaspersky is actively blocking the compromised installers.

The malicious injection affects Daemon Tools versions 12.5.0.2421 through 12.5.0.2434. Three core binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe) were tampered with so that the backdoor is launched at every system startup. Because disk emulation software routinely runs with administrative privileges, the malware gains a deep foothold in the host operating system. A lookalike domain, env-check.daemontools[.]cc, registered just a week before the attack began, serves as the command-and-control server.

Global reach, targeted follow-up

Kaspersky telemetry recorded thousands of infection attempts across more than 100 countries. Ten percent of affected systems belong to businesses. Most received only an information collector payload, which profiles the system by gathering MAC address, hostname, running processes, installed software, and locale.

On just over a dozen machines in Russia, Belarus, and Thailand, belonging to retail, scientific, government, and manufacturing organizations, attackers manually deployed a shellcode injector and previously unknown RATs. The most sophisticated implant, dubbed QUIC RAT, supports communication over HTTP, UDP, TCP, QUIC, DNS, and HTTP/3. Chinese-language artifacts appear in the implants, but Kaspersky has not attributed the campaign to any known threat actor.

Part of a broader surge

“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT. Kaspersky draws a direct parallel to the 3CX supply chain attack back in 2023, which similarly went undetected for around one month.

The Daemon Tools incident is the fourth supply chain compromise Kaspersky has investigated in 2026 alone, after eScan, Notepad++, and CPU-Z. Kaspersky telemetry found nearly 19,500 malicious packages in open-source projects by the end of 2025, a 37 percent increase over the year before, and supply chain attacks now rank as the most common cyberthreat businesses faced over the past twelve months. The steep rise in such attacks suggests that threat actors are well aware of the leverage a single upstream compromise gives them.

Organizations are advised to isolate machines with Daemon Tools installed, check the installed version against the affected range, and audit those hosts for abnormal activity from April 8 onward; individual users should uninstall the application and run a full system scan.
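The following PowerShell triage script is an added example, not code from the article, from Kaspersky or from AVB Disc Soft. It turns the indicators the article gives (the affected version range, the three tampered binaries, the C2 domain and the April 8 start date) into the host-level checks the advice above calls for: installed version, signature state and hashes of the named binaries, startup persistence that references them, and any recorded contact with the C2 domain. The default install directory, the registry and event-log sources queried, and the choice to treat any binary modified since April 8 as worth review are assumptions made here, not facts from the article; the article publishes no file hashes, so the script records hashes for out-of-band comparison rather than matching against a list.

```powershell
# Added triage example (not from the article or the vendor). Only the version
# range, binary names, C2 domain and start date come from the article; the
# install path, log sources and review heuristics are assumptions. Run elevated.

$AffectedMin     = [version]'12.5.0.2421'
$AffectedMax     = [version]'12.5.0.2434'
$SuspectBinaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$C2Domain        = 'env-check.daemontools.cc'   # article IOC, defanging brackets removed
$Since           = Get-Date '2026-04-08'        # article: distribution started April 8

$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Installed version, read from the uninstall keys in both registry views.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installs = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' }

$searchRoots = @()
foreach ($app in $installs) {
    $v = [version]'0.0'
    if ([version]::TryParse($app.DisplayVersion, [ref]$v) -and
        $v -ge $AffectedMin -and $v -le $AffectedMax) {
        $Findings.Add("Affected version installed: $($app.DisplayName) $($app.DisplayVersion)")
    }
    if ($app.InstallLocation) { $searchRoots += $app.InstallLocation }
}
# Assumed default install directory, used when the registry has no InstallLocation.
$searchRoots += Join-Path $env:ProgramFiles 'DAEMON Tools Lite'
$searchRoots = $searchRoots | Where-Object { Test-Path $_ } | Select-Object -Unique

# 2. The three binaries the article names: signature state, timestamp and SHA-256.
#    A valid Authenticode signature is not proof of a clean file here (users trusted
#    signed downloads), so the hash is recorded for comparison against clean builds.
$binaries = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -Include $SuspectBinaries -ErrorAction SilentlyContinue
}
foreach ($f in $binaries) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $note = "$($f.FullName) sig=$($sig.Status) signer='$($sig.SignerCertificate.Subject)' " +
            "modified=$($f.LastWriteTime.ToString('u')) sha256=$hash"
    # Heuristic (assumption): anything unsigned, or written since the campaign began,
    # goes to the analyst. Files are not cleared by a valid signature alone.
    if ($sig.Status -ne 'Valid' -or $f.LastWriteTime -ge $Since) {
        $Findings.Add("Review binary: $note")
    } else {
        Write-Verbose "Binary predates the campaign (still compare hash): $note"
    }
}

# 3. Startup persistence: the backdoor runs at every boot, so list services and
#    Run keys whose command line references any of the three binaries.
$pattern = ($SuspectBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    ForEach-Object { $Findings.Add("Service '$($_.Name)' (state=$($_.State), start=$($_.StartMode)): $($_.PathName)") }

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            $Findings.Add("Run key ${k}\$($p.Name): $($p.Value)")
        }
    }
}

# 4. Evidence of contact with the C2 domain, from three sources that exist only if
#    enabled on the host: the resolver cache, Sysmon event 22 (DNS query), and the
#    DNS Client operational log (event 3008, disabled by default).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" } |
    ForEach-Object { $Findings.Add("DNS cache entry: $($_.Entry) -> $($_.Data)") }

$logQueries = @(
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational';     Id = 22;   StartTime = $Since },
    @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008; StartTime = $Since }
)
foreach ($q in $logQueries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($C2Domain) } |
        ForEach-Object { $Findings.Add("$($q.LogName) event $($_.Id) at $($_.TimeCreated.ToString('u')) references $C2Domain") }
}

# 5. Summary for the responder.
if ($Findings.Count -eq 0) {
    'No indicators from the article found on this host; still confirm the installed version against the vendor advisory.'
} else {
    'Indicators found (isolate the host and escalate):'
    $Findings | ForEach-Object { " - $_" }
}
```

An empty result is not a clean bill of health: the resolver cache is short-lived, Sysmon and the DNS Client log are often absent, and a backdoor that was only ever used for the information collector stage may have left little beyond the tampered binaries themselves. The version check and the recorded hashes are the findings to act on first.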