{"id":36200,"date":"2026-05-05T23:13:02","date_gmt":"2026-05-05T12:13:02","guid":{"rendered":"https:\/\/www.kaspersky.com.au\/blog\/daemon-tools-supply-chain-attack\/36200\/"},"modified":"2026-05-05T23:13:02","modified_gmt":"2026-05-05T12:13:02","slug":"daemon-tools-supply-chain-attack","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/daemon-tools-supply-chain-attack\/36200\/","title":{"rendered":"Supply chain attack via DAEMON Tools"},"content":{"rendered":"<p>Our experts have discovered a large-scale supply chain attack via DAEMON Tools \u2013 software for emulating optical drives. The attackers managed to inject malicious code into the software installers, and all trojanized executable files are signed with a valid digital signature of AVB Disc Soft \u2013 the developer of DAEMON Tools. The malicious version of the program has been circulating since April 8, 2026. At the time of writing, the attack is still ongoing. Researchers at Kaspersky believe this is a targeted attack.<\/p>\n<h2>What are the risks of installing the malicious version of DAEMON Tools?<\/h2>\n<p>After the Trojanized software is installed on the victim\u2019s computer, a malicious file is launched every time the system starts up \u2013 sending a request to a command-and-control server. In response, the server may send a command to download and execute additional malicious payloads.<\/p>\n<p>First, the attackers deploy an information gatherer that collects the MAC address, hostname, DNS domain name, lists of running processes and installed software, and language settings. The malware then sends this information to the command-and-control server.<\/p>\n<p>In some cases, in response to the collected information, the command server sends a minimalistic backdoor to the victim\u2019s machine. It\u2019s capable of downloading additional malicious payloads, executing shell commands, and running shellcode modules in memory.<\/p>\n<p>The backdoor can be used to deploy a more sophisticated implant dubbed as QUIC RAT. It supports multiple communication protocols with the command-and-control server, and is capable of injecting malicious payloads into the <em>notepad.exe<\/em> and <em>conhost.exe<\/em> processes.<\/p>\n<p>More detailed technical information, along with indicators of compromise, can be found in <a href=\"https:\/\/securelist.com\/tr\/daemon-tools-backdoor\/119654\/\" target=\"_blank\" rel=\"noopener\">the experts\u2019 article on the Securelist blog<\/a>.<\/p>\n<h2>Who\u2019s being targeted?<\/h2>\n<p>Since early April, several thousand attempts to install additional malicious payloads via infected DAEMON Tools software have been detected. Most of the infected devices belonged to home users, but approximately 10% of installation attempts were detected on systems running in organizations. Geographically, the victims were spread across around a hundred different countries and territories. Most victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.<\/p>\n<p>Most often, the attack was limited to installing an information collector. The backdoor infected only a dozen machines in government, scientific, and manufacturing organizations, as well as in retail businesses in Russia, Belarus, and Thailand.<\/p>\n<h2>What exactly was infected<\/h2>\n<p>The malicious code was detected in DAEMON Tools versions ranging from 12.5.0.2421 to 12.5.0.2434. The attackers compromised the files <em>DTHelper.exe<\/em>, <em>DiscSoftBusServiceLite.exe<\/em>, and <em>DTShellHlp.exe<\/em>, which are installed in the main DAEMON Tools directory.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>If DAEMON Tools software is used on your computer (or elsewhere in your organization), our experts recommend thoroughly checking the computers on which it is installed for any unusual activity starting from April 8.<\/p>\n<p>In addition, we recommend using reliable security solutions on all <a href=\"https:\/\/www.kaspersky.com.au\/premium?icid=au_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">home<\/a> and <a href=\"https:\/\/www.kaspersky.com.au\/next?icid=au_kdailyplacehold_acq_ona_smm__onl_b2b_kdaily_wpplaceholder_sm-team___knext____d4bb560012e498a0\" target=\"_blank\" rel=\"noopener\">corporate<\/a> computers used to access the internet. Our solutions successfully protect users from all malware used in the supply chain attack via DAEMON Tools.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kaspersky-next\">\n","protected":false},"excerpt":{"rendered":"<p>A targeted supply chain attack via popular software for mounting disk images.<\/p>\n","protected":false},"author":2706,"featured_media":36201,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2993,2994],"tags":[36,746,2836],"class_list":{"0":"post-36200","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-malware-2","11":"tag-rat","12":"tag-supply-chain-attack"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/daemon-tools-supply-chain-attack\/36200\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/daemon-tools-supply-chain-attack\/30691\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/daemon-tools-supply-chain-attack\/25743\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/daemon-tools-supply-chain-attack\/30542\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/daemon-tools-supply-chain-attack\/29178\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/daemon-tools-supply-chain-attack\/32085\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/daemon-tools-supply-chain-attack\/41798\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/daemon-tools-supply-chain-attack\/55691\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/daemon-tools-supply-chain-attack\/23879\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/daemon-tools-supply-chain-attack\/33451\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/daemon-tools-supply-chain-attack\/30625\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/daemon-tools-supply-chain-attack\/36093\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/supply-chain-attack\/","name":"supply-chain attack"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36200","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=36200"}],"version-history":[{"count":0,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/36200\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/36201"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=36200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=36200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=36200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}