VYPR
Breach · Published May 5, 2026 · Updated May 17, 2026 · 2 sources

Daemon Tools Supply Chain Attack Hits Government and Scientific Entities

Chinese-speaking threat actors have compromised the official Daemon Tools website to distribute a multi-stage backdoor through trojanized software installers.

A sophisticated supply chain attack has compromised the official installers for Daemon Tools, a popular disk imaging utility, resulting in the distribution of a backdoor to thousands of systems worldwide. According to Kaspersky, the campaign has been active since April 8, 2026, and affects Daemon Tools versions 12.5.0.2421 through 12.5.0.2434. The malicious code was injected into three specific binaries, DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, all of which remain digitally signed by the software vendor, AVB Disc Soft, so signature verification alone does not reveal the compromise (SecurityWeek).

The malicious code is hooked into the startup sequence of the affected binaries: it runs when the C runtime (CRT) environment is initialized as the component starts, which for these components happens at machine startup (SecurityWeek). This first-stage payload functions as an information stealer, collecting system data such as hostnames, MAC addresses, running processes, and installed software (BleepingComputer). The data is transmitted to a typosquatted domain registered on March 27, before the trojanized builds appeared, which acts as the command-and-control server and returns shell commands for the infected machine to execute (SecurityWeek).

The reach of this campaign is extensive, with thousands of infections reported across more than 100 countries, including significant activity in Brazil, China, France, Germany, Italy, Russia, Spain, and Turkey (SecurityWeek). However, the attackers have used a highly selective approach for secondary infections. While the initial stealer was deployed broadly, a more advanced, minimalistic backdoor was pushed to only about a dozen specific systems belonging to government, scientific, manufacturing, and retail entities in Belarus, Russia, and Thailand (BleepingComputer). In at least one instance involving a Russian educational institution, the attackers deployed a more complex tool known as the QUIC RAT (BleepingComputer).

The attackers behind this campaign are believed to be Chinese-speaking, based on strings identified within the first-stage payload (BleepingComputer). The sophisticated nature of the compromise allowed it to evade detection for nearly a month (BleepingComputer). As of the latest reports, the attack remains active, and AVB Disc Soft has been notified of the breach (SecurityWeek). Organizations that have deployed Daemon Tools since April 8 are urged to audit their hosts for the affected builds and for abnormal activity, as the vendor has not yet publicly confirmed a resolution (BleepingComputer).
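The audit recommended above can be scripted. The following PowerShell hunt script is an added example written for this page; it is not code from Kaspersky, SecurityWeek, BleepingComputer or AVB Disc Soft. It uses only the facts the reports state (the three binary names and the affected version range 12.5.0.2421 to 12.5.0.2434); the install directories it searches are assumed defaults and should be replaced with whatever your software inventory reports. Because the trojanized builds carry the vendor's own valid signature, the script reports the Authenticode status for context but decides on file version, and collects SHA-256 hashes so that flagged files can be matched against published indicators.

```powershell
# Added hunting script for the Daemon Tools supply chain compromise (example, not vendor code).
# Flags DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe when their file version
# falls in the affected range. A "Valid" Authenticode status does NOT clear a file here:
# the trojanized builds were signed with the vendor's certificate.

$AffectedBinaries = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')
$FirstBad = [version]'12.5.0.2421'
$LastBad  = [version]'12.5.0.2434'

# ASSUMED install locations; extend with paths from your own inventory.
$SearchRoots = @(
    "$env:ProgramFiles\DAEMON Tools*",
    "${env:ProgramFiles(x86)}\DAEMON Tools*",
    "$env:ProgramFiles\DiscSoft*"
)

function Get-FileVersionObject {
    param([System.Diagnostics.FileVersionInfo]$Info)
    # FileVersion/ProductVersion strings may carry trailing text; keep the first dotted quad.
    foreach ($candidate in @($Info.FileVersion, $Info.ProductVersion)) {
        if ($candidate -match '(\d+\.\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    }
    return $null
}

$findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include $AffectedBinaries -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ver = Get-FileVersionObject -Info $_.VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path            = $_.FullName
            FileVersion     = $ver
            InAffectedRange = ($null -ne $ver -and $ver -ge $FirstBad -and $ver -le $LastBad)
            SignatureStatus = $sig.Status          # expected "Valid" even on trojanized builds
            Signer          = $sig.SignerCertificate.Subject
            LastWriteTime   = $_.LastWriteTime    # rough indicator of when the build landed
            SHA256          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$findings | Format-Table -AutoSize

$suspect = @($findings | Where-Object InAffectedRange)
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) Daemon Tools binary file(s) in the affected version range on $env:COMPUTERNAME. Treat the host as potentially compromised, preserve the listed hashes for IOC matching, and review outbound connections and child shell processes of these components."
}
```

Run it in an elevated session so every install directory is readable. Files outside the affected range are still worth keeping in the output: the version string comes from the file's own resources, so a tampered build that lied about its version would only be caught by hash comparison against indicators published by the vendor or the reporting researchers.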

This incident highlights the persistent threat posed by software supply chain compromises, which have targeted various utilities throughout the year, including eScan, Notepad++, and CPU-Z (BleepingComputer). The ability of attackers to leverage legitimate, digitally signed software to distribute malware underscores the difficulty security teams face in verifying the integrity of third-party tools. As supply chain attacks continue to rise, the incident serves as a reminder of the importance of monitoring for unusual network traffic and process behavior, such as shell processes spawned by, or unexpected outbound connections from, otherwise trusted vendor-signed components (BleepingComputer).

Synthesized by Vypr AI