- Attackers poisoned DAEMON Tools downloads with malware, infecting thousands worldwide
- The campaign first deployed an infostealer, followed by a selective backdoor on targeted machines
- Researchers suspect Chinese actors and note the precision of the attack against government and industrial systems
DAEMON Tools, a popular program used to create and mount virtual drives on a computer, was poisoned to deliver a dangerous backdoor to thousands of users, experts have warned.
Security researchers at Kaspersky published a new report outlining how someone broke into the DAEMON Tools website around April 8, 2026. The attackers planted malicious code in three of the suite's binaries, DTHelper.exe, DiscSoftBusServiceLite.exe and DTShelliesHlp.exe, across several new versions of the software, 12.5.0.2421 to 12.5.0.2434.
Once installed, these versions deployed multiple malware variants. First, the victim is infected with a basic infostealer that grabs system data (hostname, MAC address, running processes, installed software, and system location) and forwards it to the attackers. Then, based on the information returned, the malware moves to stage two and installs a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.
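The only concrete indicators the article gives are the affected version range and the three binary names, so the first thing a defender would want is a way to sweep a software inventory for them. The script below is an added example (not Kaspersky's or DAEMON Tools' code) that parses file versions numerically and flags records whose file name and version both match; the inventory records are constructed for illustration, the paths are assumptions, and the binary names are taken as the article prints them.

```python
"""Triage helper: flag DAEMON Tools files whose version falls in the range
Kaspersky reported as tampered (12.5.0.2421 through 12.5.0.2434).

Added example, not code from Kaspersky or DAEMON Tools. The inventory
records at the bottom are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

# Binary names as printed in the article.
AFFECTED_BINARIES = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShelliesHlp.exe"}
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)


def parse_version(text):
    """Turn '12.5.0.2421' into a tuple of ints so comparison is numeric.

    Plain string comparison gets this wrong: '12.5.0.2434' < '12.5.0.250'
    as strings, although 2434 > 250 as numbers.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True if the version is inside the reported range (inclusive)."""
    try:
        v = parse_version(text)
    except ValueError:
        # Malformed version strings are reported as not matching rather
        # than crashing a sweep over thousands of records.
        return False
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


@dataclass
class FileRecord:
    host: str
    path: str      # full path as exported from an inventory tool
    version: str   # file version string


def triage(records):
    """Return (host, path, version) for every record whose file name is one
    of the named binaries and whose version lies in the tampered range."""
    names = {b.lower() for b in AFFECTED_BINARIES}
    hits = []
    for r in records:
        # Accept either Windows or POSIX separators in the exported path.
        basename = r.path.replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower() in names and is_affected_version(r.version):
            hits.append((r.host, r.path, r.version))
    return hits


# Constructed sample inventory (hostnames and paths are assumptions).
SAMPLE_INVENTORY = [
    FileRecord("ws-01", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "12.5.0.2428"),
    FileRecord("ws-02", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "12.5.0.2419"),
    FileRecord("ws-03", r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe", "12.5.0.2434"),
    FileRecord("ws-04", r"C:\Windows\System32\notepad.exe", "12.5.0.2430"),
    FileRecord("ws-05", r"C:\Program Files\DAEMON Tools Lite\DTShelliesHlp.exe", "12.5.1.1"),
]

if __name__ == "__main__":
    for host, path, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {path} ({version}) is in the reported tampered range")
```

A version match is a coarse indicator only: the article publishes no file hashes, so a hit should be confirmed against the vendor's or Kaspersky's indicators and the file's signature rather than treated as proof of compromise on its own.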
Very targeted attack
DAEMON Tools was extremely popular in the early 2000s, and it is still widely used today.
Kaspersky noted how, among its own customers alone, it has seen “several thousand infection attempts” since early April, with victims located all over the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.
Kaspersky also noted that this appears to be a highly targeted attack. The threat actors cannot choose who gets infected with the infostealer, since the trojanized builds are served to everyone who downloads from DAEMON Tools' website. However, phase two was only seen on a dozen machines belonging to government, scientific, manufacturing and retail organizations in Russia, Belarus and Thailand.
“This way of installing the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to carry out the infection in a targeted manner. However, their intent – whether cyber espionage or ‘big game hunting’ – is currently unclear.”
Kaspersky could not determine the identity of the attackers, but believes they are Chinese.
Via Bleeping Computer