A supply chain attack has compromised DAEMON Tools installers, spreading malware to thousands of users worldwide.
Update: Following a full investigation, the DAEMON Tools developers confirmed that the issue was resolved on May 5, shortly after it was identified. Version 12.6 is considered safe to use, and additional security measures have been implemented to further protect the company’s infrastructure and software delivery process. More details are available in the official statement from Disc Soft Limited: https://blog.daemon-tools.cc/post/security-incident
Quick Summary – TLDR:
- DAEMON Tools installers were compromised and distributed from the official website.
- Malware has affected users in over 100 countries with thousands of infection attempts.
- Attackers used a targeted approach, deploying advanced payloads to select systems.
- Security experts link the activity to a Chinese-speaking threat actor, though attribution is not confirmed.
What Happened?
Security researchers discovered that official DAEMON Tools installers were tampered with to include malicious code. The attack began on April 8, 2026 and is still active, impacting users globally.
Kaspersky has uncovered a backdoor embedded in the official Windows installer of Daemon Tools, a widely used disc imaging application.
Security researchers believe Chinese-speaking hackers carried out a supply chain attack that began on April 8, compromising thousands of… pic.twitter.com/pgQzU5DqZj
— Pirat_Nation 🔴 (@Pirat_Nation) May 5, 2026
Compromised Software Delivered Malware
A major cybersecurity incident has hit users of DAEMON Tools, a widely used Windows software for mounting disk images. According to findings by Kaspersky, attackers managed to compromise the official installers available on the software’s website, making them appear legitimate while secretly embedding malicious payloads.
The infected installers were digitally signed using valid certificates belonging to the developer, which made the malware difficult to detect. Versions ranging from 12.5.0.2421 to 12.5.0.2434 have been confirmed as compromised.
Three core components were altered as part of the attack:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
These files run automatically during system startup, allowing the malware to activate without user awareness.
How the Attack Works
Once installed, the compromised binaries initiate a connection to a malicious server designed to mimic the legitimate DAEMON Tools domain. This server sends commands that are executed through cmd.exe, often using PowerShell to download additional malware.
The attack chain includes multiple payloads:
- envchk.exe, a .NET based tool that collects system data such as hostname, running processes, installed software, and system locale.
- cdg.exe and cdg.tmp, which work together to deploy a lightweight backdoor capable of executing commands and downloading further payloads.
The collected data is sent back to a command and control server, allowing attackers to profile infected systems before deciding on next steps.
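The two facts a defender can act on from the sections above are the confirmed-compromised version range (12.5.0.2421 to 12.5.0.2434) and the behaviour of the three altered components launching cmd.exe or PowerShell. The following triage helper is an added example, not code from Kaspersky or Disc Soft; the event tuples are constructed sample data, and the field layout is an assumption you would map onto your own EDR or Sysmon process-creation events.

```python
"""Triage helper for the DAEMON Tools incident: flags hosts whose installed
build falls inside the confirmed-compromised range, or where one of the three
altered components spawned a command shell (the execution path described above).
"""

COMPROMISED_MIN = (12, 5, 0, 2421)   # inclusive bounds from the article
COMPROMISED_MAX = (12, 5, 0, 2434)
ALTERED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe"}


def parse_version(text: str) -> tuple:
    """'12.5.0.2430' -> (12, 5, 0, 2430); shorter strings like '12.6' are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_compromised_version(text: str) -> bool:
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX


def _basename(image_path: str) -> str:
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def suspicious_spawn(parent_image: str, child_image: str) -> bool:
    """True when an altered DAEMON Tools component launches cmd.exe or powershell.exe."""
    return _basename(parent_image) in ALTERED_BINARIES and _basename(child_image) in COMMAND_SHELLS


# Constructed sample events: (host, installed version, parent image, child image)
SAMPLE_EVENTS = [
    ("ws-01", "12.5.0.2430", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", r"C:\Windows\System32\cmd.exe"),
    ("ws-02", "12.5.0.2410", r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe", r"C:\Windows\explorer.exe"),
    ("ws-03", "12.6", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]


def triage(events) -> dict:
    """Map host -> list of reasons; hosts with no findings are omitted."""
    findings = {}
    for host, version, parent, child in events:
        reasons = []
        if is_compromised_version(version):
            reasons.append("version in compromised range")
        if suspicious_spawn(parent, child):
            reasons.append("altered component spawned a command shell")
        if reasons:
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

A version match alone means the installer should be treated as untrusted and reinstalled from a verified 12.6 build; the spawn check is the behavioural signal worth alerting on even where the version is unknown.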
Targeted Malware Deployment
While thousands of machines were exposed to the initial infection, researchers observed that only a small number received advanced second-stage payloads. This strongly suggests that the attackers were selectively targeting high-value systems.
Affected sectors include:
- Retail.
- Government.
- Scientific organizations.
- Manufacturing industries.
These targeted systems were located in Russia, Belarus, and Thailand.
One of the more advanced tools used in the attack is a remote access trojan known as QUIC RAT. This malware supports multiple communication protocols such as HTTP, TCP, UDP, DNS, and QUIC, allowing it to maintain persistent access and execute commands remotely.
Evidence Points to Chinese-Speaking Threat Actor
Researchers found indicators within the malware, including Chinese-language strings, suggesting involvement of a Chinese-speaking group. However, no specific threat actor has been officially identified.
The attackers demonstrated a high level of sophistication by using techniques such as:
- Digitally signed malicious installers.
- Typosquatted domains to evade detection.
- Selective deployment of advanced malware.
- Use of legitimate system processes like notepad.exe and conhost.exe for stealth execution.
Part of a Growing Trend in 2026
This incident is not isolated. It follows a series of supply chain attacks earlier in 2026 involving software such as Notepad++, eScan, and CPU-Z. These attacks exploit trusted software distribution channels, allowing hackers to reach a large number of users quickly.
Security experts warn that such attacks are particularly dangerous because users tend to trust software downloaded directly from official sources.
Vendor Response and Ongoing Risk
The developer of DAEMON Tools, Disc Soft, has acknowledged the issue and stated:
As of now, the attack remains active, and it is unclear whether all affected versions have been secured.
SQ Magazine Takeaway
This is a serious reminder that even trusted software is no longer safe by default. I think what makes this attack alarming is how quietly it operated for nearly a month, using legitimate certificates and official distribution channels. That level of access shows how advanced modern cyber threats have become.
If widely used tools like DAEMON Tools can be compromised, it raises bigger questions about software trust and security practices. Organizations need to move beyond blind trust and adopt stricter verification and monitoring strategies.