What just happened? Popular disk imaging software Daemon Tools was the victim of a sophisticated supply chain attack, with threat actors distributing trojanized Windows installers through the program's official website to deliver a backdoor to thousands of PCs worldwide. The campaign began on April 8 and affected victims in more than 100 countries before being discovered.
Cybersecurity researchers at Kaspersky found that the attack compromised multiple versions of Daemon Tools, from 12.5.0.2421 through 12.5.0.2434. What made the campaign particularly difficult to detect was that the malicious installers were distributed directly from the official website and signed with legitimate digital certificates belonging to AVB Disc Soft, the software's developer – allowing the attack to go unchecked for nearly a month.
As a side note, we also distribute Daemon Tools through TechSpot Downloads, but our hosted version is not among the affected builds, nor have we distributed any of the compromised versions. As part of our standard process, all software listed on TechSpot is scanned with VirusTotal before publication.
– Georgy Kucherin (@kucher1n) May 5, 2026
The researchers determined that attackers injected malware into at least three binaries bundled within the original installer: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three reside in the program's default installation directory, typically C:\Program Files\Daemon Tools Lite on Windows machines.
The backdoor activates each time one of the compromised binaries is launched, firing GET requests to a malicious URL designed to mimic Daemon Tools' legitimate domain. According to whois records, that domain was registered on March 27, roughly a week before the attack went live.
The initial payload collects a broad range of system information, including the device's MAC address, hostname, installed software, running processes, network configuration, and user location, before transmitting it to attacker-controlled servers for profiling.
Kaspersky has not been able to attribute the campaign to any known threat actor, though strings found in the first-stage payload suggest the attacker is Chinese-speaking.
The majority of victims are reportedly located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, second-stage payloads were delivered to only around a dozen devices, all belonging to major retailers, manufacturing facilities, scientific organizations, government agencies, and educational institutions in Russia, Belarus, and Thailand.
That selective targeting led researchers to conclude "with a high degree of confidence" that the operation was aimed at specific individuals and organizations rather than opportunistic targets.
Kaspersky has informed AVB Disc Soft of the attack in line with standard responsible disclosure practices. In the meantime, the firm is urging all Daemon Tools users to run a malware scan immediately and watch for suspicious code injections into legitimate system processes – "especially when the source is executables launched from publicly accessible directories such as Temp, AppData, or Public."
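For administrators who want a quick way to triage a Windows host against the details above, the following PowerShell script is an added example, not code from Kaspersky, AVB Disc Soft or TechSpot. It assumes the default install path and the three file names reported in the article, treats the affected range 12.5.0.2421 through 12.5.0.2434 as inclusive, and hashes each binary so the values can be looked up in a scanner such as VirusTotal.

```powershell
# Added triage script (not from Kaspersky or AVB Disc Soft).
# Assumptions: default install path and binary names as reported in the
# article; the affected build range is taken as inclusive.

$InstallDir = 'C:\Program Files\Daemon Tools Lite'
$Binaries   = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$AffectedLo = [version]'12.5.0.2421'
$AffectedHi = [version]'12.5.0.2434'

function Get-BinaryVersion {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Build from the numeric parts; the FileVersion string may carry extra text.
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

$results = foreach ($name in $Binaries) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Present = $false; Version = $null
                           InAffectedRange = $null; SignatureValid = $null
                           Signer = $null; SHA256 = $null }
        continue
    }
    $ver = Get-BinaryVersion -Path $path
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File            = $name
        Present         = $true
        Version         = $ver
        InAffectedRange = ($ver -ge $AffectedLo -and $ver -le $AffectedHi)
        # A 'Valid' Authenticode status does NOT clear the file: the trojanized
        # builds were signed with the developer's own legitimate certificate.
        SignatureValid  = ($sig.Status -eq 'Valid')
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$results | Format-Table -AutoSize

if ($results | Where-Object { $_.InAffectedRange }) {
    Write-Warning 'A build in the affected range is installed: isolate the host, submit the SHA256 values above to a scanner, and reinstall from a clean build.'
}
```

Because the malicious installers carried a valid signature, the version and hash columns are the useful signals here; the signature column is shown only to make that point visible in the output.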