- Attackers have poisoned DAEMON Tools downloads with malware, infecting thousands of people around the world.
- The campaign first deployed an infostealer, followed by a selective backdoor on targeted machines.
- Researchers suspect Chinese actors, noting the precision of the attack against government and industrial systems.
DAEMON Tools, a popular program used to create and use virtual drives on a computer, has been poisoned to provide a dangerous backdoor to thousands of users, experts have warned.
Security researchers at Kaspersky have released a new report describing how someone broke into the website hosting DAEMON Tools around April 8, 2026. They added several new versions of the software (12.5.0.2421 to 12.5.0.2434) for the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.
Once installed, these versions deployed several malware variants. First, the victim is infected with a basic information stealer that collects system data (host name, MAC address, running processes, installed software, and system locale) and transmits it to the attackers. Then, based on the information returned, the malware moves to the second stage, deploying a lightweight backdoor capable of executing commands, downloading files, and executing code directly in memory.
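For defenders, the practical first step is an inventory check against the three named binaries and the reported build range. The script below is an added example, not code from the article or from Kaspersky; it assumes the version range applies to the file version of those binaries, and the inventory records, hostnames and out-of-range versions are constructed for illustration. It compares versions as integer tuples rather than strings and surfaces unreadable versions for manual follow-up instead of treating them as clean.

```python
from typing import Optional, Tuple

# Binaries and version window named in the Kaspersky report.
AFFECTED_BINARIES = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"}
FIRST_BAD = (12, 5, 0, 2421)
LAST_BAD = (12, 5, 0, 2434)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse '12.5.0.2421' into (12, 5, 0, 2421); None if not four integers,
    so a missing or malformed version is surfaced instead of silently passed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_poisoned(filename: str, version: str) -> bool:
    """True if filename is a trojanized binary and its version is inside the
    reported range (inclusive); compares as int tuples, not as strings."""
    if filename not in AFFECTED_BINARIES:
        return False
    parsed = parse_version(version)
    return parsed is not None and FIRST_BAD <= parsed <= LAST_BAD


def triage(inventory):
    """Sort (host, filename, version) records into poisoned / unparseable / clean.
    Unparseable only applies to the named binaries: those need a manual check."""
    out = {"poisoned": [], "unparseable": [], "clean": []}
    for host, fname, ver in inventory:
        if fname in AFFECTED_BINARIES and parse_version(ver) is None:
            out["unparseable"].append((host, fname, ver))
        elif is_poisoned(fname, ver):
            out["poisoned"].append((host, fname, ver))
        else:
            out["clean"].append((host, fname, ver))
    return out


# Constructed sample inventory; hostnames and out-of-range versions are made up.
SAMPLE_INVENTORY = [
    ("ws-01", "DTHelper.exe", "12.5.0.2421"),               # first bad build
    ("ws-02", "DiscSoftBusServiceLite.exe", "12.5.0.2434"),  # last bad build
    ("ws-03", "DTShellHlp.exe", "12.5.0.2435"),             # just past the range
    ("ws-04", "DTHelper.exe", "12.5.0.2400"),               # older build
    ("ws-05", "DTShellHlp.exe", "unknown"),                  # version not readable
    ("ws-06", "notepad.exe", "12.5.0.2430"),                # unrelated binary
]
```

Run `triage(SAMPLE_INVENTORY)` on real inventory data and treat a version match as a lead for investigation, since a matching build number indicates exposure to the poisoned download rather than proof that the second-stage backdoor was delivered.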
Very targeted attack
DAEMON Tools was extremely popular in the early 2000s, but is still widely used today.
Kaspersky highlighted that among its own customers it has witnessed “several thousand infection attempts” since early April, with victims located all over the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.
Kaspersky also noted that this appears to be a very targeted attack. Threat actors cannot choose who will be infected by the information stealer because it is hosted on the DAEMON Tools website. However, the second stage was observed on only a dozen machines belonging to government, scientific, manufacturing and commercial organizations in Russia, Belarus and Thailand.
“This manner of deploying the backdoor on a small subset of infected machines clearly indicates that the attacker intended to carry out the infection in a targeted manner. However, their intent – whether cyberespionage or ‘big game hunting’ – is currently unclear.”
Kaspersky could not determine the identity of the attackers but believes they are Chinese.
Via BleepingComputer