Chinese-speaking attackers compromised Daemon Tools software installers and went undetected for nearly a month. The supply chain attack began on April 8, 2026 with trojanized versions signed using legitimate digital certificates from AVB Disc Soft, the software developer. Kaspersky discovered the breach in early May after observing thousands of infection attempts across more than 100 countries.
The attack targeted both individual users and organizations, but the threat actors deployed advanced backdoors to only a dozen high-value targets in the government, scientific, manufacturing and retail sectors. Most victims received basic information collectors that harvested system data and established persistence.
Valid Certificates Bypassed Security for Weeks
The attackers compromised three core binaries within Daemon Tools installations: DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe. All were signed with valid digital certificates belonging to AVB Disc Soft, allowing them to bypass traditional endpoint security and user trust controls. Versions 12.5.0.2421 through 12.5.0.2434 contained malicious code that activated each time the system started.
“A compromise of this nature bypasses traditional perimeter defences because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT. The attack went unnoticed for about a month, indicating “the threat actor behind this attack is sophisticated and has advanced offensive capabilities.”
The malicious code contacted a command-and-control server at env-check.daemontools[.]cc, a typosquatted domain registered on March 27, just days before the attack began. This timing suggests deliberate infrastructure preparation rather than opportunistic compromise.
AVB Disc Soft Released Clean Version After Disclosure
AVB Disc Soft confirmed the breach affected only the free Daemon Tools Lite version, not the paid Pro and Ultra editions. The company released version 12.6.0.2445 on May 5, 2026, which contains no compromised files. “Within less than 12 hours of identifying the issue, we were able to implement a solution,” the company stated.
The vendor has isolated affected systems, removed compromised files from distribution, audited its build pipeline and strengthened security controls. However, the attack remained active when initially disclosed, meaning users who downloaded Daemon Tools between April 8 and May 5 could still be running infected versions.
Fourth Major Supply Chain Attack in Five Months
The Daemon Tools compromise continues an alarming pattern of software supply chain attacks in 2026. Kaspersky researchers investigated eScan in January, Notepad++ in February, and CPU-Z in April. This represents a significant acceleration from typical annual figures.
Most infections occurred in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China. Approximately 10% of infections hit organizational environments, with the rest affecting home users. The geographic distribution and targeting patterns suggest economic espionage rather than mass ransomware deployment.
Kaspersky identified artifacts suggesting Chinese-speaking threat actors, though this attribution is based on technical analysis rather than confirmed intelligence reporting. The sophistication and month-long persistence align with advanced persistent threat capabilities typically associated with nation-state groups.
What to Do if You Downloaded Daemon Tools Since April
Organizations and individuals who downloaded Daemon Tools Lite between April 8 and May 5 should immediately uninstall the application and run comprehensive system scans. Kaspersky and other security firms have published indicators of compromise to help identify infections.
Check systems for unusual network connections to env-check.daemontools[.]cc and monitor for suspicious PowerShell activity or files in temporary directories. The malware typically drops an information collector called envchk.exe in C:\Windows\Temp\ and creates persistence through startup execution.
Install the clean version 12.6.0.2445 from the official Daemon Tools website if you require the software for legitimate purposes. However, given the supply chain compromise, consider whether alternative disk mounting utilities might reduce future risk exposure.
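A host triage script for the steps above, added here as an example; it is not code from the article, Kaspersky or AVB Disc Soft. It compares the file version of the three named binaries with the affected range, looks for the dropped envchk.exe, searches the resolver cache for the C2 domain, and checks common startup locations. The install paths it searches, and the reading of "startup execution" as Run keys and Startup folders, are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added triage example for the Daemon Tools Lite compromise described above.
# Not code from the article, Kaspersky or AVB Disc Soft. Assumptions: the install
# roots searched, and that "startup execution" means Run keys or Startup folders.

$AffectedMin  = [Version]'12.5.0.2421'   # affected range, from the article
$AffectedMax  = [Version]'12.5.0.2434'
$CleanVersion = [Version]'12.6.0.2445'   # clean build, from the article
$C2Domain     = 'env-check.daemontools.cc'
$DropperPath  = 'C:\Windows\Temp\envchk.exe'
$Binaries     = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$Findings     = New-Object System.Collections.Generic.List[string]

# 1. Locate the three binaries and compare their file version with the affected range.
#    Install roots are an assumption; adjust if Daemon Tools was installed elsewhere.
$InstallRoots = @("$env:ProgramFiles\DAEMON Tools Lite", "${env:ProgramFiles(x86)}\DAEMON Tools Lite")
foreach ($root in $InstallRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -Include $Binaries -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.VersionInfo.FileVersion -match '(\d+\.\d+\.\d+\.\d+)') {
                $ver = [Version]$Matches[1]
                if ($ver -ge $AffectedMin -and $ver -le $AffectedMax) {
                    $Findings.Add("AFFECTED build: $($_.FullName) is version $ver (clean build is $CleanVersion)")
                }
            }
            # A valid signature does NOT clear the file: the trojanized builds were signed
            # with AVB Disc Soft's genuine certificate. The signer is recorded for the report only.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $Findings.Add("Signature on $($_.Name): $($sig.Status), signer: $($sig.SignerCertificate.Subject)")
        }
}

# 2. Dropped information collector in the temp directory named in the article.
if (Test-Path -LiteralPath $DropperPath) {
    $hash = (Get-FileHash -LiteralPath $DropperPath -Algorithm SHA256).Hash
    $Findings.Add("Dropped collector present: $DropperPath (SHA256 $hash)")
}

# 3. Resolver cache entries for the typosquatted C2 domain. This only catches recent
#    lookups; check DNS and proxy logs for the same name to cover the whole April window.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" -or $_.Name -like "*$C2Domain*" } |
    ForEach-Object { $Findings.Add("DNS cache entry for C2 domain: $($_.Entry) -> $($_.Data)") }

# 4. Persistence: Run/RunOnce keys and Startup folders referencing envchk (assumed locations).
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'envchk' } |
        ForEach-Object { $Findings.Add("Run key entry '$($_.Name)' in $key -> $($_.Value)") }
}
$StartupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
$Shell = New-Object -ComObject WScript.Shell
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        # Resolve shortcut targets so a renamed .lnk pointing at envchk.exe is still caught.
        $target = if ($_.Extension -eq '.lnk') { $Shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        if ("$($_.Name) $target" -match 'envchk') {
            $Findings.Add("Startup item $($_.FullName) -> $target")
        }
    }
}

# 5. Report. Any AFFECTED, dropper, C2 or persistence line means: isolate the host,
#    preserve the artifacts for incident response, uninstall, run a full scan, then
#    reinstall the clean build from the vendor.
if ($Findings.Count -eq 0) {
    Write-Output "No Daemon Tools compromise indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "Indicators on $env:COMPUTERNAME:"
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

The version check is the decisive test here; the signature check is deliberately informational, because a valid AVB Disc Soft signature is exactly what let the trojanized builds through. The DNS cache step only shows recent lookups, so fleet-wide checks should query DNS or proxy logs for the C2 domain across the April 8 to May 5 window.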