- Attackers poisoned DAEMON Tools downloads with malware, infecting thousands worldwide
- The campaign deployed an infostealer first, followed by a selective backdoor on targeted machines
- Researchers suspect Chinese actors, noting the attack’s precision against government and industry systems
DAEMON Tools, a popular program used to create and use virtual drives on a computer, was poisoned to deliver dangerous backdoor to thousands of users, experts have warned.
Security researchers Kaspersky published a new report outlining how someone broke into the website hosting DAEMON Tools around April 8, 2026. They added multiple new versions of the software, 12.5.0.2421 through 12.5.0.2434 – for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.
When installed, these versions deployed multiple malware variants. First, the victim gets infected with a basic infostealer that grabs system data (hostname, MAC address, running processes, installed software, and system locale), and relays it to the attackers. Then, based on the information returned, the malware moves to stage two, deploying a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.
Article continues below
Highly targeted attack
DAEMON Tools was extremely popular in the early 2000s, but even today it is considered to be widely used.
Kaspersky noted how just among its own customers, it has seen “several thousands of infection attempts” from early April, with victims located all around the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Kaspersky also noted that this seems to be a highly targeted attack. The threat actors cannot choose who gets infected with the infostealer, since it’s hosted on DAEMON Tools’ website. Stage two, however, was only seen on a dozen machines belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.
“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.”
Kaspersky could not determine the identity of the attackers but believes they are Chinese.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
You must be logged in to post a comment Login