Backdoor in DAEMON Tools: Kaspersky Uncovers Attack via Official Installers

Infected versions of the program were distributed starting April 8, 2026

Kaspersky GReAT specialists have discovered malicious code in official DAEMON Tools installers. According to the researchers, the supply chain attack began on April 8, 2026, and the infected versions were distributed directly through the developer's website.

The problem affected DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434. After installation, the program could plant a hidden backdoor on the system, communicate with the attackers' command and control server, and download additional malicious modules.

The primary attack scenario involved collecting device information. However, in some cases, attackers deployed a more sophisticated QUIC RAT backdoor capable of downloading files, executing code, and injecting itself into system processes. According to Kaspersky, this malware was used against a limited number of targets, including one educational organization in Russia.

In total, specialists recorded thousands of infection attempts in over 100 countries. Among the affected were both ordinary users and companies. Most cases were found in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Researchers believe the attack was targeted: although infections were widespread, more sophisticated malicious tools were installed on only a small fraction of devices — primarily in organizations in the fields of science, government, manufacturing, and retail.

After notification from Kaspersky, AVB Disc Soft confirmed the problem and released a DAEMON Tools update 12.6.0.2445, which removed the malicious functionality.

Experts recommend uninstalling old versions of the program, checking the system for suspicious activity, and conducting a security audit, especially if DAEMON Tools was installed after April 8. Companies are also advised to isolate potentially infected devices.
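As an added example that is not part of this report (and not code from Kaspersky or AVB Disc Soft), the following triage script classifies installed DAEMON Tools version strings against the affected range named above, comparing version components numerically rather than as strings; the host inventory is constructed and the bucket names are my own.

```python
# Added example: classify DAEMON Tools versions against the range reported
# in the article. Version boundaries come from the report; everything else
# (bucket names, sample inventory) is an assumption made for illustration.
AFFECTED_MIN = (12, 5, 0, 2421)   # first trojanized build named in the report
AFFECTED_MAX = (12, 5, 0, 2434)   # last trojanized build named in the report
FIXED_MIN = (12, 6, 0, 2445)      # update that removed the malicious functionality


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2430' into (12, 5, 0, 2430).

    Numeric comparison matters: as strings, '12.10.0.1' sorts before
    '12.5.0.2421', but numerically it is the newer build.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED_MIN:
        return "fixed"
    if v < AFFECTED_MIN:
        return "predates-reported-range"   # report still advises removing old builds
    return "unknown"   # between 12.5.0.2434 and 12.6.0.2445: not covered by the report


def triage(inventory):
    """inventory: iterable of (hostname, version) pairs, e.g. from an asset database."""
    report = {k: [] for k in ("affected", "fixed", "predates-reported-range", "unknown", "unparsed")}
    for host, version in inventory:
        try:
            report[classify(version)].append(host)
        except ValueError:
            report["unparsed"].append(host)   # keep hosts with bad data visible
    return report


# Constructed sample inventory (hostnames and versions are made up)
SAMPLE = [
    ("ws-01", "12.5.0.2421"),
    ("ws-02", "12.5.0.2434"),
    ("ws-03", "12.6.0.2445"),
    ("ws-04", "12.4.0.2100"),
    ("ws-05", "12.5.0.2440"),
    ("ws-06", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {hosts}")
```

Hosts in the "affected" and "unknown" buckets are the ones to prioritise for the isolation and audit steps described above.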

Kaspersky notes that this is not the first such incident in 2026: eScan, Notepad++, and CPU-Z were previously subjected to supply chain attacks. According to the researchers, attackers are increasingly using popular and trusted software as a vector for mass compromise.