- Attackers poisoned DAEMON Tools downloads with malware, infecting thousands of people around the world
- The campaign first deployed an information stealer, followed by a backdoor on a small set of targeted machines.
- Investigators suspect Chinese actors and highlight the precision of the attack against government and industrial systems.
DAEMON Tools, a popular program used to create and use virtual drives on a computer, was poisoned to provide a dangerous backdoor to thousands of users, experts have warned.
Security researchers at Kaspersky published a new report describing how someone broke into the website hosting DAEMON Tools around April 8, 2026. The intruders added several new versions of the software, 12.5.0.2421 to 12.5.0.2434, of the binaries DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
When installed, these versions deployed multiple malware variants. First, the victim is infected with a basic information stealer that captures system data (host name, MAC address, running processes, installed software, and system locale) and transmits it to the attackers. Then, depending on the information returned, the malware moves to a second stage: a lightweight backdoor capable of executing commands, downloading files, and executing code directly in memory.
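Because the report names the affected binaries and the trojanized build range, a defender can triage a software inventory export for machines that installed a poisoned version. The script below is an added example written for this article, not code from Kaspersky or DAEMON Tools; the CSV inventory, host names and column layout are constructed, and it assumes builds outside the reported range are the vendor's legitimate ones.

```python
import csv
import io

# Binaries and build range reported as trojanized on the compromised download site.
AFFECTED_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)


def parse_version(text):
    """Turn '12.5.0.2421' into a comparable tuple; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(file_name, version):
    """True when a named DAEMON Tools binary carries a build in the poisoned range."""
    if file_name.lower() not in AFFECTED_FILES:
        return False
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def find_affected(inventory_csv):
    """Return (host, file, version) for each affected row of a CSV inventory export."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["file"], row["version"]):
            hits.append((row["host"], row["file"], row["version"]))
    return hits


# Constructed sample inventory with hypothetical hosts; not real telemetry.
SAMPLE_INVENTORY = """host,file,version
ws-01,DTHelper.exe,12.5.0.2421
ws-02,DTHelper.exe,12.5.0.2420
ws-03,DiscSoftBusServiceLite.exe,12.5.0.2434
ws-04,DTShellHlp.exe,12.5.0.2435
ws-05,notepad.exe,12.5.0.2430
ws-06,DTShellHlp.exe,garbage
"""

if __name__ == "__main__":
    for host, file_name, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {file_name} {version} is in the trojanized build range")
```

Version metadata inside a binary is attacker-controlled, so treat a match as a triage signal and confirm any hit, or any apparent miss, against hashes published by the vendor rather than relying on the version string alone.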
Highly targeted attack
DAEMON Tools was extremely popular in the early 2000s and is still considered to be widely used today.
Kaspersky noted that among its own customers alone it has seen “several thousand infection attempts” since early April, with victims located around the world in more than 100 countries and territories, mostly in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.
Kaspersky also noted that this appears to be a very targeted attack. Threat actors cannot choose who gets infected with the information stealer as it is hosted on the DAEMON Tools website. The second stage, however, was only seen on a dozen machines belonging to government, scientific, manufacturing and retail organizations in Russia, Belarus and Thailand.
“This way of deploying the backdoor on a small subset of infected machines clearly indicates that the attacker intended to carry out the infection specifically. However, their intent, whether cyber espionage or ‘big game hunting,’ is currently unclear.”
Kaspersky could not determine the identity of the attackers but believes they are Chinese.
Via BleepingComputer