Geeks for your information Security Security Vendors Kaspersky Kaspersky Security Blog v
DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026
DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026
harlan4096 Online
MalWare Zoo Team
*******
Posts: 16,490
Threads: 10,395
Thanks Received: 9,394 in 7,540 posts
Thanks Given: 10,381
Joined: 12 September 18
#1
Bug  05 May 26, 11:35
Quote:What happened?

In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences.

[Image: 1.png]

Starting from early April, we observed several thousands of infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them. These machines that received further payloads belonged to retail, scientific, government and manufacturing organizations – and this indicates that the supply chain attack has a targeted manner.

Kaspersky solutions protect its users from the malicious payloads deployed through the DAEMON Tools supply chain attack.

Trojanized binaries

Our analysis revealed that for DAEMON Tools versions from 12.5.0.2421 to 12.5.0.2434, attackers have managed to compromise the following binaries inside the software installations:
  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe
These files are located in the directory where DAEMON Tools is installed, for example
 
Code:
C:\Program Files\DAEMON Tools Lite
. Notably, these files are digitally signed by the developer of DAEMON Tools, AVB Disc Soft.

Continue Reading...
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Kaspersky\VPN\KSOS 21.26 (MR26) & KES 1...
harlan4096 — 07:05
Audacity 3.7.8
Audacity 3.7.8 ...harlan4096 — 07:02
Google Chrome 149.0.7827.114/.115
Google Chrome 149....harlan4096 — 07:00
Microsoft Windows 11 Low Latency Profile...
Windows 11 June up...harlan4096 — 06:52
Microsoft: Windows 11 KB5094126, KB50939...
Windows June 2026 ...harlan4096 — 06:29

[-]
Birthdays
Today's Birthdays
avatar (40)Julioagopy
avatar (50)aolaupitt2558
Upcoming Birthdays
avatar (39)Tedscolo
avatar (46)brakasig
avatar (45)JamesReshy
avatar (47)Francisemefe
avatar (40)leoniDup
avatar (39)Patrizaancem
avatar (39)biobdam
avatar (40)storoBox
avatar (48)kinotHeemn
avatar (39)Ceballos1976
avatar (40)efynu
avatar (32)horancos

[-]
Online Staff
There are no staff members currently online.

>