DAEMON Tools software infected – supply chain attack ongoing since April 8, 2026
Quote:

What happened?

In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer company of DAEMON Tools, so that further actions could be taken to remediate the attack consequences.

Starting from early April, we observed several thousand infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them. These machines that received further payloads belonged to retail, scientific, government and manufacturing organizations – and this indicates that the supply chain attack has a targeted manner.

Kaspersky solutions protect their users from the malicious payloads deployed through the DAEMON Tools supply chain attack.

Trojanized binaries

Our analysis revealed that for DAEMON Tools versions from 12.5.0.2421 to 12.5.0.2434, attackers have managed to compromise the following binaries inside the software installations:
  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe
These files are located in the directory where DAEMON Tools is installed, for example C:\Program Files\DAEMON Tools Lite. Notably, these files are digitally signed by the developer of DAEMON Tools, AVB Disc Soft.

Continue Reading...
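
A host triage check for the three binaries and the version range listed in the quoted article, added here as an example that is not part of the article or the forum post. It assumes the file version stamped on each binary matches the product version; the function names are hypothetical and the default path is the article's example install directory.

```powershell
# Added example (not from the article): flag DAEMON Tools binaries whose version
# falls in the range the article reports as trojanized.
# Assumption: each binary's file version matches the product version.
$Low      = [version]'12.5.0.2421'   # first affected version per the article
$High     = [version]'12.5.0.2434'   # last affected version per the article
$Binaries = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

function Test-AffectedVersion {      # hypothetical helper name
    param([Parameter(Mandatory)][version]$Version)
    ($Version -ge $Low) -and ($Version -le $High)   # inclusive range check
}

function Get-DaemonToolsTriage {     # hypothetical helper name
    param(
        # Default is the article's example directory; pass other install paths as needed.
        [string[]]$InstallDir = @('C:\Program Files\DAEMON Tools Lite')
    )
    foreach ($dir in $InstallDir) {
        foreach ($name in $Binaries) {
            $path = Join-Path $dir $name
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

            # Build the version from numeric parts; the FileVersion string is free-form.
            $vi  = (Get-Item -LiteralPath $path).VersionInfo
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            $sig = Get-AuthenticodeSignature -LiteralPath $path

            [pscustomobject]@{
                Path      = $path
                Version   = $ver
                Affected  = Test-AffectedVersion -Version $ver
                # Recorded for the report only: the article says the trojanized
                # files are signed by AVB Disc Soft, so this cannot clear a file.
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                # Hash to compare against indicators published by the vendor or researchers.
                SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
    }
}

Get-DaemonToolsTriage | Format-List
```

The article describes the attack as still active at the time of writing, so a version outside this range is a reason to keep checking for updated guidance rather than a clean result.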