Ethical Hacking News
A sophisticated supply chain attack has compromised DAEMON Tools, delivering a backdoor to thousands of systems that downloaded and installed the software from the official website. The attackers trojanized the software's installers, targeting versions 12.5.0.2421 through 12.5.0.2434, and the resulting infections span more than 100 countries. On affected systems the malicious code establishes persistence and activates a backdoor that receives commands from the attackers to carry out further instructions.
DAEMON Tools, a widely used Windows utility for mounting disk image files as virtual drives, has been compromised in a sophisticated supply chain attack. The attackers have trojanized the software's installers, delivering a backdoor to thousands of systems that downloaded and installed the product from the official website.
The attack, which was first detected by cybersecurity company Kaspersky on April 8, 2026, targeted DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434, specifically the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries. The malicious code embedded in these compromised binaries establishes persistence on the affected system and activates a backdoor through which the attackers can instruct the system to download and execute additional payloads.
Once unsuspecting users download and execute the digitally signed trojanized installers, they trigger the malicious code, which collects system data such as hostname, MAC address, running processes, installed software, and system locale. This information is then sent to the attackers for victim profiling. The first-stage malware also establishes communication with a command-and-control server (C2), where the attackers can issue commands to the infected systems.
The attack has resulted in thousands of infections across more than 100 countries, with second-stage payloads delivered only to a dozen machines. These targeted systems belong to high-value targets such as retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
A report by Kaspersky notes that the DAEMON Tools supply-chain attack is a sophisticated compromise that evaded detection for almost one month. The researchers attribute the attack to a threat actor believed to be Chinese-speaking, based on strings found in the first-stage payload.
This incident highlights the growing threat of software supply chain attacks, which have been detected almost every month this year. Similar attacks targeting code repositories, packages, and extensions have been even more prevalent, with Trivy, Checkmarx, and the Glassworm campaigns being among the most prominent.
The DAEMON Tools attack also underscores the importance of carefully examining systems that had the software installed for abnormal security-related activity occurring on or after April 8. Given the attack's complexity, organizations must take immediate action to assess their systems and implement measures to prevent similar attacks in the future.
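As an added illustration (not code from the article, Kaspersky, or DAEMON Tools), the following Python triage helper flags software-inventory records for hosts running a build in the affected range or carrying one of the three named binaries at an affected file version. The HostRecord layout and the sample inventory are assumptions constructed for this example; the version range and binary names are the ones reported above.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Version range and binaries named in the article's Kaspersky findings.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
AFFECTED_BINARIES = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"}

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'a.b.c.d' into a tuple of ints; None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected_version(text: str) -> bool:
    """True when the build lies in the inclusive trojanized range."""
    v = parse_version(text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

@dataclass
class HostRecord:           # assumed inventory record shape (constructed)
    hostname: str
    product_version: str    # as reported by software inventory
    files: Dict[str, str]   # binary name -> file version string

def triage(records: List[HostRecord]) -> Dict[str, List[str]]:
    """Return {hostname: [reasons]} for hosts that need follow-up."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        reasons = []
        if is_affected_version(r.product_version):
            reasons.append(f"product {r.product_version} in affected range")
        for name, ver in r.files.items():
            if name in AFFECTED_BINARIES and is_affected_version(ver):
                reasons.append(f"{name} {ver} in affected range")
        if reasons:
            findings[r.hostname] = reasons
    return findings

# Constructed sample inventory, not real telemetry.
SAMPLE = [
    HostRecord("ws-01", "12.5.0.2430", {"DTHelper.exe": "12.5.0.2430"}),
    HostRecord("ws-02", "12.4.0.2010", {"DTHelper.exe": "12.4.0.2010"}),
    HostRecord("ws-03", "12.5.0.2435", {"DTShellHlp.exe": "12.5.0.2421"}),
    HostRecord("ws-04", "unknown", {}),
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE).items():
        print(host, "->", "; ".join(why))
```

Hosts flagged here are candidates for the post-April 8 activity review the article recommends; a clean result only means the inventory showed no affected build, not that the host is uncompromised.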
In recent months, software supply chain attacks have become increasingly sophisticated, with attackers using zero-days and other advanced techniques to bypass security controls. The use of zero-day exploits has made it challenging for defenders to detect these attacks, as they can evade traditional security measures such as signature-based detection.
As organizations continue to rely on software from various sources, including third-party providers and open-source projects, the risk of supply chain attacks will only grow. It is essential that developers, maintainers, and users take proactive steps to ensure the security of their software, including implementing robust testing and validation processes, keeping dependencies up-to-date, and using secure coding practices.
The DAEMON Tools attack serves as a wake-up call for organizations to prioritize software security and take immediate action to protect themselves against similar attacks. By working together and sharing information, we can reduce the risk of supply chain attacks and create a safer digital landscape.
Related Information:
https://www.ethicalhackingnews.com/articles/DAEMON-Tools-Supply-Chain-Attack-A-Sophisticated-Malware-Deployment-ehn.shtml
https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/
https://gbhackers.com/hackers-abuse-daemon-tools-deliver-malicious-payloads/
Published: Wed May 6 02:28:11 2026 by llama3.2 3B Q4_K_M