Kaspersky Detects Backdoor in Daemon Tools Amid Widespread Supply Chain Attack
Security researchers at Kaspersky have identified a malicious backdoor embedded in Daemon Tools, indicating an ongoing and widespread cyberattack affecting thousands of systems globally.
Discovery and Scope
According to Kaspersky, telemetry data collected from systems running its antivirus solutions revealed that the attack is actively targeting Windows machines using Daemon Tools. The malicious activity was first detected on April 8, 2026.
The attackers leveraged the compromised software to deploy additional malware on selected targets across multiple sectors, including:
Retail
Scientific research
Manufacturing
Government systems
The targeted organizations are primarily located in Russia, Belarus, and Thailand, suggesting a focused yet scalable attack strategy.
Suspected Threat Actor
Kaspersky linked the activity to a Chinese-speaking threat group based on malware analysis. While attribution remains cautious, linguistic indicators within the code suggest possible ties to actors operating in or aligned with China.
Supply Chain Attack Strategy
This incident highlights a growing trend of supply chain attacks, where threat actors compromise widely used software to distribute malicious code at scale.
In this case:
The attackers implanted a backdoor into the Daemon Tools installer
Users unknowingly installed compromised software
The backdoor enabled remote access and malware deployment
This approach allows attackers to infiltrate a large number of systems simultaneously through trusted software distribution channels.
Related Incidents
This attack follows similar supply chain compromises:
Notepad++ was reportedly hijacked earlier this year to deliver malware targeting organizations in East Asia
Security researchers also identified attacks involving HWMonitor and CPU-Z distributed via the CPUID website
Vendor Response
Disc Soft, the company behind Daemon Tools, has acknowledged the report and confirmed that an investigation is underway.
In an official statement, the company said it is treating the issue with high priority and is actively working to assess and mitigate potential risks. However, no confirmation has yet been provided regarding the full extent of the compromise.
Current Status and Risk
Kaspersky has warned that the attack is still active, meaning users may continue to be at risk if they install or use compromised versions of the software.
At present:
It is unclear whether the macOS version is affected
Other applications from Disc Soft may also require investigation
Security Recommendations
Users and organizations are advised to:
Avoid downloading or installing Daemon Tools until the issue is resolved
Verify software integrity using trusted security tools
Monitor systems for unusual activity or unauthorized access
Keep endpoint protection solutions updated
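One concrete form of the "verify software integrity" step for a downloaded Windows installer, written here as an added example (not code from the article, Kaspersky or Disc Soft); the installer path, the vendor-published SHA-256 and the expected certificate subject are placeholders you must fill in from a trusted channel:

```powershell
# Added example, not from the article or the vendor: a defender-side integrity
# check for a downloaded Windows installer. All three parameters are placeholders.
param(
    [string]$InstallerPath   = "$env:USERPROFILE\Downloads\DAEMON-Tools-installer.exe",
    [string]$ExpectedSha256  = "<SHA256 published by the vendor - placeholder>",
    [string]$ExpectedSubject = "<publisher name as shown in the signing certificate subject - placeholder>"
)

function Test-InstallerIntegrity {
    param([string]$Path, [string]$ExpectedHash, [string]$ExpectedSubject)
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    # 1. Hash check against the value the vendor publishes out-of-band.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashOk = $actual -ieq $ExpectedHash

    # 2. Authenticode check: the chain must validate and the signer must be the expected publisher.
    $sig       = Get-AuthenticodeSignature -FilePath $Path
    $sigValid  = $sig.Status -eq 'Valid'
    $subject   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $subjectOk = $sigValid -and ($subject -like "*$ExpectedSubject*")

    [pscustomobject]@{
        File            = $Path
        Sha256          = $actual
        HashMatches     = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $subject
        SignerOk        = $subjectOk
        Verdict         = if ($hashOk -and $subjectOk) { 'OK' } else { 'DO NOT INSTALL' }
    }
}

# A valid signature from the expected publisher is necessary but not sufficient:
# a build pipeline or signing key compromised upstream can still yield a validly
# signed backdoored binary, so keep the hash comparison as a second control and
# leave endpoint protection enabled when handling the file.
Test-InstallerIntegrity -Path $InstallerPath -ExpectedHash $ExpectedSha256 -ExpectedSubject $ExpectedSubject | Format-List
```

With the placeholders left unfilled the hash comparison fails, so the script reports DO NOT INSTALL by default rather than silently passing.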
Source Credit
Source: TechCrunch