Kaspersky Uncovers Chinese Hackers' Backdoor in Daemon Tools

TL;DR
- Kaspersky discovered an ongoing supply chain attack on Daemon Tools' official website, where installers for versions 12.5.0.2421 to 12.5.0.2434 deliver a backdoor signed with the developer's valid certificate.
- The attack, linked to Chinese-speaking hackers, has infected thousands of Windows machines across 100+ countries since April 8, 2026, with about 10% of detections in business environments.
- While most infections are widespread, attackers manually targeted a small group of organizations with advanced RATs, signaling potential espionage or high-value hits.
The Breach: A Trojan in Trusted Software
Security researchers at Kaspersky have exposed a stealthy supply chain attack targeting Daemon Tools, the popular Windows software for emulating virtual drives and mounting disc images. Hackers compromised the official website of developer AVB Disc Soft (also known as Disc Soft), injecting malicious code into legitimate installers. These tampered files, distributed since April 8, 2026, carry a sophisticated backdoor that evades detection thanks to a valid digital signature from the vendor itself.
Kaspersky's Global Research and Analysis Team (GReAT) first spotted the threat through telemetry from its antivirus users. Independent scans, including those on VirusTotal, confirmed the backdoor in installers downloaded straight from the Daemon Tools site. As of now, the attack remains active, meaning fresh infections could still be spreading to unsuspecting users.
How the Backdoor Works: Startup Sabotage
The malware targets three key binaries in Daemon Tools: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files launch automatically during system startup, activating the implant without user interaction.
Once triggered, the backdoor pings a hacker-controlled server at env-check.daemontools[.]cc—a domain registered on March 27, 2026—for instructions. It fetches shell commands via an HTTP GET request and executes them through cmd.exe. For most victims, this setup allows remote control, but Kaspersky observed escalation on select machines.
The implant supports a versatile arsenal of command-and-control (C2) protocols: HTTP, UDP, TCP, WSS, QUIC, DNS, and even HTTP/3. It can inject payloads into innocent processes like notepad.exe and conhost.exe, hiding in plain sight while downloading shellcode injectors or a new Remote Access Trojan (RAT) dubbed QUIC RAT.
Scale and Victims: Global Reach with Targeted Strikes
Kaspersky's data paints a picture of massive exposure. Thousands of Windows machines have encountered the threat, with infections spanning over 100 countries and territories. Hotspots include Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and ironically, China.
While Daemon Tools is a consumer favorite, about 10% of detections occurred in business environments, raising alarms for enterprise security. The real danger emerges in follow-on attacks: On just over a dozen high-profile machines—tied to retail, scientific research, government, and manufacturing sectors—hackers deployed custom payloads manually. Typos in commands suggest hands-on operation by the attackers, hinting at espionage or "big game hunting" for lucrative targets.
Attribution: Clues Point to Chinese-Speaking Operators
Kaspersky attributes the campaign to a Chinese-speaking hacking group, based on artifacts in the malware such as hardcoded credentials and command inconsistencies. No specific threat actor has been named, but the operation echoes tactics from Chinese-linked groups repurposing espionage tools for cybercrime.
This fits a disturbing 2026 trend of supply chain hits, following breaches in eScan (January), Notepad++ (February), and CPUID (April). Kaspersky notified Disc Soft, but public details on their response are scarce.
What Users Should Do: Immediate Action Steps
- Uninstall and Reinstall: Remove Daemon Tools immediately, especially versions 12.5.0.2421 to 12.5.0.2434. Download fresh installers only after confirming the site is clean—check vendor announcements.
- Scan Thoroughly: Run full antivirus scans with tools like Kaspersky, and verify files on VirusTotal.
- Monitor Networks: Businesses should audit systems for C2 traffic to env-check.daemontools[.]cc and watch for anomalous notepad.exe or conhost.exe activity.
- Stay Vigilant: Supply chain attacks thrive on trust—always validate software sources, enable auto-updates where possible, and consider alternatives like virtual drive tools from trusted providers.
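As an added example (not code from Kaspersky's report or from this article), the Python script below applies the three indicators named above to endpoint log lines: a DNS lookup of the C2 domain, cmd.exe spawned by one of the three trojanized Daemon Tools binaries, and outbound connections from notepad.exe or conhost.exe. The log format, install path and destination IP are constructed assumptions, not a real EDR schema.

```python
import re
from typing import Iterable, Optional
# Indicators from the article; the domain is stored defanged and refanged here.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
INJECTION_HOSTS = {"notepad.exe", "conhost.exe"}
# Constructed log format (hypothetical, not a real EDR schema):
#   <event> key=value key="quoted value" ...
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one constructed '<event> key=value ...' line into a dict."""
    event, _, rest = line.strip().partition(" ")
    fields = {k: (q if v.startswith('"') else v) for k, v, q in _KV.findall(rest)}
    fields["event"] = event
    return fields

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(ev: dict) -> Optional[str]:
    """Return a finding if the event matches one of the documented behaviours."""
    kind, image = ev.get("event"), basename(ev.get("image", ""))
    if kind == "dns_query" and ev.get("query", "").lower() == C2_DOMAIN:
        return f"C2 lookup for {C2_DOMAIN} by {image}"
    if kind == "process_create" and image == "cmd.exe":
        parent = basename(ev.get("parent_image", ""))
        if parent in TROJANIZED_BINARIES:  # implant runs fetched commands via cmd.exe
            return f"{parent} spawned cmd.exe: {ev.get('cmdline', '')}"
    if kind == "network_connect" and image in INJECTION_HOSTS:
        return f"outbound connection from {image} to {ev.get('dest', '')}"
    return None

def scan(lines: Iterable[str]) -> list:
    """Run triage over raw log lines and collect the findings in order."""
    return [f for f in (triage(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample log; the install path and destination IP are made up.
SAMPLE_LOG = """\
process_create image="C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe" parent_image=C:\\Windows\\explorer.exe
dns_query image="C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe" query=env-check.daemontools.cc
process_create image=C:\\Windows\\System32\\cmd.exe parent_image="C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe" cmdline="cmd.exe /c whoami"
network_connect image=C:\\Windows\\System32\\notepad.exe dest=203.0.113.10:443
process_create image=C:\\Windows\\System32\\cmd.exe parent_image=C:\\Windows\\explorer.exe cmdline="cmd.exe /c dir"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

The benign cmd.exe launched from explorer.exe in the sample produces no finding, so the parent-process check is what separates implant activity from ordinary shell use.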
This incident underscores the fragility of software ecosystems. As hackers refine their infiltration tactics, vigilance remains the best defense against invisible threats lurking in everyday apps.