
Kaspersky Confirms Month-Long Supply-Chain Compromise of Daemon Tools Software

Security firm Kaspersky has identified a prolonged attack on the widely used disk mounting application, revealing a two-stage campaign that collected system data from hundreds of thousands of users while infiltrating government and corporate networks in specific regions.

Author: Owen Mercer, Markets and Finance Editor
Source: Ars Technica
Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack
Malicious updates signed by the developer's official certificate targeted thousands of machines globally, with a sophisticated backdoor deployed to a select group of high-value organisations.

Security firm Kaspersky has confirmed that the popular disk mounting application Daemon Tools was compromised in a month-long supply-chain attack. The campaign, active from 8 April 2026 until the time of reporting, distributed malicious updates signed with the developer's official code-signing certificate. The infected installers specifically targeted the Windows edition of Daemon Tools, versions 12.5.0.2421 through 12.5.0.2434, and caused the malware to execute automatically at boot time.

The initial phase of the attack affected thousands of machines across more than 100 countries. While the majority of these infections resulted in the collection of system data, including MAC addresses, hostnames, and running processes, a more sophisticated secondary payload was deployed to a smaller subset of victims. Approximately 12 organisations in sectors including government, science, manufacturing, and retail received a complex backdoor that granted attackers command execution capabilities.

Kaspersky researchers noted that the attack was orchestrated in a highly sophisticated manner, with a detection window of about one month, comparable to that of the 3CX supply-chain attack observed in 2023. The secondary payload, observed on a single machine belonging to an educational institution in Russia, was identified as a complex backdoor dubbed QUIC RAT. This tool was capable of injecting payloads into legitimate system processes such as notepad.exe and conhost.exe, and supported several command-and-control communication protocols, including HTTP, UDP, and QUIC.

The targeted organisations were concentrated in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Although the initial data-collecting payload reached a wide audience, the deployment of the advanced backdoor to only a dozen machines indicates that the attackers deliberately restricted the second stage to selected victims, potentially for cyberespionage or for hunting high-value assets. Daemon Tools is developed by AVB; neither Kaspersky nor AVB could be reached immediately for further details.

This incident underscores the persistent threat of supply-chain attacks, in which users are infected simply by installing digitally signed updates obtained through official channels. Recent trends show an increase in such compromises, with incidents affecting various open-source packages and enterprise utilities in the preceding year. Kaspersky advises that anyone using Daemon Tools should scan their machines with reputable antivirus software and monitor for suspicious code injections into legitimate system processes.

