AIO APEX

DAEMON Tools installers were trojanized in supply-chain attack that spread a backdoor worldwide

BleepingComputer

Users who downloaded DAEMON Tools from the vendor’s official website between April 8 and early May may have received more than a legitimate disk-imaging utility. Security researchers say several official installers were trojanized in an ongoing supply-chain attack that pushed a backdoor to thousands of systems in more than 100 countries, turning a routine software download into a broad malware distribution event with a narrower, more selective follow-on phase.

A trusted distribution channel was weaponized

The most significant detail in this case is that the malware was not bundled with pirated copies or served from a look-alike download portal: the compromised packages appear to have been served through the official DAEMON Tools distribution path. That matters because users, IT teams, and automated deployment workflows often treat a vendor's own site as a baseline of trust. Once that trust is broken, even cautious organizations can be exposed, especially when the affected software has a long history and a familiar name.

According to the reported findings, compromised DAEMON Tools versions ranged from 12.5.0.2421 through 12.5.0.2434. Malicious binaries tied to the attack included files named DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. By blending into expected program components and service names, the malicious code appears to have been designed to avoid immediate suspicion from both users and defenders reviewing a busy endpoint.

How the attack worked

The first-stage malware focused on profiling. It collected host and system information from infected devices, giving the attackers a way to separate ordinary consumer infections from machines that might be more valuable for espionage, credential theft, or deeper compromise. That kind of filtering is increasingly common in modern malware operations because it reduces noise, limits exposure, and helps threat actors reserve riskier follow-on activity for targets they judge worth the effort.

Only about a dozen machines are believed to have received a second-stage payload. That number is strikingly small compared with the thousands of first-stage infections and suggests a selective operation rather than indiscriminate mass exploitation alone. On those follow-on systems, the second stage reportedly could execute commands and download additional files, giving attackers a practical foothold for persistence, lateral movement, or delivery of specialized tools after the initial screening phase.

Kaspersky observed QUIC RAT in at least one case, a detail that further raises the seriousness of the campaign. A RAT, or remote access trojan, can provide attackers with hands-on control over a victim machine, enabling command execution, data collection, and payload delivery over time. The use of QUIC RAT also signals that the operators were prepared to move beyond simple reconnaissance when they found machines that matched their targeting criteria.

Who appears to have been targeted

Although the first-stage backdoor spread widely across more than 100 countries, the smaller set of systems that received next-stage payloads reportedly included organizations in retail, science, government, and manufacturing in Russia, Belarus, and Thailand. That mix of sectors does not point to a single obvious motive. Instead, it suggests the attackers were willing to cast a wide net, then choose downstream victims based on geography, organizational type, or the intelligence value of the infected host.

This pattern is one reason supply-chain attacks remain so disruptive. A single compromised software channel can create huge numbers of infections very quickly, but the real damage may occur only later, when attackers quietly escalate against a carefully chosen subset of victims. For defenders, that means the absence of overt ransomware or mass destruction in the early stage should not be mistaken for a limited incident.

Why this incident matters beyond one vendor

Software supply-chain attacks have remained a frequent problem this year because they exploit habits that are otherwise rational: downloading from official sites, trusting signed or branded installers, and assuming software updates are safer than random attachments. When attackers compromise that path, they gain both scale and credibility. Even if only a fraction of victims receive a second-stage payload, the initial access opportunity can be enormous.

The DAEMON Tools incident is also a reminder that telemetry from the first stage of an intrusion can be as important as the obvious damage from later malware. A profiling implant that inventories systems may look less dramatic than ransomware, but in practice it can be the decision engine for the entire campaign. Organizations that identify the compromised versions, isolate affected machines, review outbound communications, and search for the named binaries and related persistence mechanisms will be in a better position to determine whether the infection stopped at reconnaissance or moved into active post-compromise behavior. Because the reported file names match expected DAEMON Tools component names, a name match on its own is a lead rather than a verdict; it should be paired with the installed version and with a hash and signature review of the binary.
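The triage steps above can be turned into a first pass over a software inventory export. The script below is an added example and not code from BleepingComputer, Kaspersky, or DAEMON Tools. It uses only two facts from the article, the compromised version range and the three reported file names, and sorts hosts into three actions: isolate (compromised version and a reported file name present), investigate (compromised version, binaries not yet enumerated), and verify (a reported file name on a host outside the range, where the same name may belong to a legitimate component). The `Host` record layout, the product name "DAEMON Tools Lite", the four-part version format, and the sample inventory records are assumptions constructed for the example.

```python
"""Endpoint triage for the DAEMON Tools supply-chain compromise.

Added example, not code from BleepingComputer, Kaspersky or DAEMON Tools.
It takes a software-inventory export (one record per host) and sorts hosts
into actions using two facts from the article: the compromised version range
and the file names tied to the malicious binaries. The hostnames and
inventory records at the bottom are constructed for the example.
"""
from dataclasses import dataclass

# Reported compromised range (inclusive).
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)

# File names the article ties to the malicious binaries. Legitimate DAEMON
# Tools builds ship components under the same names, so a name hit is a lead
# to hash and signature review, not a verdict on its own.
SUSPECT_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

# Triage actions, highest priority first.
ISOLATE, INVESTIGATE, VERIFY = "isolate", "investigate", "verify"
PRIORITY = {ISOLATE: 0, INVESTIGATE: 1, VERIFY: 2}


def parse_version(text):
    """'12.5.0.2434' -> (12, 5, 0, 2434). Compare as integers: as strings,
    '12.5.0.999' would sort after '12.5.0.2434' and be mis-classified."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_compromised_version(text):
    """True when the version string falls inside the reported range."""
    try:
        return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX
    except ValueError:
        return False


@dataclass
class Host:
    name: str
    product: str   # product name as recorded by the inventory tool (assumed field)
    version: str   # installed version string (assumed four-part form)
    files: list    # file names seen in the install directory


def triage_host(host):
    """Return (action, matched file names) or None when nothing warrants a look."""
    hits = sorted(f for f in host.files if f.lower() in SUSPECT_FILES)
    daemon_tools = "daemon tools" in host.product.lower()
    if daemon_tools and is_compromised_version(host.version):
        # Installer from the compromised range: treat as compromised even
        # before the binaries have been enumerated or hashed.
        return (ISOLATE if hits else INVESTIGATE, hits)
    if hits:
        # Outside the range (or a different product) but a name matches:
        # confirm hash and signature before ruling it out.
        return (VERIFY, hits)
    return None


def triage(hosts):
    """One finding per host that needs attention, highest priority first."""
    findings = []
    for h in hosts:
        result = triage_host(h)
        if result:
            action, hits = result
            findings.append({"host": h.name, "version": h.version,
                             "action": action, "files": hits})
    return sorted(findings, key=lambda f: (PRIORITY[f["action"]], f["host"]))


# Constructed inventory records for the example (not real hosts).
SAMPLE_HOSTS = [
    Host("ws-03", "DAEMON Tools Lite", "12.5.0.2420", ["DTShellHlp.exe"]),
    Host("ws-01", "DAEMON Tools Lite", "12.5.0.2430",
         ["DTHelper.exe", "DiscSoftBusServiceLite.exe"]),
    Host("ws-02", "DAEMON Tools Lite", "12.5.0.2434", []),
    Host("ws-04", "DAEMON Tools Lite", "12.5.0.2435", []),
    Host("ws-05", "Unrelated Imaging Tool", "12.5.0.2430", []),
]


def run_sample():
    """Triage the constructed inventory; returns isolate, investigate, verify."""
    return triage(SAMPLE_HOSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['action']:<12} {f['host']:<6} {f['version']:<13} "
              f"{', '.join(f['files']) or '-'}")
```

Versions are compared as integer tuples rather than strings so that the range boundaries hold exactly; the `investigate` tier exists because a host running an installer from the range is suspect whether or not the inventory tool has already listed its files. The output is a worklist: isolation and outbound-traffic review for the first tier, enumeration for the second, and hash and signature checks for the third.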

At the time of publication, DAEMON Tools had not publicly commented on the reported compromise. The findings cited here were reported by BleepingComputer, based on Kaspersky’s analysis of the campaign. Until more is known, organizations that downloaded or deployed DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 should treat those installers as potentially compromised, investigate for malware artifacts, and assume that software trust alone is not a sufficient defense against a live supply-chain attack.

Originally reported by BleepingComputer. Read the original article for additional details.
