Kaspersky’s Global Research and Analysis Team (GReAT) discovered an active supply chain attack targeting the official website of Daemon Tools, a widely used virtual drive emulation software. The compromised installer delivers malicious software alongside the legitimate application, granting threat actors the ability to execute arbitrary commands and remotely control infected devices.
During a recent telemetry study, researchers identified that threat actors have actively distributed the modified software directly through the vendor’s primary domain since April 8, 2026, successfully concealing the malware with a valid developer digital certificate. The malicious injection affects Daemon Tools version 12.5.0.2421 up through the current release. Kaspersky has notified AVB Disc Soft, the developer of Daemon Tools, so that remediation actions can be taken.
Because disk emulation software requires low-level system access to function properly, users routinely grant the application elevated administrative privileges during installation. Those elevated privileges let the embedded malware gain a deep foothold within the host operating system, severely compromising device integrity. Specifically, attackers tampered with legitimate application binaries to execute malicious code at process startup and leveraged a legitimate Windows service to maintain persistence on the host.
Kaspersky telemetry indicates a widespread, global distribution of the compromised updates across more than 100 countries and territories. The majority of victims are located in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China.
The analysis shows that 10% of the affected systems belong to businesses and organizations. While Daemon Tools is heavily adopted by consumers, its presence in corporate environments exposes enterprise networks to severe downstream risks.
On a small subset of just over ten machines — belonging to organizations in the retail, scientific, government, and manufacturing sectors — Kaspersky GReAT observed attackers manually deploying additional payloads, including a shellcode injector and previously unknown Remote Access Trojans (RATs). The narrow industry profile of these victims, combined with typos and inconsistencies in the executed commands, indicates that the follow-on activity is conducted hands-on against specifically chosen targets. While researchers identified Chinese-language artifacts within the malicious implants, the campaign is not currently attributed to any known threat actor.
“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT. “Because of that, the Daemon Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities. Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.”
Kaspersky actively detects and blocks the execution of the compromised installers. Researchers advise organizations to audit their networks for the presence of Daemon Tools Lite, isolate affected endpoints, and monitor for unauthorized command execution or lateral movement. Individual users should promptly uninstall the compromised application and run a thorough system scan to clear any persistent threats.
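One way to carry out the audit recommended above on a Windows host, as an added example that is not part of Kaspersky's report or the vendor's tooling: enumerate the registry Uninstall keys and flag DAEMON Tools installs at or above 12.5.0.2421, the first version the report names as affected. The `DisplayName` prefix and the dotted `DisplayVersion` format are assumptions about the vendor's installer.

```powershell
# Added example (not Kaspersky's or AVB Disc Soft's code): inventory DAEMON Tools installs
# on the local host and flag any at or above 12.5.0.2421, per the report's affected range.
$affectedFrom = [version]'12.5.0.2421'

# Standard per-machine (64- and 32-bit views) and per-user Uninstall keys
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsInstall {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |   # assumed display-name prefix
        ForEach-Object {
            $parsed = $null
            # [version] comparison avoids string-order mistakes such as "12.10" < "12.5"
            $ok = [version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Name            = $_.DisplayName
                Version         = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                # Unparseable versions are flagged for manual review rather than cleared
                InScope         = (-not $ok) -or ($parsed -ge $affectedFrom)
            }
        }
}

$hits = @(Get-DaemonToolsInstall)
if ($hits.Count -eq 0) {
    Write-Output "No DAEMON Tools installation found in the Uninstall keys."
} else {
    # A valid Authenticode signature does not clear these binaries: the report states the
    # trojanised files carried the developer's legitimate certificate. Hosts with
    # InScope = True are candidates for isolation and a full scan, as the report advises.
    $hits | Format-Table -AutoSize
}
```

Run it through your existing remote-execution or endpoint-management channel to collect results fleet-wide; the output is a per-host table that can be aggregated by the `Computer` column.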
Read full research on Securelist.com.