DAEMON Tools Supply Chain Attack: Official Installers Backdoored by Suspected Chinese APT

Kaspersky researchers have identified an ongoing supply chain attack (a class of attack where malicious code is injected into software distributed through a trusted, official channel) against DAEMON Tools, the widely-used optical disc emulation utility. Official installers downloaded from the legitimate DAEMON Tools website have been trojanised since April 8, 2026, and are signed with valid digital certificates belonging to the DAEMON Tools developers. Victims span over 100 countries, and the attack is active as of May 5, 2026. Evidence in the malware artifacts points to a Chinese-speaking threat actor.

The Attack: Technical Details

The compromise affects DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434. Installers for these versions, hosted at the official daemontools.com domain, deliver both the legitimate DAEMON Tools application and a malicious payload — simultaneously — making the infection indistinguishable from a clean installation to the end user.

The installers carry valid code-signing certificates issued to DAEMON Tools' development entity, meaning Windows SmartScreen and standard certificate-based security controls do not flag them. This is the defining characteristic of a supply chain attack: the attacker does not need to trick users into running untrusted software; the trusted vendor's own distribution infrastructure delivers the payload.

Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, and Leonid Bershtein detail the two-stage payload architecture:

Stage 1 — Initial Backdoor: A lightweight backdoor installed by the trojanised installer. It supports a wide range of command-and-control (C2) protocols — HTTP, UDP, TCP, WSS (WebSocket Secure), QUIC, DNS, and HTTP/3 — providing the attacker with flexible, resilient communication channels that can evade network-layer detection filters targeting conventional protocols.

Stage 2 — QUIC RAT (High-Value Targets Only): For targets identified as particularly valuable, the initial backdoor deploys QUIC RAT, a highly obfuscated C++ remote access trojan (RAT — malware that gives an attacker full remote control of an infected system) statically linked with the WolfSSL library. QUIC RAT communicates exclusively via HTTP/3 and QUIC (a UDP-based transport protocol originally developed by Google and standardised by the IETF as RFC 9000), which many enterprise security tools and firewalls do not inspect or filter. The RAT injects its payload into legitimate Windows processes, specifically notepad.exe and conhost.exe, so that its activity and network connections appear to originate from ordinary system processes.

This process-injection technique maps to MITRE ATT&CK T1055 (Process Injection — hiding malicious code inside a legitimate process to evade detection and inherit its execution context and privileges).

Attribution and Targeting

Kaspersky attributes the operation with moderate confidence to a Chinese-speaking threat actor, based on tooling characteristics, infrastructure patterns, and artifacts observed in the malware. No specific named threat group has been publicly identified.

The attack is not indiscriminate. Despite broad initial delivery via a legitimate software distribution channel, the QUIC RAT second stage was deployed on only a small subset of systems — specifically those in retail, scientific, manufacturing, and government sectors — indicating the attackers are conducting post-compromise triage and selectively escalating against high-value targets.

Geographic spread is wide: victims have been confirmed across 100+ countries and territories, with the highest concentrations in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The presence of victims in China is notable and suggests the threat actor is not constrained by geographic boundaries associated with some state-sponsored operations, or that the broad seeding approach is designed to obscure true targeting priorities.

Who Is Affected

Anyone who downloaded and installed DAEMON Tools (specifically the Lite, Standard, or Pro variants) between April 8, 2026 and the date of this writing using the official daemontools.com download link, and received a version in the range 12.5.0.2421–12.5.0.2434, should assume compromise.

DAEMON Tools is used by millions of users globally to mount ISO files and virtual disc images — it is particularly common among software developers, game players, and IT professionals who work with disc images regularly.

The use of legitimate code signing means standard endpoint protection products based on certificate trust may not have flagged the installation. Organisations that allow users to install signed third-party software without additional sandboxing or behavioural analysis are at elevated risk of having silently deployed infected endpoints.

What You Should Do Right Now

  • Check installed DAEMON Tools versions across your fleet immediately. Query the Uninstall registry keys rather than Win32_Product: Win32_Product only lists products installed through Windows Installer (MSI) and triggers a consistency check of every MSI package on the host, and the pattern "DAEMON" without wildcards would only match a product named exactly DAEMON:
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName -like '*DAEMON Tools*' } | Select-Object DisplayName, DisplayVersion, InstallDate, PSChildName

  • If version 12.5.0.2421 through 12.5.0.2434 is found, treat the host as compromised. Isolate the system from the network and initiate incident response.
  • Run an IOC sweep using Kaspersky's published indicators of compromise from the Securelist analysis. Check for notepad.exe and conhost.exe processes with unusual network connections, particularly over UDP/QUIC to external IP addresses.
  • Look for QUIC/HTTP3 traffic from non-browser processes in network telemetry; this is a strong indicator of QUIC RAT activity. A network sensor alone cannot tell which process opened a flow, so pair the NSM view with endpoint telemetry:
    # Zeek (or similar NSM): select conn.log entries with proto == udp and resp_p == 443 (Zeek 6.1+ also writes quic.log), then join on source host and time with endpoint network-connection events (e.g. Sysmon Event ID 3) and drop the flows initiated by browser processes

  • Uninstall compromised versions and re-image if practical. Do not reinstall from the official site until the vendor has confirmed its distribution pipeline is clean and published hashes for verified installers; check any new installer's hash against that list (and against Kaspersky's verified clean release list) before running it.
  • Block the IOC domains and IPs published by Kaspersky in your firewall, EDR, and DNS filtering tools.
  • Notify users who may have installed DAEMON Tools personally on corporate devices during the affected window.
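As an added example (not code from Kaspersky, the DAEMON Tools vendor, or this site), the two checks above can be scripted over exported data: the version triage over an inventory export such as the registry query's output, and the QUIC hunt over endpoint network-connection events. The affected build range and the notepad.exe/conhost.exe injection targets are taken from the write-up; the inventory rows, the sample events and their Sysmon Event ID 3-style field names are constructed for the example, and the browser allowlist and the internal address ranges are assumptions to tune for your own fleet.

```python
"""Triage helpers for the DAEMON Tools supply chain compromise described above.

Added example, not Kaspersky's or the DAEMON Tools vendor's code. The affected
build range and the injection targets come from the write-up; the inventory rows
and network events below are constructed sample data, and the event field names
follow Sysmon Event ID 3 (an assumption; adapt them to what your EDR exports).
"""
from __future__ import annotations

import ipaddress

AFFECTED_MIN = (12, 5, 0, 2421)  # first trojanised build named in the write-up
AFFECTED_MAX = (12, 5, 0, 2434)  # last trojanised build named in the write-up

# Processes expected to speak QUIC/HTTP3 legitimately (assumed allowlist; tune per fleet).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Processes the write-up names as QUIC RAT injection targets.
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}

# Address space treated as internal: RFC 1918, loopback, link-local (tune to your
# address plan). ipaddress.is_private is deliberately not used: it also matches the
# documentation ranges the constructed sample uses as "external" C2 addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_version(text: str) -> tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421). Compare numerically: as strings,
    '12.5.0.999' would sort above '12.5.0.2421'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed build lies inside the trojanised range (inclusive)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def affected_hosts(inventory: list[dict]) -> list[str]:
    """Rows of {'host', 'name', 'version'}; returns the hosts that should be isolated."""
    return sorted(
        row["host"] for row in inventory
        if "daemon tools" in row["name"].lower() and is_affected(row["version"])
    )


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def suspicious_quic_events(events: list[dict]) -> list[dict]:
    """Flag outbound UDP/443 (QUIC/HTTP3) connections to external hosts initiated by
    anything other than a browser. The named injection targets rate high, any other
    non-browser process medium."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if ev["Protocol"].lower() != "udp" or int(ev["DestinationPort"]) != 443:
            continue
        if not ev.get("Initiated", True) or not is_external(ev["DestinationIp"]):
            continue
        if image in BROWSER_IMAGES:
            continue
        hits.append({
            "host": ev["Computer"],
            "image": image,
            "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}",
            "severity": "high" if image in INJECTION_TARGETS else "medium",
        })
    return hits


# Constructed sample inventory (e.g. parsed from the registry query's output).
SAMPLE_INVENTORY = [
    {"host": "ws-0417", "name": "DAEMON Tools Lite", "version": "12.5.0.2430"},
    {"host": "ws-0418", "name": "DAEMON Tools Lite", "version": "12.5.0.2419"},
    {"host": "ws-0419", "name": "DAEMON Tools Pro", "version": "12.5.0.2434"},
    {"host": "ws-0420", "name": "7-Zip", "version": "23.1"},
]

# Constructed sample network-connection events, Sysmon Event ID 3 style.
SAMPLE_EVENTS = [
    {"Computer": "ws-0417", "Image": r"C:\Windows\System32\notepad.exe", "Protocol": "udp",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-0417", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "udp", "DestinationIp": "203.0.113.45", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-0421", "Image": r"C:\Windows\System32\conhost.exe", "Protocol": "udp",
     "DestinationIp": "10.0.0.5", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-0422", "Image": r"C:\Users\a\updater.exe", "Protocol": "tcp",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Initiated": True},
    {"Computer": "ws-0423", "Image": r"C:\Users\b\sync.exe", "Protocol": "udp",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443, "Initiated": True},
]

if __name__ == "__main__":
    print("isolate:", affected_hosts(SAMPLE_INVENTORY))
    for hit in suspicious_quic_events(SAMPLE_EVENTS):
        print(hit)
```

On the sample data the script lists ws-0417 and ws-0419 for isolation and flags two flows: notepad.exe on ws-0417 (high) and sync.exe on ws-0423 (medium). The conhost.exe connection on ws-0421 is not flagged because its destination is an internal address, which is why the internal-range list needs to match your own address plan; browsers talking QUIC to the same C2 address are also excluded, so treat the output as a hunt lead to pivot from, not as proof of compromise on its own.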

Background: Understanding the Risk

Supply chain attacks are among the most difficult intrusion vectors to detect and defend against. By compromising a trusted software vendor's build or distribution infrastructure, attackers turn legitimate software updates into malware delivery mechanisms that bypass user training (the software appears trustworthy), endpoint controls (it is signed by a known publisher), and perimeter defenses (the download comes from a legitimate domain).

High-profile supply chain attacks have set an alarming precedent. The SolarWinds SUNBURST operation (2020) pushed a trojanised Orion update to as many as 18,000 customers, of which a far smaller set was selected for follow-on intrusion. The 3CX supply chain attack (2023) was attributed to North Korea's Lazarus Group. The XZ Utils backdoor (2024) was caught before the compromised liblzma reached mainstream stable Linux distributions. The DAEMON Tools operation follows the same template: compromise a popular, widely trusted utility and use it as a distribution vector for targeted follow-on operations.

The QUIC RAT's use of HTTP/3 and QUIC for C2 communications is a deliberate evasion choice. Most enterprise network monitoring was built around TCP-based inspection; QUIC runs over UDP and encrypts almost the entire packet, including most of its transport headers, so legacy appliances often pass it uninspected and deep packet inspection sees only an encrypted UDP stream to port 443. That gives the RAT a durable, low-detection command channel even on well-monitored networks; the practical counter is to restrict or at least log outbound UDP/443 and tie each flow back to the process that initiated it.

Kaspersky's analysis, also covered by TechCrunch, indicates the attack is still active. DAEMON Tools users should not download new installers from the official site until the vendor has confirmed the distribution pipeline is clean and published cryptographic hashes for verified installers.

Conclusion

The DAEMON Tools supply chain attack is an active operation, attributed with moderate confidence to a Chinese-speaking threat actor, that has backdoored official, digitally signed installers since April 8, 2026, affecting users in over 100 countries. Any system where DAEMON Tools version 12.5.0.2421–12.5.0.2434 was installed should be treated as compromised. Check your fleet now, isolate affected hosts, and apply Kaspersky's published IOCs across your security tooling.

For any query contact us at contact@cipherssecurity.com