IndustrialCyber

Kaspersky uncovers targeted DAEMON Tools supply chain attack affecting manufacturing, government sectors


Researchers at Securelist by Kaspersky disclosed an ongoing supply chain attack targeting the official website of the widely used DAEMON Tools software, where trojanized installers distributed since April 8 were used to deploy malicious payloads and backdoor malware on victim systems. The attackers selectively delivered second-stage payloads only to a limited subset of compromised machines, despite infections spanning thousands of systems globally. 

The researchers found that the machines that received the second-stage payloads belonged to retail, scientific, government, and manufacturing organizations, indicating that the supply chain attack was conducted in a highly targeted manner rather than as a broad, indiscriminate malware campaign. Kaspersky noted that only a dozen systems across Russia, Belarus, and Thailand received the advanced backdoor implants, suggesting the threat actors were carefully identifying high-value targets after initial compromise.

“In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,” Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin wrote in a threat response this week. “Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed.” 

They contacted AVB Disc Soft, the company that develops DAEMON Tools, so that further steps could be taken to remediate the consequences of the attack.

On May 6, 2026, following public disclosure of the issue, the vendor acknowledged the compromise and released version 12.6.0.2445 of the software, which no longer contains the malicious behavior described in the report. On the same day, the researchers added detection capabilities for the malicious campaign in network traffic through Kaspersky Anti Targeted Attack (KATA) using its Network Detection and Response (NDR) module.

A day earlier, the report was updated with additional detection rules and examples from KEDR Expert, while Kaspersky also confirmed that the malicious activity could be detected through its Managed Detection and Response service.

Kaspersky disclosed that since April 8, the time when the first trojanized version of DAEMON Tools was deployed, “we observed thousands of attempted payload deployments via the compromised binaries. Notably, this is a quite large number, indicating a widespread nature of this attack. We observed these deployments on machines belonging to both individuals and organizations across more than 100 countries and territories, with the majority of victims located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.”

The analysis shows that 10% of the affected systems belong to businesses and organizations. Attackers attempted to infect most of the affected machines only with the information collector payload. However, the other backdoor payload, which is more complex, has been observed only on a dozen machines of government, scientific, manufacturing, and retail organizations located in Russia, Belarus and Thailand. 

The post noted that this manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.

Researchers found that attackers compromised multiple binaries in DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434, located within the software installation directory. The trojanized files were digitally signed by AVB Disc Soft, the legitimate developer of DAEMON Tools, allowing malicious components to appear trustworthy and evade suspicion during installation and execution.

According to the analysis, the malware activates automatically when the affected binaries launch during system startup, embedding a backdoor within the CRT initialization code and running it through a dedicated thread. The backdoor then sends GET requests containing the infected machine’s full computer name to a malicious command-and-control domain designed to mimic the legitimate daemon-tools[.]cc website. Researchers noted that the typosquatted domain, env-check.daemontools[.]cc, was registered on March 27, roughly one week before the supply chain attack began.
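Two defensive checks that follow from the preceding paragraphs, written as an added example rather than code from Kaspersky or AVB Disc Soft: a version-range test for the compromised builds 12.5.0.2421 through 12.5.0.2434, and a scan of proxy log lines for requests to the typosquatted C2 host. The log layout and sample lines are constructed, the query string standing in for the computer-name beacon is invented, and treating every host under daemontools.cc as suspect generalizes beyond the single host named in the text.

```python
import re

# Trojanized build range and C2 host as stated in the Kaspersky findings quoted above.
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)
C2_HOST = "env-check.daemontools.cc"   # typosquat of the vendor's daemon-tools.cc
LOOKALIKE_APEX = "daemontools.cc"      # assumption: any host under it is treated as suspect

def parse_version(v: str) -> tuple:
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuples compare numerically field by field."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected DAEMON Tools version string: {v!r}")
    return tuple(int(p) for p in parts)

def version_is_compromised(v: str) -> bool:
    """True for installed builds 12.5.0.2421 through 12.5.0.2434 (inclusive)."""
    return COMPROMISED_MIN <= parse_version(v) <= COMPROMISED_MAX

def is_lookalike(host: str) -> bool:
    """Match the known C2 host or any other name under the lookalike apex."""
    host = host.lower().rstrip(".")
    return host == C2_HOST or host == LOOKALIKE_APEX or host.endswith("." + LOOKALIKE_APEX)

# Constructed proxy-log layout (not any real product's format): "<date> <src-ip> <method> <host> <path>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (\S+) (\S+)$")

def find_beacons(lines):
    """Return (date, src_ip, method, host) for every request to a lookalike host.
    No date filter: the domain predates the first trojanized build, so any contact counts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and is_lookalike(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return hits

# Constructed sample lines; the query string is an invented placeholder for the
# computer-name beacon, since the report does not quote the exact request.
SAMPLE_LOG = [
    "2026-04-09 10.0.0.5 GET env-check.daemontools.cc /?id=WS-ENG-07.corp.example",
    "2026-04-10 10.0.0.8 GET www.daemon-tools.cc /downloads",
    "2026-04-12 10.0.0.9 POST env-check.daemontools.cc /",
    "2026-04-15 10.0.0.11 GET update.daemontools.cc /x",
    "not a well-formed log line",
]

if __name__ == "__main__":
    print(version_is_compromised("12.5.0.2430"), find_beacons(SAMPLE_LOG))
```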

“While we observed the information collector being attempted to be deployed on a large number of infected machines, we as well noted that attackers attempted to deliver another payload to a very small number of machines, equating to about a dozen,” according to the post. “Based on this fact, we conclude with a high degree of confidence that the information collector is used for profiling the infected machines, with the profiling results further used to deploy additional payloads in a targeted manner. One of such payloads we observed is a minimalistic backdoor.” 

The researchers pointed out that, based on their long-term experience of analyzing supply chain attacks, they can conclude that the attackers orchestrated the DAEMON Tools compromise in a highly sophisticated manner. “For example, the time it took to detect this attack, which turned out to be about one month, is comparable to the 3CX supply chain attack which we researched together with the cybersecurity community in 2023. Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had DAEMON Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8.”

They also noted that it has been just four months since 2026 started – and over this short period, “we have observed an increasing number of reported supply chain attacks. We were investigating eScan in January, Notepad++ in February, CPU-Z in April, and now DAEMON Tools in May. Given this surge in supply chain attack observations, organizations should be very careful when choosing the software they decide to install.” 

At the same time, this surge indicates that widely used and trusted applications represent a valuable vector of compromise for attackers because of their broad potential impact. This should be kept in mind when planning an organizational cybersecurity strategy, to ensure a solid implementation of the ‘zero trust’ approach.

Kaspersky significantly contributed to the analysis and discovery of large-scale supply chain incidents in 2026, sharing the technical findings with the cybersecurity community.
