Kaspersky Discovers Supply Chain Attack on Daemon Tools Website
Severity: High (Score: 71.0)
Sources: Digitalterminal.In, Analyticsinsight
Keywords: kaspersky, supply, chain, attack, official, daemon, tools
Severity indicators: supply chain attack, supply chain
Summary
Kaspersky's Global Research and Analysis Team identified a supply chain attack on the official Daemon Tools website, affecting software versions 12.5.0.2421 and later. The attack, ongoing since April 8, 2026, involves a compromised installer that delivers backdoor malware, allowing remote control of infected devices. The malware was concealed using a valid developer digital certificate, exploiting user trust in signed software. The attack has impacted systems in over 100 countries, with significant concentrations in Russia, Brazil, and several European nations. Approximately 10% of affected systems belong to businesses, increasing risks for corporate networks. Kaspersky observed additional payloads being deployed on a small number of targeted machines across various sectors. The campaign has not yet been attributed to any known threat actor. Kaspersky has notified the software developer for remediation actions.

Key Points:
- Ongoing supply chain attack on Daemon Tools since April 8, 2026.
- Malware delivered via compromised installer with a valid digital certificate.
- Approximately 10% of affected systems belong to businesses, heightening enterprise risk.
Detailed Analysis
**Impact**
The supply chain attack affects Daemon Tools versions 12.5.0.2421 through the current release, distributed globally across more than 100 countries, with the highest victim concentration in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China. Approximately 10% of infected systems belong to businesses and organizations, including the retail, scientific, government, and manufacturing sectors, exposing enterprise networks to significant downstream risk. The attack enables remote control of infected devices, potentially compromising sensitive data and operational integrity.

**Technical Details**
Threat actors compromised the installer offered on the official Daemon Tools website by injecting malicious code into legitimate application binaries, which were then signed with a valid developer certificate and distributed from April 8, 2026 onward. The malware executes at process startup and persists through a legitimate Windows service, using the elevated administrative privileges granted during installation. On a small number of targeted machines, additional payloads were observed: a shellcode injector and previously unknown Remote Access Trojans (RATs) containing Chinese-language artifacts, indicating hands-on targeting of select organizations. No CVEs or specific infrastructure details were disclosed.

**Recommended Response**
Organizations should immediately audit networks for Daemon Tools Lite installations, isolate affected endpoints, and monitor for unauthorized command execution or lateral movement. Users are advised to uninstall the compromised software and run thorough system scans to remove any persistent components. Kaspersky detects and blocks the compromised installers; deploying those detections and conducting security sweeps are critical to preventing further spread. No patch information was provided.
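As a defender-side starting point for the audit recommended above, the PowerShell below is an added example, not code from Kaspersky, the source articles, or the Daemon Tools developer. It inventories Daemon Tools entries from the Windows Uninstall registry keys, flags any whose version is 12.5.0.2421 or later (the affected range stated in the report), lists Windows services started from the install directory (the persistence path the report describes), and records the Authenticode signer and SHA-256 of executables in that directory for correlation with vendor indicators. It assumes the product's DisplayName contains "DAEMON Tools" and that InstallLocation is populated; both are assumptions, not facts from the page. Service names and hashes of the trojanised build are not on the page, so the script reports what it finds rather than issuing a verdict.

```powershell
# Added example (not from the Kaspersky report or Daemon Tools): audit a host for
# Daemon Tools installs in the affected range and for services launched from the
# install directory. Assumptions (not from the page): DisplayName contains
# "DAEMON Tools" and InstallLocation is set in the Uninstall registry entry.

$AffectedFrom  = [version]'12.5.0.2421'   # affected range per the report: this version and later
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsInstall {
    # Enumerate installed products and keep those whose name matches the assumed pattern.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        ForEach-Object {
            $ver = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                Affected        = ($null -ne $ver -and $ver -ge $AffectedFrom)
            }
        }
}

function Get-ServicesFromPath {
    # Services whose binary path points under the install directory (T1543.003 candidates).
    param([string]$Dir)
    if (-not $Dir) { return }
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$Dir*" } |
        Select-Object Name, State, StartMode, PathName
}

$installs = Get-DaemonToolsInstall
if (-not $installs) { Write-Output 'No Daemon Tools installation found.'; return }

foreach ($i in $installs) {
    Write-Output ("{0} {1} -> in affected range: {2}" -f $i.DisplayName, $i.DisplayVersion, $i.Affected)
    if ($i.Affected) {
        Get-ServicesFromPath -Dir $i.InstallLocation | Format-Table -AutoSize

        # Record signer and hash for each executable. A valid signature does NOT clear a
        # binary here: the report states the compromised build carried a valid developer
        # certificate, so this is evidence to correlate with vendor indicators, not a verdict.
        Get-ChildItem -Path $i.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            } | Format-Table -AutoSize
    }
}
```

Run it from an elevated PowerShell session on each endpoint under review (or via your endpoint management tooling) and feed the hashes and service entries into your detection platform; the script deliberately stops short of uninstalling or stopping anything, since the report advises isolating affected endpoints first.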
Source articles (2)
- Kaspersky identifies ongoing supply chain attack on official Daemon Tools website ... — Analyticsinsight · 2026-06-05
  Kaspersky’s Global Research and Analysis Team (GReAT) discovered an active supply chain attack targeting the official website of Daemon Tools, a widely used virtual drive emulation software. The compr…
- Kaspersky Uncovers Supply Chain Attack Targeting Official Daemon Tools Website — Digitalterminal.In · 2026-06-06
  Kaspersky’s Global Research and Analysis Team (GReAT) discovered an active supply chain attack targeting the official website of Daemon Tools, a widely used virtual drive emulation software. The compr…
Timeline
- 2026-04-08 — Supply chain attack initiated: Threat actors began distributing compromised Daemon Tools software through the official website.
- 2026-06-05 — Kaspersky reports findings: Kaspersky disclosed the ongoing attack, detailing the methods and impact on users worldwide.
- 2026-06-06 — Digital Terminal coverage: Digital Terminal published a report on Kaspersky's findings, confirming the attack's scope and implications.
Related entities
- Supply Chain Attack (Attack Type)
- Brazil (Country)
- China (Country)
- France (Country)
- Germany (Country)
- Italy (Country)
- Russia (Country)
- Spain (Country)
- Türkiye (Country)
- securelist.com (Domain)
- Government (Industry)
- Manufacturing (Industry)
- Retail (Industry)
- T1055 - Process Injection (Mitre Attack)
- T1195 - Supply Chain Compromise (Mitre Attack)
- T1543.003 - Windows Service (Mitre Attack)
- Windows (Platform)