
Supply Chain Attack Compromises DAEMON Tools with Malicious Backdoor

Severity: High (Score: 75.0)

Sources: www.virustotal.com, Techcrunch, Cybersecuritynews, Gbhackers, Securelist

Summary

A supply chain attack has compromised DAEMON Tools software installers, beginning on April 8, 2026. Kaspersky identified that the trojanized installers, signed with legitimate digital certificates, have affected thousands of users globally, with specific targeting of organizations in the retail, scientific, government, and manufacturing sectors. The malware lets attackers deploy additional payloads on compromised systems, with telemetry indicating infections in more than 100 countries. The threat actors are suspected to be Chinese-speaking, and Kaspersky has contacted the software's developer, AVB Disc Soft, which is currently investigating the incident. The attack remains active, with ongoing risk for users who downloaded the affected versions (12.5.0.2421 to 12.5.0.2434). Kaspersky's findings have been corroborated by other cybersecurity reports, which emphasize the sophistication and targeted nature of the attack.

Key Points:

  • DAEMON Tools installers have been compromised since April 8, 2026.
  • The attack has affected thousands of users across more than 100 countries.
  • Kaspersky suspects the attackers are a Chinese-speaking group targeting specific sectors.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Trojan (attack_type)
  • 3CX Supply Chain Attack (campaign)
  • AVB Disc Soft (company)
  • Daemon Tools (company)
  • Belarus (country)
  • Brazil (country)
  • China (country)
  • France (country)
  • Germany (country)
  • Government (industry)
  • Manufacturing (industry)
  • Retail (industry)
  • QUIC RAT (malware)
  • Trojan.Win64.Agent.gen (malware)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1055 - Process Injection (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1059.003 - Windows Command Shell (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Windows (platform)
  • Cmd.exe (tool)
  • PowerShell (tool)