Kaspersky: DAEMON Tools Backdoored in Supply Chain Attack

Kaspersky discovered DAEMON Tools versions 12.5.0.2421–12.5.0.2434 were backdoored on the official site for one month, infecting thousands across 100+ countries with a first-stage backdoor and QUIC RAT.

    Official DAEMON Tools installers distributed directly from the vendor’s website were trojanized between versions 12.5.0.2421 and 12.5.0.2434, delivering a backdoor to thousands of users across more than 100 countries over approximately one month before Kaspersky researchers detected the compromise. A subset of high-value victims received a second-stage implant — QUIC RAT — a more sophisticated tool supporting multiple command-and-control communication protocols.

    How Trojanized DAEMON Tools Installers Delivered Backdoors with Valid Code-Signing Certificates

    The compromised installers were signed with valid developer certificates and distributed through the official DAEMON Tools website, meaning users who downloaded the software from the legitimate source received backdoored binaries without any visual indication of tampering. Three executable files within the installer package were modified: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, according to Kaspersky’s analysis.

    The campaign was active starting April 8, 2026, and remained undetected for approximately one month. The use of valid code-signing certificates is significant because many endpoint security solutions treat signed binaries from known vendors as implicitly trusted, allowing the first-stage backdoor to execute without triggering signature-based detection.

    First-Stage Backdoor Capabilities: Reconnaissance Before Escalation

    The first-stage payload embedded in the trojanized DAEMON Tools installers functioned as a lightweight reconnaissance and staging tool. It collected the infected machine’s hostname, MAC address, running process list, installed software inventory, and system locale information, then transmitted that data to attacker-controlled infrastructure. The implant also supported downloading additional files and executing code directly in memory — a technique used to avoid writing more detectable payloads to disk.

    Kaspersky observed thousands of infections across more than 100 countries resulting from the trojanized installers. The broad infection base reflects the global user base of DAEMON Tools, a widely used virtual drive and disc imaging application.

    QUIC RAT: The Second-Stage Implant Reserved for High-Value Targets

    Approximately 12 machines were identified as having received the second-stage payload, QUIC RAT, according to Kaspersky’s report. QUIC RAT is a more advanced implant that supports multiple communication protocols and is capable of process injection — a technique that allows malicious code to run within the memory space of a legitimate process, further evading detection. The selective deployment of QUIC RAT to a small fraction of the total infected population indicates the attackers manually reviewed first-stage reconnaissance data and escalated only against targets deemed sufficiently valuable.

    Targeted Sectors: Government, Scientific Research, and Manufacturing Across Russia, Belarus, and Thailand

    Kaspersky identified the primary targeted sectors as retail, scientific research, government, and manufacturing, with victims concentrated in Russia, Belarus, and Thailand. The geographic targeting and sector focus are consistent with nation-state or advanced criminal threat actors seeking access to government and research networks rather than opportunistic mass infection.

    Attribution remains unconfirmed. Kaspersky noted code strings within the malware suggesting a Chinese-speaking threat actor, but the researchers stopped short of formally attributing the campaign to a specific group or country. The presence of Chinese-language artifacts in malware source code is a common indicator used in attribution analysis, though adversaries sometimes deliberately include misleading artifacts to obscure their origin.

    Why Code-Signing Did Not Protect Users from the DAEMON Tools Supply Chain Attack

    The trojanization of digitally signed binaries distributed through the official vendor channel bypasses several layers of conventional endpoint protection. Allowlisting policies that permit execution based on digital signatures would not have blocked the backdoored installers. Browser and download manager warnings that flag unsigned or unverified software would not have triggered. Users who followed best practices — downloading software from official sources, checking that installers were signed — were no better protected than those who did not, because the compromise occurred before the installer reached them.

    Scope of the DAEMON Tools Compromise and the Vendor’s Response

    Kaspersky disclosed the findings on May 5, 2026, approximately one month after the attack began. The vendor’s response had not been detailed in available reporting as of publication. The compromised version range — 12.5.0.2421 through 12.5.0.2434 — gives affected users a specific version window to compare against installed builds.
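The version window and the three modified file names are enough to drive a fleet-wide triage from an endpoint inventory export. The script below is an added example, not Kaspersky's or the DAEMON Tools vendor's code; the inventory record schema, the host names and the `DTLite.exe` component name are constructed assumptions. It puts a signature-only allowlisting verdict (the control the article says failed) beside a build-number verdict, and parses versions numerically rather than as strings, since a lexical comparison would misplace builds such as `12.5.0.243` inside the window.

```python
from dataclasses import dataclass

# Facts from the report: the trojanized version window and the three
# modified executables inside the installer package.
AFFECTED_LOW = "12.5.0.2421"
AFFECTED_HIGH = "12.5.0.2434"
MODIFIED_FILES = {"DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"}


def parse_version(version: str) -> tuple[int, ...]:
    """Convert a dotted build string into a tuple of ints for numeric comparison.

    Comparing raw strings is a classic mistake: '12.5.0.243' sorts between
    '12.5.0.2421' and '12.5.0.2434' lexically but is far below the window
    numerically.
    """
    return tuple(int(part) for part in version.strip().split("."))


def in_affected_window(version: str) -> bool:
    """True if the build falls inside the reported compromised range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


@dataclass(frozen=True)
class FileRecord:
    """One row of an endpoint inventory export (constructed schema, an assumption)."""
    host: str
    file_name: str
    file_version: str
    signature_valid: bool


def signature_only_verdict(rec: FileRecord) -> str:
    """The control that failed: allowlisting on a valid vendor signature alone."""
    return "allow" if rec.signature_valid else "block"


def version_window_verdict(rec: FileRecord) -> str:
    """Verdict that ignores the signature and keys on build number and file name."""
    if in_affected_window(rec.file_version):
        # Any component from a compromised build warrants a look; the three
        # named files are the ones Kaspersky reports as actually modified.
        return "quarantine" if rec.file_name in MODIFIED_FILES else "review"
    return "allow"


def triage(inventory) -> list[dict]:
    """Return one finding per record whose version-window verdict is not 'allow'.

    Each finding carries both verdicts so the gap between signature trust
    and build-number triage is visible in the output.
    """
    findings = []
    for rec in inventory:
        window = version_window_verdict(rec)
        if window != "allow":
            findings.append({
                "host": rec.host,
                "file": rec.file_name,
                "version": rec.file_version,
                "signature_only": signature_only_verdict(rec),
                "version_window": window,
            })
    return findings


# Constructed sample inventory (not real hosts or telemetry).
SAMPLE_INVENTORY = [
    FileRecord("ws-0101", "DTHelper.exe", "12.5.0.2421", True),    # first bad build, validly signed
    FileRecord("ws-0102", "DTShellHlp.exe", "12.5.0.2434", True),  # last bad build, validly signed
    FileRecord("ws-0103", "DTLite.exe", "12.5.0.2430", True),      # in-window component, name assumed
    FileRecord("ws-0104", "DTHelper.exe", "12.5.0.2420", True),    # build just before the window
    FileRecord("ws-0105", "DTHelper.exe", "12.5.0.243", True),     # lexically in range, numerically below
    FileRecord("ws-0106", "DiscSoftBusServiceLite.exe", "12.5.0.2425", False),  # in window, bad signature
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Run against a real export, the signed in-window rows are the ones worth attention: the signature column says "allow" for every one of them, which is exactly the blind spot the article describes. The `review` verdict for other components from an affected build is deliberately conservative, since the report names only three modified files but the whole installer from that window came from a compromised channel.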

    The incident joins a growing list of supply chain compromises in which legitimate software distribution channels have been used to deliver malware at scale. Previous cases have involved build server compromises, corrupted update mechanisms, and insider access; the DAEMON Tools case falls into the category of trojanized binaries distributed via the vendor’s own infrastructure with valid signing credentials — a scenario that maximizes trust exploitation and minimizes user-side warning signals.
