Hackers used Daemon Tools' own website to silently install backdoors on thousands of PCs for nearly a month

DragonSlayer101

Posts: 982   +14
Staff
What just happened? Popular disk imaging software Daemon Tools was the victim of a sophisticated supply chain attack, with threat actors distributing trojanized Windows installers through the program's official website to deliver a backdoor to thousands of PCs worldwide. The campaign began on April 8 and affected victims in more than 100 countries before being discovered.

Cybersecurity researchers at Kaspersky found that the attack compromised multiple versions of Daemon Tools, from 12.5.0.2421 through 12.5.0.2434. What made the campaign particularly difficult to detect was that the malicious installers were distributed directly from the official website and signed with legitimate digital certificates belonging to AVB Disc Soft, the software's developer – allowing the attack to go unchecked for nearly a month.

As a side note, we also distribute Daemon Tools through TechSpot Downloads, but our hosted version is not among the affected builds, nor have we distributed any of the compromised versions. As part of our standard process, all software listed on TechSpot is scanned with VirusTotal before publication.

The researchers determined that attackers injected malware into at least three binaries bundled within the original installer: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All three reside in the program's default installation directory, typically C:\Program Files\Daemon Tools Lite on Windows machines.

The backdoor activates each time one of the compromised binaries is launched, firing GET requests to a malicious URL designed to mimic Daemon Tools' legitimate domain. According to whois records, that domain was registered on March 27, roughly a week before the attack went live.

The initial payload collects a broad range of system information, including the device's MAC address, hostname, installed software, running processes, network configuration, and user location, before transmitting it to attacker-controlled servers for profiling.

Kaspersky has not been able to attribute the campaign to any known threat actor, though strings found in the first-stage payload suggest the attacker is Chinese-speaking.

The majority of victims are reportedly located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, second-stage payloads were delivered to only around a dozen devices, all belonging to major retailers, manufacturing facilities, scientific organizations, government agencies, and educational institutions in Russia, Belarus, and Thailand.

That selective targeting led researchers to conclude "with a high degree of confidence" that the operation was aimed at specific individuals and organizations rather than opportunistic targets.

Kaspersky has informed AVB Disc Soft of the attack in line with standard responsible disclosure practices. In the meantime, the firm is urging all Daemon Tools users to run a malware scan immediately and watch for suspicious code injections into legitimate system processes – "especially when the source is executables launched from publicly accessible directories such as Temp, AppData, or Public."

Permalink to story:

 
Okay, I don't get it.
Whoever did this hacked the webserver and planted infected installers, but how did they manage to sign the files?

Keep in mind that Kaspersky is a Russian company, or at least was started there. If it's still in Russia, information coming from it can't be trusted.
 
Okay, I don't get it.
Whoever did this hacked the webserver and planted infected installers, but how did they manage to sign the files?

Keep in mind that Kaspersky is a Russian company, or at least was started there. If it's still in Russia, information coming from it can't be trusted.
Kaspersky is the top AV and the only one I know that isn't banned from showing NSO, Pegasus and other Israeli malware. Every other company has signed deals with the US gov to hide such malware. It's 2026, all to security analyst have already published about this years ago. Why do people still think this way?
 
Kaspersky is the top AV and the only one I know that isn't banned from showing NSO, Pegasus and other Israeli malware. Every other company has signed deals with the US gov to hide such malware. It's 2026, all to security analyst have already published about this years ago. Why do people still think this way?
All malware is Israeli? I think you might need to do some serious thinking... "Why do people still think this way?" I'd like to think not everyone is anti-semitic... alas, it's a growing trend...
 
All malware is Israeli? I think you might need to do some serious thinking... "Why do people still think this way?" I'd like to think not everyone is anti-semitic... alas, it's a growing trend...
Strawmen and boring ad hominem

You'd think people would be smarter in 2026, alas it seems to be the opposite.
 
Strawmen and boring ad hominem

You'd think people would be smarter in 2026, alas it seems to be the opposite.
Why would you assume that humanity would be smarter now than in the past? Human nature has remained the same for thousands of years... and please stop posting anti-semitic trash on this site.
 
Kaspersky is the top AV and the only one I know that isn't banned from showing NSO, Pegasus and other Israeli malware. Every other company has signed deals with the US gov to hide such malware. It's 2026, all to security analyst have already published about this years ago. Why do people still think this way?
Maybe you can provide links to a government website showing "signed deals with the US gov to hide such malware"?
This will make your claim sound slightly less nonsensical.
 
Maybe you can provide links to a government website showing "signed deals with the US gov to hide such malware"?
This will make your claim sound slightly less nonsensical.
Perhaps you can learn how to Google. This way you ur comments won't come off as ignorant and lazy.

But let me do some educating

"Magic Lantern" Legacy
The specific historical precedent you are recalling about a Western AV company admitting this practice stems from an older, widely discussed industry revelation.
The Register / Reuters (Historical Archive): During the early 2000s, McAfee publicly admitted that it would not flag or block the FBI's custom logging and surveillance tools (such as the "Magic Lantern" keylogger) if requested. This sparked a multi-decade debate about whether antivirus companies could be trusted to protect citizens against their own governments"

The "Whitelisting" and "Do Not Detect" Disclosures (2012–2013)
When the massive, Israeli/US-attributed Flame and Stuxnet cyberweapons were exposed, multiple investigative journalists and security whistleblowers revealed that several Western antivirus firms had been quietly accommodating government-made malware.
Wired / Kim Zetter (2012): Investigating the discovery of Flame, tech reporters highlighted that top antivirus executives admitted to a dark industry reality: government agencies frequently requested that their security tools "whitelist" or purposely overlook state-authored surveillance tools.
The Verge (2013): Following Edward Snowden's leaks, articles extensively analyzed how intelligence agencies (like the NSA and Israeli equivalents) coerced or collaborated with domestic software companies to ensure government Trojans would bypass signature scanning."

To be frank, it's hard finding primary source materials, but people archive them. Thank God.
 
Back