Kasperky warns popular Daemon Tools app backdoored by hackers to target specific victims

News
By published

A two-stage process targets government, science, and retail

A hand about to touch a phone. Superimposed on top of it is a pink triangle with exclamation mark inside it. Behind it is a computer display with code on it
(Image credit: Getty Images)
  • Attackers poisoned DAEMON Tools downloads with malware, infecting thousands worldwide
  • The campaign deployed an infostealer first, followed by a selective backdoor on targeted machines
  • Researchers suspect Chinese actors, noting the attack’s precision against government and industry systems

DAEMON Tools, a popular program used to create and use virtual drives on a computer, was poisoned to deliver dangerous backdoor to thousands of users, experts have warned.

Security researchers Kaspersky published a new report outlining how someone broke into the website hosting DAEMON Tools around April 8, 2026. They added multiple new versions of the software, 12.5.0.2421 through 12.5.0.2434 - for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.

When installed, these versions deployed multiple malware variants. First, the victim gets infected with a basic infostealer that grabs system data (hostname, MAC address, running processes, installed software, and system locale), and relays it to the attackers. Then, based on the information returned, the malware moves to stage two, deploying a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.

Article continues below

Highly targeted attack

DAEMON Tools was extremely popular in the early 2000s, but even today it is considered to be widely used.

Kaspersky noted how just among its own customers, it has seen “several thousands of infection attempts” from early April, with victims located all around the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Kaspersky also noted that this seems to be a highly targeted attack. The threat actors cannot choose who gets infected with the infostealer, since it’s hosted on DAEMON Tools’ website. Stage two, however, was only seen on a dozen machines belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.

“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.”

Kaspersky could not determine the identity of the attackers but believes they are Chinese.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.