
Kaspersky Uncovers DAEMON Tools Supply Chain Attack


"These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid wrote.

Kaspersky identifies a supply chain attack on DAEMON Tools

Kaspersky has reported a newly identified supply chain attack that compromised DAEMON Tools installers to serve a malicious payload. The company’s researchers — named in the report as Igor Kuznetsov, Georgy Kucherin, Leonid — say the compromised installers were being distributed from DAEMON Tools' legitimate website and carried digital signatures issued to DAEMON Tools developers.

Compromised installers as the attack vector

The core of Kaspersky’s finding is that the installers themselves were modified to include a malicious payload. The report states the installers are distributed via the official DAEMON Tools website and that the files retain developer digital certificates. That combination — delivery through a vendor’s legitimate distribution channel plus apparently valid code signing — is the mechanism Kaspersky highlights as central to the intrusion.

Legitimate website distribution and developer certificates

Kaspersky’s statement emphasizes two concrete technical facts: distribution occurred from the legitimate site, and the installers were signed with digital certificates belonging to DAEMON Tools developers. Together, those facts frame the primary concern: code delivered from an official source and bearing valid signatures can still carry malicious content if an attacker compromises the build, signing, or distribution process.

What this means for technologists, procurement teams, and end users

  • Technologists and security teams: Faced with installers that appear to come from a vendor’s official site and include developer signatures, defenders will need to treat such binaries as potential carriers of malicious payloads until they can validate provenance beyond the site origin and signature alone.
  • Procurement and enterprise IT leaders: The Kaspersky finding underscores that reliance on a vendor’s official distribution channel and on digital signatures does not by itself guarantee a supply chain is uncompromised; procurement reviews and build-process attestations will be areas of interest in response.
  • End users: Because the compromised installers were available from DAEMON Tools’ legitimate site, ordinary users obtaining the software from that source could have unwittingly installed the malicious payload described by Kaspersky.

Practical takeaways and unanswered specifics

The published facts are narrow and specific: Kaspersky detected a supply chain attack that altered DAEMON Tools installers, those altered installers were available from the official website, and they were signed with developer certificates. Beyond those points, the material summarized here gives no further detail: it does not specify the nature of the malicious payload, how the compromise was introduced into the installers, what timeframe the distribution covered, or which developer certificates were used. Those remain open questions based on the material provided.

The story, as Kaspersky frames it, is a reminder that digital signatures and official websites are important signals but not absolute guarantees. Where installers from a vendor’s site are found to carry malicious payloads despite valid-looking signatures, investigators and defenders must trace build and signing processes to determine whether the compromise occurred at the build, signing, repository, or distribution stage.

For readers seeking the original technical account, Kaspersky’s report is the primary source; the summary from The Hacker News that reported these findings is available at the link below.

https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html