"Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had DAEMON Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8," the researchers say.
Kaspersky: ongoing, high-complexity supply-chain attack
Cybersecurity company Kaspersky reported that attackers trojanized installers for the DAEMON Tools utility and, beginning April 8, used those installers to deliver a backdoor to thousands of systems that had downloaded the product from the official website. Kaspersky characterizes the compromise as sufficiently sophisticated to have evaded detection for almost one month and says the attack is ongoing as of today.
BleepingComputer has contacted DAEMON Tools for comment but reported it had not heard back by publication.
Trojanized DAEMON Tools installers and affected binaries
Kaspersky identified the compromised DAEMON Tools versions as 12.5.0.2421 through 12.5.0.2434. The infected installers contained malicious code embedded specifically in three signed binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Once users download and execute the digitally signed trojanized installers, that embedded code establishes persistence and activates a backdoor on system startup.
The supply-chain nature of the compromise means the malicious code rode inside installers obtained from the official distribution channel for DAEMON Tools, a Windows utility used to mount disk image files as virtual drives.
How the malware behaves: first-stage stealer and backdoor
Kaspersky separated the intrusion into a first-stage information stealer and, in some cases, a second-stage backdoor. The initial payload collects system data—hostname, MAC address, running processes, installed software, and system locale—and sends it to the attackers to support victim profiling. The server operator can then reply with commands instructing the infected system to download and execute additional payloads.
Where a second-stage payload is deployed, Kaspersky observed a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory. That staged approach — broad distribution of a low-footprint stealer followed by selective deployment of more capable tooling — is consistent with a campaign that prioritizes reconnaissance and person-of-interest compromise rather than mass exploitation.
Targeted follow-on deployments and QUIC RAT
Although the trojanized installers led to "thousands of infections in more than 100 countries," Kaspersky reports that second-stage payloads were installed on only about a dozen machines, indicating a narrow set of follow-on targets. Among those receiving next-stage payloads, Kaspersky lists retail, scientific, government, and manufacturing organizations located in Russia, Belarus, and Thailand.
In at least one observed case — an infection at a Russian educational institute — Kaspersky saw deployment of a more advanced malware strain dubbed QUIC RAT. That strain supports multiple communication protocols and can inject malicious code into legitimate processes, increasing its ability to blend into host activity and evade straightforward detection.
Kaspersky does not publicly attribute the attack to a named group, but the researchers noted strings in the first-stage payload that led them to believe the attacker is Chinese-speaking.
What this means for retail, scientific, and government organizations
- Retail and manufacturing organizations named by Kaspersky should treat DAEMON Tools installs as potential initial access points and examine endpoints for the described indicators: the specific binary names and versions, persistence mechanisms, and signs of second-stage activity.
- Scientific and government organizations contacted by second-stage payloads — and other entities operating in Russia, Belarus, and Thailand where follow-on deployments were observed — are most directly implicated and should prioritize forensic review of systems where DAEMON Tools was installed on or after April 8.
- IT and security teams that maintain virtual-drive tooling in controlled environments should inventory installations of DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 and look for anomalous processes, unexpected network connections, and signs of in-memory code execution consistent with the lightweight backdoor and with QUIC RAT behavior.
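The inventory step above, written out as an added PowerShell triage script; it is not part of the BleepingComputer article or Kaspersky's advisory. The affected version range (12.5.0.2421 through 12.5.0.2434), the three binary names and the April 8 date come from the article; everything else is an assumption: that DAEMON Tools registers a standard Uninstall entry whose DisplayName contains "DAEMON Tools", that the install directory is in InstallLocation or under a Program Files tree, and that persistence would be visible as a service or Run key referencing one of those binaries (the article does not say which mechanism is used). The article gives no year for April 8 and no file hashes, so the cutoff defaults to the current year and the script records SHA-256 values for comparison against indicators you obtain separately. Because the trojanized binaries were themselves signed, a valid Authenticode status does not clear a file; a hit in the version range is a lead for forensic review, not a verdict.

```powershell
# Added DAEMON Tools triage example (not the article's or Kaspersky's code).
# Version range and binary names are from the article; paths and persistence
# locations below are assumptions to be adjusted for your environment.
param(
    # The article says "on or after April 8" without a year; adjust as needed.
    [datetime]$InstalledSince = (Get-Date -Month 4 -Day 8 -Hour 0 -Minute 0 -Second 0)
)

$AffectedMin     = [version]'12.5.0.2421'
$AffectedMax     = [version]'12.5.0.2434'
$SuspectBinaries = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')

# Standard per-machine Uninstall keys (64-bit and 32-bit views).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsInstall {
    # Assumption: the product registers an Uninstall entry containing "DAEMON Tools".
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        ForEach-Object {
            $ver = $null
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                InAffectedRange = [bool]($ver -and $ver -ge $AffectedMin -and $ver -le $AffectedMax)
            }
        }
}

function Find-SuspectBinary {
    # Locate the three named binaries and record what a reviewer needs:
    # version, timestamps, signer and a hash to compare with published indicators.
    param([string[]]$Roots)
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique)) {
        Get-ChildItem -Path $root -Recurse -File -Include $SuspectBinaries -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Created     = $_.CreationTime
                    Modified    = $_.LastWriteTime
                    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                    SigStatus   = $sig.Status   # "Valid" does NOT clear the file: the trojanized binaries were signed.
                    SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    AfterCutoff = ($_.LastWriteTime -ge $InstalledSince -or $_.CreationTime -ge $InstalledSince)
                }
            }
    }
}

function Get-PersistenceReference {
    # Assumption: persistence (if any) shows up as a service or Run key whose
    # command line references one of the suspect binaries. Adjust to your telemetry.
    $pattern = ($SuspectBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Command = $_.PathName; State = $_.State } }
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -match $pattern }) {
            [pscustomobject]@{ Kind = 'RunKey'; Name = "$key\$($_.Name)"; Command = $_.Value; State = $null }
        }
    }
}

$installs = @(Get-DaemonToolsInstall)
$roots    = @($installs.InstallLocation) + @($env:ProgramFiles, ${env:ProgramFiles(x86)})
$binaries = @(Find-SuspectBinary -Roots $roots)
$persist  = @(Get-PersistenceReference)

"== DAEMON Tools installs (InAffectedRange = version in the published range) =="
$installs | Format-Table -AutoSize
"== Suspect binaries (AfterCutoff = written on/after $($InstalledSince.ToShortDateString())) =="
$binaries | Format-Table Path, FileVersion, Modified, SigStatus, AfterCutoff, SHA256 -AutoSize
"== Services / Run keys referencing the suspect binaries =="
$persist  | Format-Table -AutoSize

# Exit non-zero when anything warrants forensic follow-up, for fleet-wide scheduling.
if (($installs | Where-Object InAffectedRange) -or ($binaries | Where-Object AfterCutoff)) { exit 1 }
```

Run it from an elevated prompt so the 64-bit and 32-bit Uninstall views and all service definitions are readable; the non-zero exit code lets an endpoint-management tool collect the machines that need the forensic review the article recommends.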
Kaspersky’s advisory frames a narrow but consequential risk: a broadly distributed, signed installer used as the initial vector, followed by surgical second-stage deployments against targets of interest. The company’s recommendation that affected organizations examine machines with DAEMON Tools installs for abnormal activity on or after April 8 is a concrete next step grounded in the timeline and technical indicators Kaspersky published. For organizations still discovering who downloaded or installed those compromised versions, the lingering questions are practical: which systems received only the profiler, which received the backdoor, and whether any follow-on activity resulted in data theft or lateral movement. Kaspersky’s observation that the first-stage payload contains strings suggesting a Chinese-speaking author gives investigators some direction, but attribution to a named actor remains unclaimed.
Read the original BleepingComputer report: https://www.bleepingcomputer.com/news/security/daemon-tools-trojanized-in-supply-chain-attack-to-deploy-backdoor/