Kaspersky has uncovered an ongoing and sophisticated supply chain attack targeting the official website of Daemon Tools, a widely used virtual drive emulation software. According to findings from Kaspersky’s Global Research and Analysis Team (GReAT), attackers have been distributing a compromised installer embedded with backdoor malware since April 8, 2026.
The malicious version of the installer was hosted directly on the official vendor domain, making it appear legitimate and enabling it to bypass traditional security defenses. The compromised file was signed with a valid developer digital certificate, allowing the malware to remain undetected for nearly a month while spreading globally.
Kaspersky researchers identified that affected versions include Daemon Tools 12.5.0.2421 and subsequent releases. Once installed, the tampered software grants attackers the ability to execute arbitrary commands, establish persistent access, and remotely control infected systems. By leveraging elevated privileges typically granted during installation, the malicious payload embeds itself deeply within the host operating system, significantly compromising device security.
“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor… it is of paramount importance for organizations to isolate machines and conduct security sweeps,” said Georgy Kucherin, Senior Security Researcher at Kaspersky GReAT.
Telemetry data shows the attack has impacted users in more than 100 countries, with a notable presence in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China. Approximately 10% of affected systems belong to businesses and organizations, increasing the risk of enterprise-level breaches.
In a smaller number of targeted cases, Kaspersky observed attackers deploying additional malicious tools, including a shellcode injector and previously unknown Remote Access Trojans (RATs). These incidents were identified across sectors such as retail, government, scientific research, and manufacturing, suggesting selective, hands-on targeting of high-value environments.
Kaspersky has notified the software developer, AVB Disc Soft, and is actively detecting and blocking execution of the compromised installers. The company advises organizations to immediately audit systems for Daemon Tools installations, isolate affected endpoints, and monitor for signs of unauthorized activity or lateral movement within networks.
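A concrete form of the audit step above, added here as an example and not part of Kaspersky's or the vendor's material: it triages a software-inventory export against the two facts the report gives (affected versions 12.5.0.2421 and later; tampered installer served from April 8, 2026). The CSV column names, the hostnames and the substring match on "daemon tools" are assumptions for the demonstration.

```python
import csv
import io
from datetime import date

# Facts from the report: 12.5.0.2421 and subsequent releases are affected,
# and the compromised installer was hosted from April 8, 2026 onward.
AFFECTED_FROM_VERSION = "12.5.0.2421"
AFFECTED_FROM_DATE = date(2026, 4, 8)

# Constructed sample inventory export (hypothetical hosts, not real telemetry).
SAMPLE_INVENTORY = """\
hostname,product,version,install_date
ws-001,DAEMON Tools Lite,12.4.1.2290,2026-02-11
ws-002,DAEMON Tools Lite,12.5.0.2421,2026-04-15
ws-003,DAEMON Tools Ultra,12.5.1.2440,2026-04-30
ws-004,7-Zip,24.08,2026-04-20
ws-005,DAEMON Tools Lite,12.5.0.2421,2026-03-01
"""

def version_tuple(v):
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))

def version_at_least(v, threshold):
    """Compare dotted versions numerically, padding shorter ones with zeros."""
    a, b = version_tuple(v), version_tuple(threshold)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def triage(inventory_csv):
    """Return {hostname: priority} for hosts running an affected version.

    'high'   : affected version installed on or after the distribution date
    'review' : affected version but install date precedes it (date may be
               unreliable, so the host still warrants a manual check)
    """
    flagged = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "daemon tools" not in row["product"].lower():
            continue  # assumption: product name contains "DAEMON Tools"
        if not version_at_least(row["version"], AFFECTED_FROM_VERSION):
            continue
        installed = date.fromisoformat(row["install_date"])
        flagged[row["hostname"]] = "high" if installed >= AFFECTED_FROM_DATE else "review"
    return flagged
```

Hosts marked "high" are the ones to isolate first and sweep for persistence and lateral movement, per the guidance above.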
The discovery highlights the growing threat posed by software supply chain attacks, where trusted software distribution channels are exploited to deliver malware. Security experts recommend adopting zero-trust frameworks, limiting administrative privileges, and implementing continuous monitoring solutions such as XDR platforms to mitigate these risks.
As cyber threats evolve in complexity, this incident underscores the importance of strengthening supply chain security and maintaining vigilance even when software originates from trusted sources.
