Kaspersky identifies supply chain attack on official Daemon Tools website distributing backdoor malware

5 May 2026

Kaspersky’s Global Research and Analysis Team (GReAT) discovered an active supply chain attack targeting the official website of Daemon Tools, a widely used virtual drive emulation software. The compromised installer delivers malicious software alongside the legitimate application, granting threat actors the ability to execute arbitrary commands and remotely control infected devices.

During a recent telemetry study, researchers identified that threat actors have actively distributed the modified software directly through the vendor’s primary domain since April 8, 2026, successfully concealing the malware with a valid developer digital certificate. The malicious injection affects Daemon Tools version 12.5.0.2421 up through the current release. Kaspersky has notified AVB Disc Soft, the developer of Daemon Tools, so that remediation actions can be taken.

Because disk emulation software requires low-level system access to function properly, users routinely grant the application elevated administrative privileges during installation. This mechanism allows the embedded malware to secure a deep foothold within the host operating system, severely compromising device integrity. Specifically, attackers tampered with legitimate application binaries to execute malicious code at process startup and leveraged a legitimate Windows service to maintain persistence on the host.

Kaspersky telemetry indicates a widespread, global distribution of the compromised updates across more than 100 countries and territories. The majority of victims are located in Russia, Brazil, Türkiye, Spain, Germany, France, Italy, and China.

The analysis shows that 10% of the affected systems belong to businesses and organizations. While Daemon Tools is heavily adopted by consumers, its presence in corporate environments exposes enterprise networks to severe downstream risks. 

On a small subset of just over ten machines — belonging to organizations in the retail, scientific, government, and manufacturing sectors — Kaspersky GReAT observed attackers manually deploying additional payloads, including a shellcode injector and previously unknown Remote Access Trojans (RATs). The narrow industry profile of these victims, combined with typos and inconsistencies in the executed commands, indicates that the follow-on activity is conducted hands-on against specifically chosen targets. While researchers identified Chinese-language artifacts within the malicious implants, the campaign is not currently attributed to any known threat actor.

“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT. “Because of that, the Daemon Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities. Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.”

Kaspersky actively detects and blocks the execution of the compromised installers. Researchers advise organizations to audit their networks for the presence of Daemon Tools Lite, isolate affected endpoints, and monitor for unauthorized command execution or lateral movement. Individual users should promptly uninstall the compromised application and run a thorough system scan to clear any persistent threats.
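The audit step above can be started with a host inventory. The following PowerShell script is an added example written for this page; it is not Kaspersky's code and not part of Daemon Tools. It reads the standard Windows Uninstall registry keys, keeps entries whose display name matches an assumed pattern (`*DAEMON Tools*`; adjust it to what your inventory actually shows), parses the recorded version, and flags anything at or above 12.5.0.2421, the lowest affected version named in the release. A flagged version is a triage signal for isolation and scanning, not proof that the particular installer on that host was the tampered one.

```powershell
# Added example (not Kaspersky's code): inventory DAEMON Tools entries on a
# Windows host and flag versions in the range the advisory names
# (12.5.0.2421 up through the current release).
# Assumptions: the product registers under the standard Uninstall keys and
# its DisplayName contains "DAEMON Tools"; change $NamePattern if it differs.

$AffectedFrom = [version]'12.5.0.2421'   # lowest affected version per the advisory

# Standard per-machine (64-bit and 32-bit views) and per-user uninstall keys
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsInstalls {
    param([string]$NamePattern = '*DAEMON Tools*')   # assumed display-name pattern

    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            # DisplayVersion can be absent or non-numeric; report that as Unknown
            # rather than silently treating the host as clean.
            $parsed  = $null
            $inRange = 'Unknown'
            if ($_.DisplayVersion -and [version]::TryParse($_.DisplayVersion, [ref]$parsed)) {
                $inRange = if ($parsed -ge $AffectedFrom) { 'Yes' } else { 'No' }
            }
            [pscustomobject]@{
                ComputerName    = $env:COMPUTERNAME
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                InAffectedRange = $inRange
            }
        }
}

$results = Get-DaemonToolsInstalls
if (-not $results) {
    Write-Output "No DAEMON Tools entries found on $env:COMPUTERNAME"
} else {
    $results | Format-Table -AutoSize
    # Exit code 1 lets a fleet-wide job (e.g. Invoke-Command across hosts)
    # collect the machines that need isolation and a full scan.
    if ($results.InAffectedRange -contains 'Yes') { exit 1 }
}
```

Run it locally for a single host, or push it to many hosts with `Invoke-Command` and collect the returned objects and exit codes; hosts reporting `Yes` or `Unknown` go on the list for isolation and a full endpoint scan, which is the remediation the release prescribes.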

Read full research on Securelist.com

In March 2026, a Kaspersky study found supply chain attacks were the most common cyberthreat businesses faced over the prior 12 months, yet only 9% of organizations ranked them as a top concern.

To mitigate the risks associated with software supply chain attacks, Kaspersky recommends organizations adopt the following security measures:

  • Audit software supply chains: Before authorizing third-party applications for corporate environments, evaluate the vendor’s security track record, review their vulnerability disclosure data, and verify their compliance with industry security standards.
  • Enforce strict procurement protocols: Mandate regular security audits for all deployed software and ensure any tools utilized by employees comply with the organization’s internal security policies and incident notification requirements.
  • Restrict administrative privileges: Implement preventive frameworks, such as the principle of least privilege and zero-trust architecture. Limiting user access rights significantly reduces the potential blast radius if a trusted application is compromised and attempts to execute unauthorized commands.
  • Deploy continuous infrastructure monitoring: Kaspersky recommends utilizing Extended Detection and Response (XDR) solutions, such as the Kaspersky Next product line. These tools provide real-time monitoring to identify anomalies in network traffic or unauthorized actions originating from implicitly trusted software.
  • Update incident response playbooks: Ensure organizational security strategies explicitly account for supply chain breaches. Playbooks must include predefined steps to rapidly identify, contain, and disconnect compromised third-party applications from internal systems.

About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.