Key Takeaways
- Kaspersky researchers discovered a malicious backdoor embedded in the Windows version of the disc‑imaging utility Daemon Tools, affecting thousands of computers worldwide.
- The backdoor was used by a Chinese‑language‑speaking threat actor to deploy additional malware on selected targets in the retail, scientific, manufacturing, and government sectors located in Russia, Belarus, and Thailand.
- The attack is classified as a supply‑chain compromise, wherein hackers abused the developer’s update mechanism to push malicious code to end‑users.
- Independent verification by TechCrunch using VirusTotal confirmed the presence of the backdoor in the Daemon Tools installer downloaded from the official site.
- Disc Soft, the maker of Daemon Tools, acknowledged the report, said it is investigating the issue, and promised to remediate any risks, though it has not yet confirmed specifics or released a patch.
- The incident follows a recent trend of supply‑chain attacks on popular software utilities such as Notepad++ and CPUID’s HWMonitor/CPU‑Z tools.
- Users should immediately verify the integrity of their Daemon Tools installation, consider uninstalling or disabling the program until a clean version is released, and run updated anti‑malware scans.
- Organizations that rely on Daemon Tools for imaging or virtual‑drive functions should monitor network traffic for anomalous connections and apply endpoint detection and response (EDR) controls.
- The threat remains active; Kaspersky warns that the attackers can still push malware via future updates unless the compromised build is removed and the supply chain secured.
Overview of the Discovery
Kaspersky’s global telemetry, gathered from machines running its antivirus product, revealed a pervasive infection pattern tied to the Daemon Tools software. The security firm announced on Tuesday that the malicious code had been identified in the Windows disc‑imaging utility, which enjoys a long‑standing user base for creating virtual drives and mounting disc images. By correlating telemetry alerts with file hashes, Kaspersky confirmed that the backdoor had been present in the software for a sufficient period to reach “thousands” of endpoints across multiple industries and geographies. The detection date was traced to April 8, indicating that the compromise had been active for at least several weeks before public disclosure.
Details of the Malicious Backdoor
The backdoor operates as a stealthy payload that executes when Daemon Tools launches or checks for updates. Once activated, it opens a covert communication channel to a command‑and‑control (C2) server controlled by the threat actors, allowing them to download and install additional malware modules. These secondary payloads have been observed to include information‑stealers, credential harvesters, and remote‑access tools, enabling the attackers to exfiltrate sensitive data and maintain persistent access on compromised hosts. The modular nature of the backdoor suggests that the threat actors can tailor the follow‑on malware to the specific interests of each victim organization.
Targeted Sectors and Geography
Kaspersky’s analysis linked the intrusion to a Chinese‑language‑speaking group, based on linguistic artifacts within the malware and the infrastructure used for C2 communications. The group employed the Daemon Tools backdoor to plant additional malware on a dozen carefully chosen systems spanning the retail, scientific, manufacturing, and government sectors. Victim organizations were located primarily in Russia, Belarus, and Thailand, indicating a geographically focused campaign rather than indiscriminate mass infection. The selectivity of the targets points to a “targeted” effort, likely aimed at gathering intellectual property, strategic intelligence, or facilitating further lateral movement within those networks.
Supply Chain Attack Context
This incident exemplifies the growing trend of supply‑chain compromises, where adversaries infiltrate the development or distribution pipeline of trusted software to reach a broad user base with a single malicious update. Earlier in the year, a Chinese‑state‑associated group hijacked the popular text editor Notepad++ to deliver malware to entities with interests in East Asia. Likewise, last month researchers warned of a tainted CPUID website that served compromised versions of HWMonitor and CPU‑Z utilities. In each case, the attackers gained unauthorized access to the developers’ build servers, code‑signing certificates, or update mechanisms, allowing them to sign and distribute malicious binaries that appeared legitimate to end‑users and security tools alike.
Evidence from VirusTotal and TechCrunch
To validate Kaspersky’s findings, TechCrunch downloaded the latest Windows installer for Daemon Tools directly from the official Disc Soft website. The file was submitted to the crowdsourced malware‑scanning service VirusTotal, where multiple antivirus engines flagged it as containing a Trojan or backdoor component consistent with Kaspersky’s description. The detection rate across engines was notable, confirming that the malicious code was not a false positive but an actual alteration of the legitimate installer. This independent verification strengthens the claim that the compromised build is being served to users who rely on the official download channel.
Disc Soft’s Response
When approached for comment, a Disc Soft representative acknowledged the Kaspersky report, stating that the company is “aware of the report and are currently investigating the situation.” The representative emphasized that the matter is being treated with the highest priority, that an active assessment is underway, and that steps are being taken to remediate any potential risks and ensure user security. However, as of the statement, Disc Soft had not confirmed whether a specific version of Daemon Tools was affected, nor had it released a patched build or detailed mitigation guidance. The lack of a concrete timeline for a fix leaves users in a state of uncertainty regarding the safety of the software.
Implications and Ongoing Threat
Kaspersky warned that the supply‑chain attack remains “still active,” meaning the threat actors retain the ability to push malicious updates through the compromised distribution channel as long as the tainted build continues to be served. Organizations that rely on Daemon Tools for creating virtual drives, forensic imaging, or software distribution may unwittingly execute the backdoor each time the application launches or checks for updates. The persistence of the threat underscores the necessity for continuous monitoring of software integrity, verification of digital signatures, and rapid response mechanisms when a trusted vendor’s supply chain is breached.
Recommendations for Users
Users and administrators should take immediate precautionary steps:
- Verify the version and hash of any Daemon Tools installation against known good checksums released prior to April 8, if available.
- Consider temporarily uninstalling Daemon Tools or disabling its automatic update feature until Disc Soft confirms a clean release.
- Run a full system scan with updated anti‑malware tools, paying particular attention to detection names associated with the backdoor (e.g., Trojan:Win32/DaemonTools.B).
- Monitor network traffic for unexpected outbound connections to unfamiliar IP addresses or domains, which may indicate C2 communication.
- Apply application‑whitelisting or endpoint detection and response (EDR) controls to prevent unauthorized executables from running.
- Stay tuned to official advisories from Disc Soft and Kaspersky for patches or remediation guidance.
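A PowerShell check for the hash, network-monitoring and signature points above, added here as an example and not code from the article, Kaspersky or Disc Soft. It assumes the install directory shown, a hand-maintained manifest of known-good SHA-256 hashes for builds released before April 8 (placeholders here), and an expected publisher name that you should confirm against a trusted copy.

```powershell
# Added example, not code from the article, Kaspersky or Disc Soft.
# Assumptions: install path below; $KnownGood holds SHA-256 hashes of builds
# released before April 8 (placeholders here, fill from your own baseline);
# $ExpectedSigner is the publisher name you expect on a trusted copy.
$InstallDir     = 'C:\Program Files\DAEMON Tools Lite'
$ExpectedSigner = 'Disc Soft'          # assumption: verify against a known-clean binary
$KnownGood = @{
    # 'DTLite.exe' = '<SHA256 OF KNOWN-GOOD BUILD>'   # placeholder entry
}

function Test-DaemonToolsBinary {
    param([Parameter(Mandatory)][string]$Path)
    $name = Split-Path -Leaf $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    # A file is suspicious if it is unsigned, has a broken signature, is signed by
    # an unexpected publisher, or its hash differs from the pre-April-8 baseline.
    $hashOk = if ($KnownGood.ContainsKey($name)) { $KnownGood[$name] -eq $hash } else { $null }
    [pscustomobject]@{
        File       = $name
        SHA256     = $hash
        SigStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        HashMatch  = if ($null -eq $hashOk) { 'no baseline' } else { $hashOk }
        Suspicious = ($sig.Status -ne 'Valid') -or
                     ($signer -notlike "*$ExpectedSigner*") -or
                     ($hashOk -eq $false)
    }
}

# 1. Integrity and signature of every executable under the install directory
Get-ChildItem -Path $InstallDir -Recurse -Include *.exe,*.dll -File |
    ForEach-Object { Test-DaemonToolsBinary -Path $_.FullName } |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 2. Established outbound connections owned by Daemon Tools processes; review
#    any remote address you cannot attribute to the vendor's update service.
$dtPids = (Get-Process | Where-Object { $_.Path -like "$InstallDir\*" }).Id
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $dtPids -contains $_.OwningProcess } |
    Select-Object OwningProcess, RemoteAddress, RemotePort
```

Run it from an elevated prompt so signature and process path lookups succeed for all binaries; a row marked Suspicious is a reason to isolate the host and preserve the file for analysis, not proof of compromise on its own.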
Conclusion
The discovery of a backdoor in Daemon Tools highlights how attackers are increasingly exploiting the trust placed in widely used software utilities to conduct precise, high‑impact operations. By compromising a trusted update channel, the threat actors turned a benign disc‑imaging tool into a vector for espionage‑grade malware across multiple sectors and nations. While Disc Soft has pledged an investigation, the absence of a confirmed fix leaves users vulnerable. Vigilance, verification of software integrity, and proactive defensive measures are essential to mitigate the risk posed by this active supply‑chain threat until a secure version is restored.
Note: This summary synthesizes the information provided in the original article and aims to inform readers about the nature, scope, and recommended actions related to the Daemon Tools supply‑chain compromise.

