DAEMON Tools Official Installers Spreading Malware to Thousands of PCs
The well-known DAEMON Tools software is affected by a security incident: since April 2026, official Windows installers hosted on the vendor’s legitimate website have been distributing malware without users’ knowledge. Here’s what we know.
DAEMON Tools is a tool for creating and mounting disk images, notably ISO files, on Windows or Mac machines. Writing this article brings back memories... I used it dozens of times. It was so convenient, until Windows became able to mount disk images natively. Unfortunately, it is now at the center of a security incident, following those that affected CPUID and Notepad++.

Legitimate DAEMON Tools Versions Infected
According to the recent findings from Kaspersky cybersecurity researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin, DAEMON Tools installers have been infected with malware since April 8, 2026. This attack directly targets the Windows version, more specifically versions 12.5.0.2421 through 12.5.0.2434. The Mac version of the software is not affected by this incident.
This appears to be a new supply-chain attack, as the attackers managed to inject malicious code into legitimate DAEMON Tools releases. In other words, the malicious code is contained in signed versions available through the official website.
As Kaspersky explains: "These installers are distributed from the legitimate DAEMON Tools website and are signed with digital certificates belonging to the DAEMON Tools developers".
The researchers’ analysis shows that three binaries shipped with the software are compromised:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
They are stored in the DAEMON Tools installation directory (Lite or Ultra), for example C:\Program Files\DAEMON Tools Lite. When the application is launched (often automatically at system startup), these binaries establish HTTP communication with a server controlled by the attackers and associated with the domain "env-check.daemontools[.]cc", a malicious domain registered on March 27, 2026.
The goal? To execute commands on the infected machine. "In response to the requests sent, the server can return a shell command to be executed via the cmd.exe process," the researchers explain. This method was used to launch PowerShell commands on the machine, notably to collect information about the local environment (hostname, MAC address, list of installed software, etc.).
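Because the trojanized binaries carry valid developer signatures, a signature check alone will not flag them; triage has to rely on the indicators the researchers published. The script below is an added example written for this article, not code from Kaspersky or the DAEMON Tools vendor. It takes the two indicators stated above (the affected build range 12.5.0.2421 through 12.5.0.2434 and the C2 domain env-check.daemontools.cc) and applies them to an installed version string and to DNS log lines. The log format ("timestamp host queried-name") and all log entries are constructed samples, as is the hostname naming.

```python
"""Triage helper for the DAEMON Tools supply-chain incident (added example).

Two checks a defender would run:
  1. Is an installed DAEMON Tools build inside the affected range
     (12.5.0.2421 through 12.5.0.2434, per the Kaspersky findings)?
  2. Do DNS or proxy logs show lookups of the C2 domain
     env-check.daemontools.cc, or of any host beneath it?

Indicator values come from the article; the log format and log lines are
constructed samples, not real telemetry.
"""
import re
from typing import Iterable

AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
# Written defanged in the article as env-check.daemontools[.]cc
C2_DOMAIN = "env-check.daemontools.cc"

# Assumed log layout: "<timestamp> <host> <queried name>" (constructed format)
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)$")

# Constructed sample log; two lines reference the C2 domain (one with a
# trailing dot as DNS servers log it, one in upper case), the rest are benign.
SAMPLE_DNS_LOG = [
    "# dns-log sample; fields: timestamp host qname",
    "2026-04-09T08:01:12Z WS-0417 env-check.daemontools.cc.",
    "2026-04-09T08:01:13Z WS-0417 cdn.example.net.",
    "2026-04-09T08:02:40Z WS-0102 time.example.org.",
    "2026-04-09T08:05:01Z WS-0233 ENV-CHECK.DAEMONTOOLS.CC",
]


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so ranges compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True when the build falls inside the range the researchers named."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def matches_c2_domain(name: str) -> bool:
    """Case-insensitive match on the C2 host or any subdomain of it;
    tolerates the trailing dot that DNS logs often keep."""
    n = name.lower().rstrip(".")
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def find_c2_lookups(lines: Iterable[str]) -> list:
    """Return one record per log line whose queried name hits the C2 domain.
    Lines that do not fit the assumed layout are skipped, not treated as hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and matches_c2_domain(m["qname"]):
            hits.append({"ts": m["ts"], "host": m["host"], "qname": m["qname"]})
    return hits


if __name__ == "__main__":
    for v in ("12.5.0.2418", "12.5.0.2428"):
        print(v, "affected" if is_affected_version(v) else "outside affected range")
    for hit in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup from {hit['host']} at {hit['ts']}: {hit['qname']}")
```

Run it against a real export by replacing SAMPLE_DNS_LOG with the lines of your resolver or proxy log, after adjusting LOG_LINE to that log's field order. A version outside the range is not proof of a clean host if the binary was updated after the beacon already ran, so a C2 hit on a host should be investigated regardless of what is installed now.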
A Worldwide Infection
Kaspersky telemetry data shows several thousand infection attempts spread across more than 100 countries, including France, Germany, Spain, Russia, Brazil, Italy, and China. The information-gathering phase was observed in each case and appears to be systematic.
What is not systematic is the second stage: deploying the backdoor, namely a remote access Trojan (RAT) called QUIC RAT. Kaspersky explains that it was deployed on only a few machines, suggesting that targets were selected from the broader pool of infected hosts. These include organizations in the retail, science, utilities, and some government sectors. In every case, the targets are reported to be located in Russia, Belarus, and Thailand.
"While we observed the information collector being deployed on a large number of infected machines, we also noticed that the attackers had attempted to inject another payload onto a very small number of machines, around a dozen in total," the report states.
At this stage, no attribution to a known hacker group has been established. For its part, the software vendor, AVB Disc Soft, was notified by Kaspersky following the detection of this malicious activity. According to The Hacker News, the DAEMON Tools vendor is currently investigating following Kaspersky’s reports. However, there is no indication that the cleanup has been completed, so it is best not to download this tool for the time being.