A recent report by Kaspersky confirms what cyber security teams already feared: attackers compromised official DAEMON Tools installers and, since April 8, distributed digitally signed software that included a first-stage malware capable of installing a backdoor and exfiltrating information from the affected machines. The campaign is a classic example of a supply chain attack: trust in a legitimate installer exploited to gain massive reach and, in some cases, access to high-value targets.
According to Kaspersky, the affected versions are specific builds of the 12.5 branch (from 12.5.0.2421 to 12.5.0.2434), and the compromised components were the executables DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe. The first module acts as an "info stealer" that collects data such as computer name, MAC address, running processes and installed software so that the attackers can profile victims. On that basis, in just a dozen environments a second stage, light but powerful, was deployed, capable of running commands, downloading additional payloads and executing code directly in memory; in at least one case the presence of the sophisticated QUIC RAT was observed.

Distribution through signed installers and persistence evades many initial detections: the digital signature gives a legitimate appearance that lowers the guard of users and administrators, and the selective delivery of follow-on payloads turns most infections into simple sensors that help the attackers pick targets of interest. That is why it matters that, although thousands of machines in more than 100 countries received the compromised installer, only a few were targeted by the second stage, which suggests an interest in specific targets such as retail, educational, scientific and manufacturing organizations in countries such as Russia, Belarus and Thailand.
The practical implications are clear: any organization that downloaded DAEMON Tools from the official site around those dates should assume it is at risk and act. The nature of the vector, utility software with a legitimate use, shows that prevention cannot rely only on checking signatures or blocking applications by name; it requires detection controls, minimum-exposure policies and rapid response processes.
If you are an administrator or a security officer, start by quickly identifying the hosts that installed DAEMON Tools on or after 8 April and examining them for abnormal activity: unknown outbound connections, unusual processes, in-memory execution with no associated file on disk, and changes to persistence mechanisms. Obtain and apply the IoCs and technical recommendations published in Kaspersky's analysis and by other sources, and consider immediate containment of suspicious hosts to prevent lateral movement and exfiltration.
In addition to isolating compromised hosts, rotate credentials that may have been used on those machines, revoke certificates if necessary and perform forensic analysis with EDR or tools that support in-memory detection. To reduce false negatives, support the investigation with public YARA rules and IoCs and with network tooling that detects C2 patterns and abnormal downloads; also make sure backups are complete before restoring systems.
For users and small organizations: if you need DAEMON Tools, download a verified copy from alternative channels recognized by the vendor (and verify checksums and signatures), or remove the application and replace its functionality with more modern alternatives where possible. If you do not mount virtual disc images regularly, uninstall the software and scan the machine with an up-to-date antivirus and memory detection tools.
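The host triage described above (inventory the installation, check it against the reported version window, inspect the three named executables' signatures and hashes, and look for live outbound connections and persistence tied to the install directory) can be scripted. The following PowerShell is an added example written for this page; it is not code from the article or from Kaspersky. It assumes the year of the April 8 cutoff (left as a placeholder, since the article does not state it), that the IoC hash list is filled in from Kaspersky's published indicators, and that it runs with administrator rights on the host being examined.

```powershell
# Added triage example (not from the article or from Kaspersky). It inventories
# DAEMON Tools installs, flags the 12.5.0.2421-12.5.0.2434 range and installs
# after the cutoff, inspects the three executables named in the report, and
# lists outbound connections and persistence entries tied to the install path.
#Requires -RunAsAdministrator

$AffectedMin    = [version]'12.5.0.2421'   # from the report
$AffectedMax    = [version]'12.5.0.2434'   # from the report
$Cutoff         = Get-Date '<YEAR>-04-08'  # PLACEHOLDER: year of the campaign is not stated
$SuspectExes    = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$KnownBadSha256 = @()                      # PLACEHOLDER: populate from Kaspersky's IoC list

function Get-DaemonToolsInstall {
    # Walk both uninstall hives; InstallDate is a yyyyMMdd string when present.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |
        ForEach-Object {
            $ver = $null
            [void][version]::TryParse($_.DisplayVersion, [ref]$ver)
            $installed = $null
            if ($_.InstallDate) {
                $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name            = $_.DisplayName
                Version         = $ver
                InstallDate     = $installed
                InstallLocation = $_.InstallLocation
                InAffectedRange = [bool]($ver -and $ver -ge $AffectedMin -and $ver -le $AffectedMax)
                AfterCutoff     = [bool]($installed -and $installed -ge $Cutoff)
            }
        }
}

function Test-SuspectBinary {
    param([string]$Root)
    if (-not $Root -or -not (Test-Path $Root)) { return }
    Get-ChildItem -Path $Root -Recurse -Include $SuspectExes -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            [pscustomobject]@{
                Path       = $_.FullName
                Sha256     = $hash
                SigStatus  = $sig.Status          # 'Valid' is necessary, not sufficient here
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                MatchesIoC = $KnownBadSha256 -contains $hash
            }
        }
}

function Get-OutboundFromPath {
    param([string]$Root)
    if (-not $Root) { return }
    # Established TCP connections whose owning process image lives under $Root.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            if ($p -and $p.Path -and $p.Path.StartsWith($Root, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{
                    Process = $p.ProcessName
                    Pid     = $p.Id
                    Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                }
            }
        }
}

function Get-PersistenceReferences {
    param([string]$Root)
    if (-not $Root) { return }
    # Run keys and scheduled tasks that point into the install directory.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$Root*" } |
                ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Value = $_.Value } }
        }
    }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Actions.Execute -like "*$Root*" } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Value = ($_.Actions.Execute -join ';') }
        }
}

$installs = Get-DaemonToolsInstall
if (-not $installs) { Write-Output 'No DAEMON Tools installation found in the uninstall registry.'; return }
foreach ($i in $installs) {
    $i | Format-List
    if ($i.InAffectedRange -or $i.AfterCutoff) {
        Write-Warning "$($i.Name) $($i.Version) falls in the reported window; collecting artefacts."
        Test-SuspectBinary        -Root $i.InstallLocation | Format-Table -AutoSize
        Get-OutboundFromPath      -Root $i.InstallLocation | Format-Table -AutoSize
        Get-PersistenceReferences -Root $i.InstallLocation | Format-Table -AutoSize
    }
}
```

Two design points follow from the article itself. A `SigStatus` of `Valid` clears nothing, because the campaign shipped correctly signed binaries; the hash comparison against the published IoC list is the stronger check, and a valid signature from an unexpected signer or thumbprint deserves a closer look. The script only covers on-disk and network artefacts; the in-memory second stage the report describes needs EDR or a memory scanner, which is why the output is best treated as a queue of hosts to isolate and image rather than as a verdict.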

This episode fits a broader trend: the almost monthly emergence of breaches in software supply chains this year shows that trust in a legitimate package is no longer sufficient. Organizations should require their suppliers to publish SBOMs, strictly monitor the build process, rotate and protect signing keys, and adopt frameworks such as SLSA to strengthen the security of the software life cycle. For practical guidance on supply chain risk management, see public resources such as those published by CISA: https://www.cisa.gov/supply-chain-risk-management.
For technical details and the list of indicators of compromise, Kaspersky's analysis is a useful starting point: Kaspersky - DAEMON Tools backdoor. Response teams should collect local artifacts, compare them with known IoCs and coordinate notifications to suppliers and, where appropriate, regulatory authorities to meet incident reporting requirements.
In short, this incident reinforces two lessons that are already mandatory for modern cyberdefence: trust in signed software is not an absolute guarantee, and defense in depth is essential. Organizations that apply continuous software inventory, network segmentation, performance monitoring and well-tested response procedures will significantly reduce the impact of future supply chain compromises.