Kasperky warns popular Daemon Tools app backdoored by hackers to target specific victims

A two-stage process targets government, science, and retail

News By Sead Fadilpašić published 6 May 2026

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads
• Email

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter

• Attackers poisoned DAEMON Tools downloads with malware, infecting thousands worldwide
• The campaign deployed an infostealer first, followed by a selective backdoor on targeted machines
• Researchers suspect Chinese actors, noting the attack’s precision against government and industry systems

DAEMON Tools, a popular program used to create and use virtual drives on a computer, was poisoned to deliver dangerous backdoor to thousands of users, experts have warned.

Security researchers Kaspersky published a new report outlining how someone broke into the website hosting DAEMON Tools around April 8, 2026. They added multiple new versions of the software, 12.5.0.2421 through 12.5.0.2434 - for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.

When installed, these versions deployed multiple malware variants. First, the victim gets infected with a basic infostealer that grabs system data (hostname, MAC address, running processes, installed software, and system locale), and relays it to the attackers. Then, based on the information returned, the malware moves to stage two, deploying a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.

Article continues below

Highly targeted attack

DAEMON Tools was extremely popular in the early 2000s, but even today it is considered to be widely used.

Kaspersky noted how just among its own customers, it has seen “several thousands of infection attempts” from early April, with victims located all around the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Kaspersky also noted that this seems to be a highly targeted attack. The threat actors cannot choose who gets infected with the infostealer, since it’s hosted on DAEMON Tools’ website. Stage two, however, was only seen on a dozen machines belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.

“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.”

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors