Kaspersky Links Suspected Chinese Hackers to Backdoor Planted in Daemon Tools Supply Chain Attack

Cybersecurity researchers at Kaspersky have uncovered a large-scale supply chain attack involving the popular Windows disk imaging software Daemon Tools, where attackers allegedly implanted a malicious backdoor into official installers distributed through the software’s legitimate website. The company believes the operation is linked to a Chinese-speaking threat actor.

According to researchers, the compromised installers have been circulating since April 8, 2026, and affect multiple versions of the software, including releases from version 12.5.0.2421 onward. The malicious installers were reportedly signed using valid digital certificates belonging to AVB Disc Soft, the developer of Daemon Tools, allowing the malware to appear authentic and bypass common security warnings.
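The point in the paragraph above is that a valid vendor signature told users nothing here: the installers carried a legitimate AVB Disc Soft signature, so Windows' standard signature prompts would have passed them. The following PowerShell triage script is an added example, not code from the article, from Kaspersky or from AVB Disc Soft; it treats a valid Authenticode signature as necessary but not sufficient and additionally requires the installer's SHA-256 to appear in an allowlist obtained out-of-band. The hash in the allowlist and the `DAEMON*.exe` filename pattern are placeholders and assumptions, not values from the report.

```powershell
# Added example (not from the article, Kaspersky or AVB Disc Soft).
# Triage for downloaded installers where the attacker held a valid vendor
# certificate: require BOTH a valid Authenticode signature AND a SHA-256 match
# against a hash list obtained from a trusted, independent channel.

$KnownGoodSha256 = @{
    # PLACEHOLDER: replace with hashes published by the vendor or verified
    # against an archived pre-incident copy. This value is constructed.
    '0000000000000000000000000000000000000000000000000000000000000001' = 'placeholder build'
}

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

    $result = [pscustomobject]@{
        File            = $Path
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Sha256          = $hash
        HashAllowlisted = $KnownGoodSha256.ContainsKey($hash)
        Verdict         = 'REVIEW'
    }

    if ($sig.Status -ne 'Valid') {
        $result.Verdict = 'BLOCK: signature not valid'
    } elseif (-not $result.HashAllowlisted) {
        # The case the article describes: validly signed by the real vendor,
        # yet not a build anyone has independently vouched for.
        $result.Verdict = 'QUARANTINE: valid vendor signature but hash not in allowlist'
    } else {
        $result.Verdict = 'ALLOW'
    }
    return $result
}

# Usage (filename pattern is an assumption): scan a download folder and list verdicts.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'DAEMON*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InstallerTrust -Path $_.FullName } |
    Format-Table File, SignatureStatus, HashAllowlisted, Verdict -AutoSize
```

The allowlist is the part that does the work: `Get-AuthenticodeSignature` alone would have returned `Valid` for the compromised installers, so the script's quarantine branch, not its signature check, is what would have caught them. Populate the list from a channel the web site cannot influence (a vendor advisory delivered separately, or hashes recorded from installers obtained before the reported compromise window).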

The attack is considered particularly dangerous because Daemon Tools requires elevated system permissions to emulate virtual drives. By exploiting this trusted access, attackers were able to establish deep persistence within infected systems and deploy remote-control malware capable of executing commands and downloading additional payloads.

Kaspersky stated that telemetry data indicates thousands of infection attempts globally, with confirmed compromises affecting organizations across sectors including retail, industrial operations, scientific institutions, and government environments. Researchers said the attackers selectively deployed advanced malware on a subset of infected systems, suggesting a targeted espionage-oriented campaign rather than indiscriminate malware distribution.

The cybersecurity firm has notified AVB Disc Soft about the incident, though reports indicate the attack remained active at the time of disclosure. The company behind Daemon Tools acknowledged awareness of the report and said it was investigating the issue while working to mitigate risks for users.

The incident highlights the growing threat of software supply chain attacks, where attackers compromise trusted software distribution channels to infiltrate downstream systems at scale. Security experts warn that such attacks are becoming increasingly common as threat actors target software vendors and developer ecosystems to maximize reach and evade detection.
