DAEMON Tools installers trojanized since April 8, backdoor hits thousands worldwide
Original source
DAEMON Tools trojanized in supply-chain attack to deploy backdoor
Kaspersky has flagged an ongoing supply-chain compromise of DAEMON Tools, the Windows virtual-drive utility, with digitally signed installers distributed from the official website carrying malicious code since April 8. Affected versions span 12.5.0.2421 through 12.5.0.2434, with tampering localized to DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Infections reached thousands of machines across more than 100 countries, but the operators were selective: only roughly a dozen systems received follow-on payloads.
The first stage is a profiler that exfiltrates hostname, MAC, processes, installed software, and locale. High-value targets — retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand — were promoted to a lightweight backdoor capable of in-memory execution and file delivery. At least one Russian educational institute received QUIC RAT, a more capable strain with multi-protocol C2 and process injection. Strings in the first-stage binary suggest a Chinese-speaking operator.
The attack went undetected for nearly a month, fitting a pattern of trusted-publisher compromises seen this year against eScan, Notepad++, and CPU-Z. Organizations running DAEMON Tools should treat any host that updated on or after April 8 as suspect and hunt for persistence and outbound C2 from those binaries.
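The hunt the last paragraph recommends can be scripted. The PowerShell below is an added example written for this summary, not code from Kaspersky, BleepingComputer, or the DAEMON Tools project. It locates the three named binaries, flags any whose file version falls in the affected 12.5.0.2421 to 12.5.0.2434 range, lists services registered for them, and shows established outbound connections from their live processes. The search roots are assumed default install locations (adjust them for your estate), and the calendar year of the April 8 cutoff is an assumption the summary does not state.

```powershell
# Added defender example; not code from the article, Kaspersky, or DAEMON Tools.
# Run elevated so process paths and connections are visible for all users.
param(
    # Assumption: default install locations. Widen to a whole drive for a full sweep.
    [string[]]$SearchRoots = @("$env:ProgramFiles\DAEMON Tools Lite",
                               "${env:ProgramFiles(x86)}\DAEMON Tools Lite",
                               "$env:ProgramFiles\DAEMON Tools Pro"),
    # Assumption: the April 8 cutoff is in the current year (the summary gives no year).
    [datetime]$UpdatedSince = [datetime]::new((Get-Date).Year, 4, 8)
)

# Indicators taken from the summary: the tampered binaries and the affected range.
$AffectedFiles = @('DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe')
$FirstBad = [version]'12.5.0.2421'
$LastBad  = [version]'12.5.0.2434'

# 1. Find the binaries on disk and evaluate version, timestamp and signature.
#    A Valid signature does NOT clear a file here: the trojanized builds were signed.
$findings = foreach ($root in $SearchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Include $AffectedFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi  = $_.VersionInfo
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path               = $_.FullName
            FileVersion        = $ver
            InAffectedRange    = ($ver -ge $FirstBad -and $ver -le $LastBad)
            WrittenAfterCutoff = ($_.LastWriteTime -ge $UpdatedSince)
            SignatureStatus    = $sig.Status
            Signer             = $sig.SignerCertificate.Subject
        }
    }
}

# 2. Persistence: services whose image path points at one of the binaries.
$namePattern = ($AffectedFiles | ForEach-Object { [regex]::Escape($_) }) -join '|'
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $namePattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Live processes for those binaries, and their established non-local connections.
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($AffectedFiles -contains (Split-Path -Leaf $_.Path)) }

$conns = foreach ($p in $running) {
    Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Established' -and
                       $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        Select-Object @{n='Process'; e={ $p.ProcessName }}, @{n='PID'; e={ $p.Id }},
                      RemoteAddress, RemotePort
}

"== DAEMON Tools binaries on disk =="
$findings | Format-Table -AutoSize
"== Services registered for those binaries =="
$services | Format-Table -AutoSize
"== Live processes =="
$running | Select-Object Id, ProcessName, StartTime, Path | Format-Table -AutoSize
"== Established outbound connections from those processes =="
$conns | Format-Table -AutoSize

# Any InAffectedRange = True result, or a WrittenAfterCutoff binary with unexpected
# network peers, marks the host as suspect for triage, not as confirmed compromised.
```

Treat the output as triage leads: a hit on the version range is the strong signal, while the timestamp and connection checks only narrow where to look next. Pivot from a suspect host into scheduled tasks, Run keys and proxy or DNS logs for the remote addresses the script surfaces, and collect the flagged binaries before remediating so their hashes can be compared against vendor-published indicators.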
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.