Tags: Supply Chain, credential-theft, China, endpoint-security, Vulnerability Research

Daemon Tools Supply Chain Attack (April–May 2026): Impact, IOCs, and Response


If you installed DAEMON Tools Lite between April 8 and May 5, 2026, your machine may be running a backdoor signed with a valid developer certificate. Kaspersky's Global Research and Analysis Team published primary research on May 6 confirming an ongoing supply chain attack against the official DAEMON Tools website. This is not a typosquat or phishing campaign. The official installer, served from the official domain, was replaced with a backdoored version.

What happened

Kaspersky GReAT identified that versions 12.5.0.2421 through 12.5.0.2434 of DAEMON Tools Lite contained malicious modifications to three files installed in the main DAEMON Tools directory: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The malicious versions were signed with a valid developer digital certificate, allowing them to pass routine signature-based security checks on download.

The malware's first action is to send an HTTP GET request to env-check.daemontools[.]cc, a domain the attacker registered on March 27, 2026, two weeks before the first compromised installer appeared. The C2 responds with a shell command, which the malware executes via cmd.exe. That command downloads and runs the next stage of the payload chain.

DAEMON Tools Lite 12.6, released May 5, 2026, does not contain the backdoored files.

Scale and targeting

Kaspersky detected thousands of infection attempts spanning over 100 countries. The vast majority of affected devices belonged to home users, consistent with DAEMON Tools' primary use case as a consumer virtual drive utility. However, approximately 10% of infection attempts occurred on organizational systems. Kaspersky confirmed actual backdoor infections on a subset of machines in government, scientific, and manufacturing organizations in Russia, Belarus, and Thailand.

The attacker used DAEMON Tools as a wide-net initial access mechanism. The small percentage of enterprise hits is the intended value: at thousands of installations, even a 10% enterprise rate means hundreds of potentially compromised organizational endpoints.

Attribution

Kaspersky attributes this campaign to a Chinese-speaking actor based on language artifacts found in the malicious implants. This attribution is tentative, based on code and string analysis rather than infrastructure overlap with a confirmed named group. Kaspersky has not named a specific APT cluster.

The targeting profile (government, scientific, manufacturing) and the use of a valid certificate for supply chain concealment are consistent with Chinese state-aligned APT tradecraft, but "consistent with" is not the same as "confirmed".

What to do if you installed in the affected window

The remediation guidance here is deliberate: AV removal is not enough. The multi-stage payload chain means that by the time stage one ran, additional persistent components may have been installed that a standard scan will not reliably detect.

For any host that installed DAEMON Tools Lite between April 8 and May 5, 2026: reimage the host. If reimaging is not immediately feasible, quarantine the host from the network, collect forensic memory and disk images before any remediation, and run a full behavioral analysis of the three listed files.

IOC: C2 domain env-check.daemontools[.]cc. Do not allow DNS resolution of this domain on your network. The full IOC list, certificate serial number, and behavioral analysis are in the Kaspersky Securelist writeup (https://securelist.com/tr/daemon-tools-backdoor/119654/).
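The response guidance above, as an added triage helper (example code, not the article's or Kaspersky's): it flags hosts from a software inventory export and resolver query logs by affected build number, install date inside the compromise window, or a lookup of the C2 domain, so a host whose inventory looks clean is still caught by the DNS IOC. The inventory record fields and the BIND-style query log format are assumptions, and the sample data is constructed.

```python
# Added example (not the article's or Kaspersky's code); inventory and log formats below are constructed.
import re
from datetime import date

AFFECTED = ((12, 5, 0, 2421), (12, 5, 0, 2434))  # backdoored builds, inclusive
WINDOW = (date(2026, 4, 8), date(2026, 5, 5))     # compromise window, inclusive
C2_DOMAIN = "env-check.daemontools.cc"            # defanged as daemontools[.]cc in the article
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")

def version_affected(text):
    """Compare numerically: as strings, '9.0' > '12.5' and '12.5.0.300' > '12.5.0.2434'."""
    try:
        ver = tuple(int(p) for p in text.strip().split("."))
    except ValueError:  # e.g. 'unknown' in the inventory
        return False
    return AFFECTED[0] <= ver <= AFFECTED[1]

def installed_in_window(iso_day):
    return WINDOW[0] <= date.fromisoformat(iso_day) <= WINDOW[1]

def queries_c2(name):
    """C2 domain or any label beneath it; case-insensitive, trailing dot ignored."""
    name = name.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)

def triage(inventory, dns_lines):
    """Map host -> reasons it needs the reimage/quarantine response."""
    by_ip = {rec["ip"]: rec["host"] for rec in inventory}
    reasons = {}
    for rec in inventory:
        hits = []
        if rec["product"].startswith("DAEMON Tools Lite"):
            if version_affected(rec["version"]):
                hits.append("affected build " + rec["version"])
            if installed_in_window(rec["installed"]):
                hits.append("installed " + rec["installed"] + " inside compromise window")
        if hits:
            reasons[rec["host"]] = hits
    for line in dns_lines:  # a C2 lookup counts even when the inventory looks clean
        m = QUERY_RE.search(line)
        if m and queries_c2(m.group("name")):
            host = by_ip.get(m.group("ip"), m.group("ip"))  # unknown IP: report the IP
            reasons.setdefault(host, []).append("queried C2 " + C2_DOMAIN)
    return reasons

SAMPLE_INVENTORY = [{"host": "ws-01", "ip": "10.0.4.17", "product": "DAEMON Tools Lite", "version": "12.5.0.2430", "installed": "2026-04-20"},
                    {"host": "ws-02", "ip": "10.0.4.18", "product": "DAEMON Tools Lite", "version": "12.6.0.0", "installed": "2026-05-06"},
                    {"host": "ws-03", "ip": "10.0.4.19", "product": "DAEMON Tools Lite", "version": "unknown", "installed": "2026-04-09"}]
SAMPLE_DNS = ["07-May-2026 10:12:03.441 client 10.0.4.17#51234: query: env-check.daemontools.cc IN A + (10.0.0.53)",
              "07-May-2026 10:12:09.002 client 10.0.4.19#49311: query: ENV-CHECK.daemontools.cc. IN A + (10.0.0.53)"]
```

Running `triage(SAMPLE_INVENTORY, SAMPLE_DNS)` flags ws-01 on all three signals and ws-03 on install date and the C2 lookup despite its unparseable version string, while ws-02 (12.6, installed after the window) is not reported.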

The broader pattern

This is the fourth confirmed supply chain attack via official software distribution channels in 2026: eScan in January, Notepad++ in February, CPUID in April, and now DAEMON Tools in May. The attacker's method (compromising the hosting or build process, using a legitimate certificate, serving malicious code from the official domain) is the same across all four. Standard user guidance to download only from official sources no longer applies when the official source is compromised.

The structural problem: consumer utility software often ships signed binaries from small development teams without the continuous monitoring and build integrity controls that larger enterprise software vendors apply. An attacker who can compromise the hosting environment or build pipeline gets a propagation channel that looks identical to the legitimate product.

Verify your software build pipelines. Pin to exact version hashes. Monitor network egress from installed system utilities.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization needs help evaluating software supply chain exposure or responding to a suspected compromise.
