Kasperky warns popular Daemon Tools app backdoored by hackers to target specific victims

Security researchers Kaspersky published a new report outlining how someone broke into the website hosting DAEMON Tools around April 8, 2026. They added multiple new versions of the software, 12.5.0.2421 through 12.5.0.2434 - for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries.

When installed, these versions deployed multiple malware variants. First, the victim gets infected with a basic infostealer that grabs system data (hostname, MAC address, running processes, installed software, and system locale), and relays it to the attackers. Then, based on the information returned, the malware moves to stage two, deploying a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.

Highly targeted attack

DAEMON Tools was extremely popular in the early 2000s, but even today it is considered to be widely used.

Kaspersky noted how just among its own customers, it has seen “several thousands of infection attempts” from early April, with victims located all around the world, in more than 100 countries and territories, with the majority in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Kaspersky also noted that this seems to be a highly targeted attack. The threat actors cannot choose who gets infected with the infostealer, since it’s hosted on DAEMON Tools’ website. Stage two, however, was only seen on a dozen machines belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.

“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.”

Kaspersky could not determine the identity of the attackers but believes they are Chinese.

Via BleepingComputer