DAEMON Tools shipped a signed backdoor for almost a month. Kaspersky says one school in Russia got the second stage.
Kaspersky pinned a supply-chain attack on the DAEMON Tools installer dating to April 8. Thousands hit globally, dozens upgraded to a QUIC RAT implant via signed binaries.
Kaspersky disclosed on May 5, 2026 that the official DAEMON Tools installer was trojanized for nearly a month. The compromise dates back to April 8 and rode on legitimate AVB Disc Soft code-signing. Thousands of machines in roughly 100 countries pulled the malicious build before anyone caught it.
A signed installer from a vendor’s own domain bypasses every layer of consumer-grade defense. SmartScreen trusts the cert, EDR baselines assume the publisher is benign, and the average user clicks through with no friction. That’s the failure mode this story exposes. The interesting twist is the targeting: thousands of stage-one infections worldwide, but only a dozen hosts ever received the heavier QUIC RAT payload. The campaign behaves like a wide-net dragnet attached to a sniper rifle, which is rare in supply-chain attacks of this profile and worth paying attention to.
What we know
Versions 12.5.0.2421 through 12.5.0.2434 of the DAEMON Tools installer shipped a first-stage information stealer hidden inside DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, per Kaspersky’s writeup. The binaries were signed by AVB Disc Soft’s legitimate certificate.
- Timeline. The malicious build went live April 8 and stayed up for “almost a month” per Kaspersky’s count. BleepingComputer reports the malicious package was still on the official download page as of publication.
- Stage one. The stealer sends host metadata (hostname, MAC address, running process list, installed software, locale) to a C2 server. The server decides whether the host is interesting.
- Stage two: QUIC RAT. Selected targets receive a more capable implant that supports multiple C2 transports including QUIC, and injects payloads into notepad.exe and conhost.exe. Kaspersky has only tied QUIC RAT to one organization so far: an educational institution in Russia.
- Geographic spread. Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China lead the stage-one infection count. About a hundred countries total.
- Attribution. Strings inside the stage-one payload point to Chinese-speaking operators, per Kaspersky. The firm describes the attack as targeted despite the wide stage-one footprint. Kaspersky’s writeup puts the call to action plainly: “Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had DAEMON Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8.”
The stealer’s profile-and-promote design is the defining detail. Most supply-chain attacks of the past year (Trivy, PyTorch Lightning, and the npm worms before them) treated every infection as a target. This one filters.
What we don’t know
Disc Soft hasn’t responded publicly. BleepingComputer says the company didn’t reply to requests for comment. The vendor’s signing cert was active and trusted while the malicious binaries were live, which raises the immediate operational question: was the signing key stolen, was the build pipeline compromised, or did an attacker push trojanized source through a maintainer account?
Kaspersky also hasn’t confirmed which subset of installer downloads from the official site routed to the malicious build versus a clean one. A clean version exists in the wild from the same numeric version range, suggesting either A/B routing or a partial-mirror compromise.
The QUIC RAT capability list is partially published. Kaspersky’s blog post details the multi-protocol C2 and the injection targets but holds back on full IOC sets pending coordination with affected organizations.
Source attribution
The technical report is Kaspersky’s Securelist writeup. BleepingComputer’s reporting added the lack-of-vendor-response note and the still-live status. TechCrunch carried the Chinese-speaking attribution and the single-organization QUIC RAT confirmation.
What this means for you
If you have DAEMON Tools installed on any Windows machine, consider it suspect until you’ve verified the version. Anything in the 12.5.0.2421 through 12.5.0.2434 range that landed on a host on or after April 8 is presumed compromised. Pull the SHA-256 of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe and compare against Kaspersky’s IOC list. Reinstall from a clean source if any match.
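The version, hash and date checks above, as an added triage script that is not part of Kaspersky's or Disc Soft's material. It assumes a default DAEMON Tools Lite install directory and uses a placeholder where the Kaspersky IOC hashes belong; fill that list from the Securelist writeup before trusting the verdict.

```powershell
# Added host-triage example (not Kaspersky's or Disc Soft's code).
# Assumptions: install path below is the common default; $KnownBadSha256
# holds a placeholder, not a real hash, and must be filled from the IOC list.
$InstallDir     = Join-Path $env:ProgramFiles 'DAEMON Tools Lite'   # assumed path
$Binaries       = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$BadRangeLow    = [version]'12.5.0.2421'
$BadRangeHigh   = [version]'12.5.0.2434'
$CutoffDate     = Get-Date '2026-04-08'
$KnownBadSha256 = @('<SHA256-FROM-KASPERSKY-IOC-LIST>')   # placeholder only

foreach ($name in $Binaries) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) { Write-Output "$name : not present"; continue }

    $item    = Get-Item $path
    $verText = $item.VersionInfo.FileVersion
    $ver     = $null
    $inRange = $false
    # FileVersion may carry a suffix; parse only the leading dotted number.
    if ([version]::TryParse(($verText -split ' ')[0], [ref]$ver)) {
        $inRange = ($ver -ge $BadRangeLow) -and ($ver -le $BadRangeHigh)
    }

    $sha256 = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $iocHit = $KnownBadSha256 -contains $sha256

    # The trojanized builds carried a valid AVB Disc Soft signature, so a
    # 'Valid' status does NOT clear the file; it is recorded for context only.
    $sig = Get-AuthenticodeSignature -FilePath $path
    # CreationTime approximates when the installer dropped the file.
    $landedAfterCutoff = $item.CreationTime -ge $CutoffDate

    $verdict = if ($iocHit) { 'MATCHES IOC: reinstall from a clean source' }
    elseif ($inRange -and $landedAfterCutoff) { 'affected range, landed on/after Apr 8: presumed compromised' }
    elseif ($inRange) { 'affected range: compare hash against IOC list' }
    else { 'outside affected range' }

    [pscustomobject]@{
        File      = $name
        Version   = $verText
        SHA256    = $sha256
        Signer    = $sig.SignerCertificate.Subject
        SigStatus = $sig.Status
        Created   = $item.CreationTime
        Verdict   = $verdict
    }
}
```

Run it in an elevated PowerShell session on each Windows host with DAEMON Tools installed; any row whose Verdict is not "outside affected range" needs the follow-up in the text.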
For corporate defenders, the lesson the QUIC RAT story drives home is that signed-binary trust is conditional, not absolute. The 12-host targeting list means most enterprises will only see the stage-one beacon. Hunt for outbound traffic from DTHelper.exe to non-Disc-Soft domains over the past four weeks. Stage-two activity warrants full host triage, not just file replacement, since QUIC RAT injects into legitimate processes and persists across uninstall.
Disc Soft hasn’t published a clean rebuild path yet. Until they do, treat the official download page as untrusted.
Sources
- Popular DAEMON Tools software compromised — Securelist (Kaspersky)
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — BleepingComputer
- Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in 'widespread' attack — TechCrunch