Chinese-speaking threat actors conducted a supply chain attack by injecting malicious code into Daemon Tools versions 12.5.0.2421 to 12.5.0.2434, distributed via the official website. The compromised binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) were signed with legitimate certificates and contained a backdoor activated at system startup. This backdoor communicated with a typosquatting domain to receive commands and deploy an information collector on thousands of machines across over 100 countries. Using collected data, attackers selectively infected about a dozen high-value targets in Belarus, Russia, and Thailand with a minimalistic backdoor and deployed the QUIC RAT malware on a Russian educational institution. The attack demonstrates a targeted, multi-stage approach leveraging supply chain compromise and signed binaries to evade detection.

The attack compromised the integrity of Daemon Tools software, leading to widespread infection with an information-stealing backdoor on thousands of machines globally. Approximately 10% of infected systems belong to businesses and organizations. A small subset of high-value targets in government, scientific, manufacturing, and retail sectors were further compromised with a more advanced backdoor and additional malware, including QUIC RAT. This could enable espionage or targeted disruption. The use of signed binaries and legitimate distribution channels increases the risk of undetected compromise. No direct evidence of exploitation beyond infection and malware deployment is reported.

No official patch or remediation guidance has been provided by AVB Disc Soft as of the current information. The vendor has been notified of the compromise. Organizations using Daemon Tools versions 12.5.0.2421 to 12.5.0.2434 should consider discontinuing use until official guidance or updates are released. Monitoring for unusual network activity related to typosquatting domains and command execution may help detect compromise. Given the supply chain nature of the attack, verifying software integrity and using alternative trusted sources for installation is recommended. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.