A supply chain attack was discovered by Kaspersky involving DAEMON Tools software installers that were trojanized with malicious code signed by the legitimate developer's digital signature. The infected installers have been circulating since April 8, 2026, affecting versions 12.5.0.2421 to 12.5.0.2434. The malware installs a persistent Trojan that contacts a command-and-control server to receive commands and download additional payloads. Initial payloads collect system information such as MAC address, hostname, DNS domain, running processes, installed software, and language settings. Based on this data, a backdoor may be deployed capable of executing shell commands and loading further modules in memory. This backdoor can then deploy a more sophisticated RAT named QUIC RAT, which supports multiple communication protocols and can inject payloads into legitimate system processes. The attack has targeted thousands of users globally, with a minority of infections in organizational environments, including government and scientific institutions. The compromised files include DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The attack remains active as of the last report.

The attack compromises the integrity of DAEMON Tools installers, leading to the installation of persistent malware that can gather sensitive system information and enable remote control via a backdoor and advanced RAT. This allows attackers to execute arbitrary commands, deploy additional malicious payloads, and potentially maintain long-term access to infected systems. The infection affects both home users and organizations, including government and scientific sectors, increasing the risk of espionage or data theft. The widespread geographic distribution includes Russia, Brazil, Turkey, Spain, Germany, France, Italy, China, Belarus, and Thailand. The attack undermines trust in the software supply chain and poses a significant risk to affected users.

At the time of reporting, no official patch or remediation from the vendor is indicated. Users and organizations using DAEMON Tools should thoroughly check systems for unusual activity starting from April 8, 2026. Employing reliable security solutions is recommended, as Kaspersky's products have been effective in detecting and blocking the malware involved in this supply chain attack. Users should avoid installing or reinstalling affected versions (12.5.0.2421 to 12.5.0.2434) until the vendor provides an official fix or advisory. Monitoring for indicators of compromise as detailed in the Kaspersky report is advised. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.