Monday 06 July 2026 09:15:11 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Intelligence & Threat Trends

Backdoored at Startup: Daemon Tools Software Breach Puts Governments and Scientists in the Crosshairs

Published: 06 May 2026 11:01Category: Cyber Intelligence & Threat TrendsGeo: EuropeAuthor: LOGICFALCON

A stealthy supply chain attack on Daemon Tools exposes governments, scientific institutions, and global businesses to espionage and malware.

When trusted software turns traitor, even the most secure organizations can be blindsided. That’s the chilling reality facing governments and scientific entities worldwide after attackers hijacked the supply chain of Daemon Tools, a popular disk imaging utility. With a single software update, thousands of machines-some within sensitive institutions-were quietly compromised, their defenses undone by code hiding in plain sight.

The Anatomy of a Supply Chain Betrayal

Cybersecurity firm Kaspersky uncovered the breach after noticing unusual activity in Daemon Tools installations worldwide. The attackers, believed to be Chinese-speaking, infiltrated the software’s development pipeline and injected malicious code into three critical binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. All were digitally signed with legitimate certificates from AVB Disc Soft, the company behind Daemon Tools-making the tampering nearly invisible to users and many security tools.

Each time a compromised computer booted up, the backdoor activated, reaching out to a typosquatting domain registered just weeks before the attack began. It awaited instructions from the attackers’ server, which issued shell commands designed to further compromise the system and deploy information-gathering malware.

While the initial infection cast a wide net-impacting thousands of machines across industries and continents-the attackers exercised restraint. They handpicked a small subset of government, research, manufacturing, and retail organizations for deeper exploitation, deploying a minimalistic second backdoor. In one case, a Russian educational institution was targeted with the advanced QUIC RAT malware, suggesting a calculated, intelligence-driven operation.

The Bigger Picture: Supply Chain Risks Escalate

This incident is a stark reminder of the growing sophistication and selectivity of supply chain attacks. By compromising trusted software at its source, adversaries can bypass even robust perimeter defenses, gaining privileged access to sensitive systems. The use of authentic digital certificates and the attackers’ focus on high-value targets highlight the need for continuous vigilance-not just against external threats, but within the very tools organizations rely on daily.

Conclusion

With the Daemon Tools attack still active and its full impact uncertain, organizations are left questioning the integrity of their software supply chains. As attackers grow more adept at hiding in plain sight, the line between trusted utility and threat vector continues to blur. The enduring lesson: in cybersecurity, trust must always be verified-and sometimes, even that isn’t enough.

WIKICROOK

  • Supply Chain Attack: A supply chain attack is a cyberattack that compromises trusted software or hardware providers, spreading malware or vulnerabilities to many organizations at once.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Typosquatting Domain: A typosquatting domain is a fake website address resembling a real one, used to mislead users and often involved in phishing or fraud.
  • Digital Certificate: A digital certificate is an electronic document that verifies the identity of websites or programs, helping ensure secure and trusted online communication.
  • QUIC RAT: QUIC RAT is a remote access trojan that uses the QUIC protocol for covert control and data theft on compromised devices, evading standard detection.