
A supply-chain attack distributed trojanised installers from the official website of virtual drive utility Daemon Tools.

According to Techzin and other outlets, Kaspersky’s Global Research and Analysis Team (GReAT) said the malicious installers were distributed directly via Daemon Tools’ official vendor website from May 8 local time and went undetected for about a month. Affected Daemon Tools versions ranged from 12.5.0.2421 to 12.5.0.2434.

Three core executable files were tampered with, activating a backdoor each time a device started. Because virtual drive utilities are typically granted high-level administrator privileges, the malware was able to embed itself deep in the operating system.

Kaspersky said it recorded thousands of infection attempts in more than 100 countries. It said 10 percent of affected systems belonged to companies. Most systems received only an information-stealing payload that collects data including MAC addresses, hostnames, running processes, installed software and language settings.

Attackers manually deployed a shellcode injector and previously unknown remote access tools (RATs) to more than 10 devices at organisations in Russia, Belarus and Thailand in the retail, science, government and manufacturing sectors.

Georgy Kucherin, a senior security researcher at Kaspersky, said, "Because users implicitly trust digitally signed software downloaded directly from an official vendor, these attacks bypass traditional perimeter defences." Kaspersky said the incident, similar to the 3CX supply-chain attack in 2023, went undetected for about a month.

The Daemon Tools case is the fourth supply-chain breach Kaspersky has identified in 2026 alone. Based on Kaspersky telemetry, the number of malicious packages found in open-source projects stood at about 19,500 as of the end of 2025, up 37 percent from a year earlier.

Daemon Tools developer AVB Disc Soft has already been notified about the malware. Kaspersky said it is detecting the tainted installation files and blocking their execution. It recommended isolating devices that have installed Daemon Tools and checking for abnormal activity after May 8.
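To act on that recommendation across a fleet, the sketch below (an added example, not code from Kaspersky or AVB Disc Soft) triages a software inventory export against the affected version range reported above. The CSV column names, hostnames and product string are constructed for illustration, and the range is assumed to be inclusive at both ends.

```python
import csv
import io
import re

# Affected range as reported in the article (assumed inclusive on both ends).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Constructed sample inventory export; hosts and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,product,version
ws-001,Daemon Tools,12.5.0.2421
ws-002,Daemon Tools,12.5.0.2434
ws-003,Daemon Tools,12.5.0.2420
ws-004,Daemon Tools,12.5.0.2435
ws-005,daemon tools,12.5.0.02430
ws-006,Daemon Tools,12.5.0
ws-007,Daemon Tools,unknown
ws-008,7-Zip,12.5.0.2425
"""

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a full dotted version."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(?:\.[0-9]+){3}", text):
        return None
    # Compare as integers: string comparison would mis-order e.g. "999" and "2421".
    return tuple(int(part) for part in text.split("."))

def triage(inventory_csv):
    """Return (isolate, review): hosts on an affected build, and hosts whose version is unreadable."""
    isolate, review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "daemon tools" not in row["product"].lower():
            continue
        version = parse_version(row["version"])
        if version is None:
            review.append(row["host"])      # cannot rule the host out, check by hand
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            isolate.append(row["host"])     # build falls inside the reported range
    return isolate, review

if __name__ == "__main__":
    isolate, review = triage(SAMPLE_INVENTORY)
    print("isolate:", isolate)
    print("manual review:", review)
```

Hosts with a truncated or missing version are listed for manual review instead of being treated as clean, since an unreadable version cannot rule out an affected build.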

Copyright © DigitalToday. All rights reserved. Unauthorized reproduction and redistribution are prohibited.