What Happened
Kaspersky researchers identified a supply chain attack targeting DAEMON Tools, a widely used virtual drive and disc imaging utility developed by Disc Soft Limited. Trojanized installer versions 12.5.0.2421 through 12.5.0.2434 were distributed directly from the legitimate DAEMON Tools website between April 8 and early May 2026, signed with valid digital certificates belonging to the software’s developers. The malicious installers dropped a persistent backdoor sending requests to a command-and-control server on every system startup.
Kaspersky observed several thousand infection attempts across more than 100 countries. Targeted secondary payloads were deployed to a much smaller subset of victims — approximately a dozen machines — belonging to organizations in retail, scientific research, government, and manufacturing. The selective deployment pattern indicates a targeted intelligence collection operation run under broad-reach cover. Kaspersky suspects a Chinese-speaking adversary based on artifact analysis, though the activity has not been formally attributed to any known threat group. Disc Soft released a clean installer at version 12.6.0.2445.
Why This Matters for Canadian Organizations
DAEMON Tools is used widely across Canadian enterprise and government IT environments, particularly by system administrators, developers, and IT support staff who work with disc images and virtual drives for software deployment, testing, and legacy application management. This attack used a legitimate, signed installer from the official website — standard endpoint defenses verifying publisher certificates would not flag the install as suspicious.
The targeting pattern — government, scientific, and manufacturing organizations — aligns closely with sectors in which Canada has significant exposure: federal departments, Crown corporations, defence contractors, and research institutions. A Chinese-nexus threat actor conducting quiet reconnaissance through a trusted software supply chain is consistent with activity patterns the Canadian Centre for Cyber Security has previously warned Canadian organizations about. Even organizations outside the dozen receiving secondary payloads should treat any installation of affected DAEMON Tools versions as a potential indicator of compromise requiring investigation under PIPEDA’s breach notification obligations if sensitive data was accessible on the affected system.
What to Do
If DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 are installed anywhere in your environment, treat those systems as potentially compromised and conduct a forensic investigation before simply updating. Update to version 12.6.0.2445 or later. Audit startup tasks and scheduled tasks on affected systems for persistence mechanisms referencing unusual executables or network connections. Review network logs for outbound connections to unknown command-and-control infrastructure. Add the affected version range to your software asset inventory and verify removal through endpoint management tooling.
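The inventory and persistence checks above, as an added PowerShell example written for this summary (not from Kaspersky, Disc Soft, or the cited articles): it reads the standard Windows Uninstall registry keys, flags any DAEMON Tools install whose version falls in 12.5.0.2421 through 12.5.0.2434, and on affected hosts lists Run keys and scheduled task actions for analyst review. The DisplayName match on "DAEMON Tools" is an assumption about how the product registers itself; the script removes nothing.

```powershell
# Added example, not from the advisory. Flag affected DAEMON Tools versions and
# list autostart entries for triage. DisplayName pattern is an assumption.
$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$FixedMin    = [version]'12.6.0.2445'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        ForEach-Object {
            $v = $null
            $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
            $status = if (-not $parsed) { 'UNKNOWN-VERSION' }
                      elseif ($v -ge $AffectedMin -and $v -le $AffectedMax) { 'AFFECTED' }
                      elseif ($v -ge $FixedMin) { 'FIXED' }
                      else { 'OUTSIDE-RANGE' }
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Name = $_.DisplayName
                               Version = $_.DisplayVersion; Status = $status }
        }
}

# Persistence review: Run keys plus enabled scheduled tasks and their actions.
function Get-AutostartReview {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
        }
    }
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            [pscustomobject]@{ Source = "Task:$($_.TaskPath)$($_.TaskName)"
                               Name = $_.TaskName; Command = "$($a.Execute) $($a.Arguments)" }
        }
    }
}

$findings = Get-DaemonToolsStatus
$findings | Format-Table -AutoSize
if ($findings.Status -contains 'AFFECTED') { Get-AutostartReview | Format-Table -AutoSize -Wrap }
```

Run it through your endpoint management tooling to collect the Status column fleet-wide; a host reporting AFFECTED should be preserved for forensic review before the update to 12.6.0.2445 is pushed.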
Source: BleepingComputer | The Hacker News