Kaspersky GReAT has uncovered a compromised installer of DAEMON Tools Lite distributed directly from the official vendor site since April 8, 2026.

Status
Not open for further replies.

Khushal
Thread author

It successfully uses a valid developer digital certificate. Affected versions: 12.5.0.2421 to current.
Attackers tampered with legitimate binaries to execute malicious code at process startup, specifically during MSVC runtime initialization. It then leverages a legitimate Windows service to establish deep OS-level persistence.

Our telemetry shows infections across more than 100 countries. The top five most affected include:

🇷🇺 Russia
🇧🇷 Brazil
🇹🇷 Türkiye
🇪🇸 Spain
🇩🇪 Germany

10% of victims are businesses and orgs. Despite thousands of infections, attackers went hands-on-keyboard against just ~10 specific machines (Gov, Scientific, Manufacturing, Retail). They manually deployed shellcode injectors and previously unknown RATs.

Our researchers discovered Chinese-language artifacts within the malicious implants.
 
This is a serious supply-chain compromise, but it does not mean every DAEMON Tools installation is automatically a targeted espionage case.

From the information in the quoted Securelist report, the important points are:

  • Legitimate DAEMON Tools binaries were reportedly tampered with.
  • The malicious files were signed with a valid developer certificate, so signature trust alone was not enough.
  • Affected versions were reported as 12.5.0.2421 through current at the time of publication.
  • The malware used startup execution during MSVC runtime initialization and then abused a legitimate Windows service for persistence.
  • Most infections appear to have been broad, while only a much smaller subset received hands-on-keyboard follow-up activity.

What this means in practice

A valid signature does not guarantee a file is safe. It only confirms the file was signed with a certificate that Windows trusts. If the vendor build pipeline or signing process is compromised, signed malware is still possible.

The mention of Chinese-language artifacts is also not enough by itself to make a reliable attribution claim. That kind of detail can be useful to researchers, but it should be treated cautiously unless multiple independent indicators support the same conclusion.

If someone has DAEMON Tools installed

The safest next steps are straightforward:

  • Disconnect the affected machine from sensitive networks if it is used for business, research, or important accounts.
  • Check the exact installed version and compare it with the versions named in the report.
  • Run scans with a reputable antivirus product and, if possible, a second-opinion scanner.
  • Review persistence locations, scheduled tasks, services, and recently added drivers or unusual processes.
  • Change important passwords from a different clean device if there are signs of compromise.
  • For business systems, escalate to internal IT/security staff immediately.

For home users

If there are no signs of compromise, the response is usually:

  • Uninstall the affected software.
  • Install only a vendor-clean version after the vendor publishes a confirmed fixed release and guidance.
  • Run a full system scan.
  • Monitor accounts and browser-saved credentials if the machine handled sensitive logins.

For enterprise environments

A simple uninstall is often not enough if an affected version was present. Because the report describes persistence and selective post-compromise activity, administrators should treat this as a possible incident and review:

  • EDR alerts and process trees around DAEMON Tools execution
  • Service creation or modification events
  • Unusual outbound connections
  • Credential exposure on the host
  • Lateral movement indicators on nearby systems

Bottom line

The main takeaway is that this appears to be a credible and high-impact software supply-chain incident. The practical lesson is to verify exposure, scan affected systems, and follow vendor or incident-response guidance rather than relying on code signing as proof of safety.

Sources
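The version check, the signature caveat and the persistence review from the list above can be turned into one host triage script. This is an added example, not code from the post, from Kaspersky or from the DAEMON Tools vendor. It assumes the product registers itself under the standard Uninstall keys with an InstallLocation, and it takes the version threshold (12.5.0.2421) and the distribution start date (April 8, 2026) from the report; it reports and hashes, it does not delete anything.

```powershell
# Added example: triage a Windows host for a DAEMON Tools Lite install.
# Assumptions: standard Uninstall registry keys, InstallLocation populated,
# threshold version and start date taken from the report quoted above.

$ReportedFirstBadVersion = [version]'12.5.0.2421'
$ReportedStart           = Get-Date '2026-04-08'

# 1. Locate the product through the Uninstall keys (64-bit, 32-bit and per-user views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, InstallDate

if (-not $installs) { Write-Host 'No DAEMON Tools entry found in the Uninstall keys.' }

foreach ($app in $installs) {
    # DisplayVersion may carry trailing text or fewer than four parts; parse defensively.
    $parsed  = $null
    $inRange = $false
    if ([version]::TryParse(($app.DisplayVersion -replace '[^\d.]', ''), [ref]$parsed)) {
        $inRange = $parsed -ge $ReportedFirstBadVersion
    }
    [pscustomobject]@{
        Product         = $app.DisplayName
        Version         = $app.DisplayVersion
        InReportedRange = $inRange   # $true means "investigate", not "confirmed malicious"
        InstallLocation = $app.InstallLocation
    } | Format-List

    # 2. A Status of "Valid" is not proof of safety here: the report says the tampered
    #    binaries carry the vendor's own certificate. Record signer, thumbprint, signing
    #    window and SHA256 so they can be compared with a known-good release and the IOC list.
    if ($app.InstallLocation -and (Test-Path $app.InstallLocation)) {
        Get-ChildItem -Path $app.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File       = $_.FullName
                    SigStatus  = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    NotBefore  = $sig.SignerCertificate.NotBefore
                    SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            } | Format-Table -AutoSize
    }
}

# 3. Persistence review: services installed around or after the reported start date
#    (System log event 7045) and scheduled tasks outside the Microsoft tree. Review only.
$since = $ReportedStart.AddDays(-7)   # small margin for clock skew and log timing
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -Wrap

Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the System log and per-machine registry views are readable. The thumbprints and hashes it prints are the values worth comparing against the vendor's clean release and the published IOC list; the InReportedRange flag by itself only says the host needs that comparison.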
 

For the last 1 month, ESET web protection has been popping up with URL blocked. I suspected some foul play and had uninstalled Daemon Tools a while back. Thankfully this PC does not have any sensitive documents or browser cookies as this is used exclusively for gaming. Anyone with the latest Daemon Tools should uninstall the software and take necessary remedial steps if you store passwords in your PC.
 

That is a reasonable precaution, but the safest approach is to avoid treating the article alone as proof of full compromise.

If ESET Web Protection was repeatedly blocking outbound connections while DAEMON Tools was installed, that does support the possibility that something unwanted was trying to reach a remote server. However, I cannot confirm from the post alone whether your system was actually compromised, what component triggered it, or whether all DAEMON Tools installations are affected.

What makes sense to do now

  • Keep DAEMON Tools uninstalled.
  • Run a full scan with ESET and make sure signatures are fully updated first.
  • Run a second-opinion scan with a reputable tool such as Malwarebytes or Emsisoft Emergency Kit.
  • Check ESET logs to identify the exact blocked domain, process name, and timestamps. That helps determine whether the traffic really came from DAEMON Tools or from something else on the system.
  • If you used the PC to store passwords, change those passwords from a different clean device.
  • If a browser on that PC stored logins, sign out of important sessions and revoke active sessions where the service allows it.
  • If you had cryptocurrency wallets, email accounts, gaming accounts, or password manager access on that system, prioritize those first.

Because this is a gaming-only PC, the risk may be more limited, but not zero

Even without sensitive documents, these can still matter:

  • Saved browser credentials
  • Game platform accounts
  • Discord, Steam, Epic, Ubisoft, EA, Battle.net, and similar launchers
  • Cookies or active sessions
  • Download folders that may contain installers or mods

Useful checks before assuming the worst

  • Review startup entries with Autoruns or Task Manager Startup.
  • Review scheduled tasks for unknown entries.
  • Look for unusual services or processes.
  • Check whether ESET quarantined or named any related detection.

If you want a stronger cleanup path

A cautious escalation path would be:

  • Full AV scan
  • Second-opinion scan
  • Remove leftovers and persistence entries if found
  • If detections continue or logs look suspicious, consider a clean reinstall of Windows

For a gaming PC, a clean reinstall is often the fastest way to restore confidence if there are repeated unexplained outbound connection attempts.

One important caution

Saying “anyone with the latest DAEMON Tools should uninstall immediately” may be understandable as a warning, but it is still better to phrase it carefully unless there is verified vendor or researcher confirmation covering all current builds. In supply-chain cases, scope matters a lot.

Bottom line

Uninstalling it and scanning the system was a sensible move. The next best step is to verify what ESET actually blocked, run a second-opinion scan, and treat any saved credentials on that PC as potentially exposed until proven otherwise.
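The advice above to pull the exact blocked domain, process and timestamps out of the ESET logs, and to decide from that whether the traffic really came from DAEMON Tools, can be done with a short script over a log export. This is an added example, not part of the post and not ESET tooling: the CSV header and the three rows are constructed to resemble a web-protection export (adjust the header to the real file), the process file name is a placeholder because the page does not name the DAEMON Tools binaries, and the domains use reserved test names.

```powershell
# Added example: summarise blocked-URL events per process and domain, then separate
# the ones that originate from the DAEMON Tools install directory.
# The CSV layout and rows below are CONSTRUCTED sample data, not a real ESET export.
$sample = @'
Time,URL,Status,Application,User,IP address
2026-04-12 21:03:14,http://update-host.invalid/check.php,Blocked,C:\Program Files\DAEMON Tools Lite\PLACEHOLDER-process.exe,GAMING\player,203.0.113.10
2026-04-12 21:08:52,http://update-host.invalid/check.php,Blocked,C:\Program Files\DAEMON Tools Lite\PLACEHOLDER-process.exe,GAMING\player,203.0.113.10
2026-04-13 09:15:01,http://ads.example.test/track,Blocked,C:\Program Files\Mozilla Firefox\firefox.exe,GAMING\player,198.51.100.7
'@

# On a real host take this from the Uninstall key's InstallLocation; hard-coded here as an assumption.
$installDir = 'C:\Program Files\DAEMON Tools Lite'

$events = $sample | ConvertFrom-Csv

# One row per (process, domain): how often, from which IPs, and over what time window.
$summary = $events |
    Where-Object { $_.Status -eq 'Blocked' } |
    Group-Object -Property Application, { ([uri]$_.URL).Host } |
    ForEach-Object {
        $times = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        [pscustomobject]@{
            Application = $_.Group[0].Application
            Domain      = ([uri]$_.Group[0].URL).Host
            IPs         = ($_.Group.'IP address' | Sort-Object -Unique) -join ', '
            Count       = $_.Count
            FirstSeen   = $times[0]
            LastSeen    = $times[-1]
        }
    }

$summary | Sort-Object Count -Descending | Format-Table -AutoSize

# Split by origin: blocks from the DAEMON Tools directory versus everything else
# (browser ad blocks, for instance, are noise for this question).
$fromDaemon = $summary | Where-Object { $_.Application -like "$installDir\*" }
$total      = ($fromDaemon | Measure-Object -Property Count -Sum).Sum
Write-Host "Blocked connections originating from $installDir : $total"

# Unique domain/IP pairs to hand to the incident handler or compare with the published IOC list.
$fromDaemon | ForEach-Object { "$($_.Domain) $($_.IPs)" } | Sort-Object -Unique
```

With the sample rows the DAEMON Tools placeholder process accounts for two blocks of one domain and the browser block is listed separately; on a real export the same split tells you whether the repeated blocks line up with the DAEMON Tools install path and its timestamps, which is the evidence the incident handler needs, rather than the bare fact that something was blocked.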
 
The original Kaspersky article: Popular DAEMON Tools software compromised

Apparently, the trojan deployed an information collector used to select targets for further backdoor/RAT deployment, which Kaspersky observed in about a dozen cases. So the initial infection is widespread with very limited further damage.

The interesting part for me is that this is a supply-chain attack that only a good AV (which Kaspersky claimed) would have stopped. It took a month to be detected, so a delayed deployment might not have worked well either.

Starting from early April, we observed several thousands of infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them.

The first payload we observed to be deployed by attackers is an information collector.

The data collected by the information collector includes:
  • MAC address (first non-zero one);
  • Hostname;
  • DNS domain name;
  • List of running processes, separated by semicolons;
  • List of installed software, separated by semicolons;
  • System locale.
While we observed the information collector being attempted to be deployed on a large number of infected machines, we as well noted that attackers attempted to deliver another payload to a very small number of machines, equating to about a dozen. Based on this fact, we conclude with a high degree of confidence that the information collector is used for profiling the infected machines, with the profiling results further used to deploy additional payloads in a targeted manner.

Attackers attempted to infect most of the affected machines only with the information collector payload. However, the other backdoor payload, which is more complex, has been observed only on a dozen machines of government, scientific, manufacturing and retail organizations located in Russia, Belarus and Thailand.
 
Recently jdownloader has been compromised
 
The DAEMON-trojaned downloads were signed with the developer's own certificate. They’re more thoroughly pwned than JDownloader’s, whose trojaned builds apparently weren’t signed (wherever they are supposed to be), and MD seemed to block it for some but not all.

The DAEMON one was scarier. It’s a compelling reason to buy Kaspersky or ESET. K didn't attribute the actor yet, but it may have been an APT since the targets were so specific.

For the last 1 month, ESET web protection has been popping up with URL blocked.
Do you have the domains/IPs that it blocked?
 
I have reinstalled Windows recently and haven't installed a third-party AV for now. I have an ESET license and even have PowerShell-related HIPS rules that need my permission for cmd to launch PowerShell (among other rules), and denying this could've prevented this attack, it seems.
Supply chain attacks like this make you question things 🤔
 
Still no detections for JDownloader's unsigned malware by most vendors on VT, which is a bit concerning; some of those binaries were first seen on the 6th, so it has been two days. (Which does not necessarily mean that they are unable to deal with it.)
 
VirusTotal: the zip contains all IOCs.
 
Avast was very good

 
I also executed the installer in a VM: JDownloader2Setup_windows-amd64_v21_0_10.exe

And same result:



So it looks like all the installers come with a similar variant of the attack.

Hello,

New malicious software was found in the attached file. Its detection will be included in the next update.
Trojan.Win64.Agentb.lixu
Thank you for your help.

Best regards, Vyacheslav, Malware Analyst
 