Kaspersky GReAT has uncovered a compromised installer of DAEMON Tools Lite distributed directly from the official vendor site since April 8, 2026.

Detections for installers:

JDownloader2Setup_windows-amd64_v21_0_10.exe

JDownloader2Setup_windows-amd64_v1_8_0_482.exe

The spawned exe in the \Temp folder is detected some minutes after the installation.

I have reinstalled Windows recently and haven't installed a third-party AV for now. I have an ESET license and even have PowerShell-related HIPS rules that need my permission for cmd to launch PowerShell (among other rules), and denying this could've prevented this attack, it seems.
Supply chain attacks like this make you question things 🤔
Exactly. When legitimate software is compromised it becomes a risk to the entire ecosystem, and lately there have been many instances of legitimate software being compromised.
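The behaviour discussed in the posts above (an installer dropping an executable into a Temp folder, and a HIPS rule that gates cmd launching PowerShell) can be expressed as a detection over process-creation logs. The script below is an added example, not code from this thread or from any vendor mentioned in it; the pipe-separated event format, the sample events, and the installer, helper, user and path names in them are all constructed for illustration.

```python
"""Flag cmd.exe -> powershell.exe chains whose ancestry includes an executable
running from a Temp directory.

Added example: the event format and every sample event below are constructed
for this illustration (placeholder installer/helper names), not real log data.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events, one per line: ts|pid|ppid|image|cmdline
SAMPLE_LOG = r"""
# constructed events; ExampleSetup.exe, helper.exe and user 'alice' are placeholders
10:00:01|100|4|C:\Users\alice\Downloads\ExampleSetup.exe|ExampleSetup.exe
10:00:05|200|100|C:\Users\alice\AppData\Local\Temp\is-4F2A.tmp\helper.exe|helper.exe /stage
10:00:06|300|200|C:\Windows\System32\cmd.exe|cmd.exe /c start /min powershell.exe -w hidden
10:00:06|400|300|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden
10:05:00|500|4|C:\Windows\explorer.exe|explorer.exe
10:05:10|600|500|C:\Windows\System32\cmd.exe|cmd.exe
10:05:20|700|600|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe
"""


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_events(lines) -> List[ProcEvent]:
    """Parse the constructed pipe-separated format; blank and '#' lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, int(pid), int(ppid), image, cmdline))
    return events


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def is_temp_path(image: str) -> bool:
    """True when the image lives under a Temp/Tmp directory anywhere in its path."""
    low = image.lower().replace("/", "\\")
    return "\\temp\\" in low or "\\tmp\\" in low


def lineage(pid: int, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """The process and its ancestors, nearest first. Stops at parents that are
    not in the log and guards against pid cycles in corrupted or reused-pid logs."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_suspicious_chains(events: List[ProcEvent]) -> List[dict]:
    """Alert on powershell.exe spawned by cmd.exe when some ancestor runs from Temp.
    Requiring the Temp-resident ancestor keeps an ordinary console session quiet."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "cmd.exe":
            continue
        chain = lineage(e.pid, by_pid)
        temp_hits = [a for a in chain if is_temp_path(a.image)]
        if temp_hits:
            alerts.append({
                "ts": e.ts,
                "pid": e.pid,
                "temp_image": temp_hits[0].image,   # nearest Temp-resident ancestor
                "chain": [basename(a.image) for a in chain],
                "cmdline": e.cmdline,
            })
    return alerts


def run_demo() -> List[dict]:
    """Run the rule over the constructed sample and return the alerts."""
    return find_suspicious_chains(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['ts']} pid={alert['pid']} chain={' <- '.join(alert['chain'])}")
        print(f"  temp ancestor: {alert['temp_image']}")
```

Over the constructed sample, only the chain rooted at the installer (ExampleSetup.exe, then a helper in Temp, then cmd, then PowerShell) raises an alert; the user's own Explorer-launched console is silent. Installers dropping helpers into Temp is routine on its own, which is why the rule keys on the extra cmd-to-PowerShell hop rather than on the Temp write alone.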

The DAEMON-trojaned downloads were signed with the developer's own certificate. They're more thoroughly pwned than JDownloader's, whose trojaned builds apparently weren't signed (wherever they are supposed to be), and MD seemed to block it for some but not all.

The DAEMON one was scarier. It’s a compelling reason to buy Kaspersky or ESET. K didn't attribute the actor yet, but it may have been an APT since the targets were so specific.


Do you have the domains/IPs that it blocked?
I’ll look into the logs when I get back home from work and will post it here.

I remember mounting pirated games back in the day with this software. Is that still the case? Can't understand the use case since you can mount ISOs in Explorer.
I mainly have it installed as a backup. There are some older retro games (Road Rash, NFS 3 Hot Pursuit, Knight Rider) which I use on my PC, and SAC blocks these ISOs when running from Explorer. Mounting these ISOs from DAEMON Tools Lite solves this issue.
 
Started on 7th May, and I uninstalled DTL soon after since I got fed up with the warning appearing repeatedly and randomly.
That’s after K’s report on the 5th, though. Although most (or all) of K’s samples were submitted near the signature dates (the beginning of April) and the “First seen in the wild” entries are on May 5th (signal from K?), two samples date back to the end of April.
So maybe ESET didn’t catch this early either? (K claimed they did.)

PS: Maybe I'm getting all twisted by these APTs. Notepad++ and this one seem highly targeted anyway; I wouldn't be a target by profiling for sure.