Cybersecurity · 2 hrs ago

Kaspersky Detects Active Chinese-Linked Backdoor in Daemon Tools Affecting Thousands of Windows PCs

Kaspersky reports a Chinese-linked backdoor in Daemon Tools, affecting thousands of Windows PCs. Learn the impact and mitigation steps.

Peter Olaleru / 3 min read / US

Cybersecurity Editor


*TL;DR: Kaspersky discovered a Chinese‑linked backdoor in Daemon Tools on April 8; the active supply‑chain attack is compromising thousands of Windows computers worldwide.*

Context

Daemon Tools, a long‑standing Windows disc imaging utility, distributes updates through its own website. A supply‑chain attack embeds malicious code in a legitimate software update, so the threat actor reaches every user who installs that update. Recent months have seen similar compromises of Notepad++ and the CPUID tools.

Key Facts

- Kaspersky’s telemetry from its antivirus base flagged a malicious component in Daemon Tools installers on April 8. The code functions as a backdoor, enabling remote command execution.
- Analysis attributes the malware to a Chinese‑speaking group based on code signatures and command‑and‑control infrastructure.
- Infections span at least a dozen systems in the retail, scientific, manufacturing, and government sectors across Russia, Belarus and Thailand, indicating targeted follow‑on attacks after the initial backdoor placement.
- Disc Soft, the developer of Daemon Tools, confirmed awareness and is investigating, but has not disclosed remediation details.
- VirusTotal scans of the current Windows installer show the backdoor payload, while the macOS version and other Disc Soft products remain unverified.

What It Means

The active backdoor means threat actors can still push additional malware to any Daemon Tools user who receives a compromised update. Because Daemon Tools runs with elevated privileges to mount virtual drives, the malicious code inherits system‑level access, matching MITRE ATT&CK techniques T1059 (Command‑Line Interface) and T1105 (Ingress Tool Transfer). Organizations that rely on Daemon Tools for imaging or software distribution should treat the compromise as a high‑severity supply‑chain risk.

Mitigations

- Immediately uninstall Daemon Tools from all endpoints unless the software is essential.
- If removal is not feasible, revert to a known clean version from a trusted archive and apply any patches released by Disc Soft.
- Deploy Kaspersky or equivalent endpoint detection to scan for the specific backdoor signature; update AV definitions daily.
- Block outbound traffic to the identified command‑and‑control domains listed in Kaspersky’s advisory.
- Monitor Windows Event Logs for unusual process creation under `dtc.exe` (the Daemon Tools executable) and for new services being installed without approval.
- Conduct a network‑wide inventory of machines with Daemon Tools installed and prioritize remediation on systems handling sensitive data.
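The inventory and event‑log checks above can be scripted for a single host and then pushed out through your management tooling. The PowerShell below is an added example written for this article; it is not code from Kaspersky, Disc Soft or the Daemon Tools project. It assumes only standard Windows artefacts: the Uninstall registry keys for the inventory, Security event 4688 (process creation, which must be enabled via audit policy) for children of `dtc.exe`, and System event 7045 for newly installed services. The executable name `dtc.exe` is taken from the article; the lookback window and output file name are arbitrary choices.

```powershell
# Added example for the mitigations above (not from the article or from Disc Soft/Kaspersky).
# Assumptions: `dtc.exe` is the Daemon Tools process named in the article; registry paths,
# event IDs and event-data field names are standard Windows ones; the window and output
# path are arbitrary. Run elevated so the Security log is readable.
#Requires -RunAsAdministrator
param(
    [int]$LookbackHours = 24,
    [string]$ReportPath = "$env:TEMP\daemon-tools-triage.csv"
)

# Flatten the <EventData> of a Windows event into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 1. Inventory: is Daemon Tools registered on this host? (64-bit and 32-bit uninstall views.)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, Publisher

$since = (Get-Date).AddHours(-$LookbackHours)

# 2. Process creation (Security 4688) where the parent image is dtc.exe.
#    Needs "Audit Process Creation" enabled; CommandLine is only populated if
#    "Include command line in process creation events" is also on.
$childProcs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Kind    = 'ChildOfDtc'
            Time    = $_.TimeCreated
            Parent  = $d['ParentProcessName']
            Image   = $d['NewProcessName']
            Detail  = $d['CommandLine']
            Account = $d['SubjectUserName']
        }
    } |
    Where-Object { $_.Parent -and ($_.Parent -match '\\dtc\.exe$') }

# 3. New services (System 7045) in the window; anything not change-approved needs review.
$newServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData -Event $_
        [pscustomobject]@{
            Kind    = 'NewService'
            Time    = $_.TimeCreated
            Parent  = $d['ServiceName']
            Image   = $d['ImagePath']
            Detail  = "StartType=$($d['StartType'])"
            Account = $d['AccountName']
        }
    }

# 4. Report: print a summary and write the findings to CSV for central collection.
if ($installed) {
    Write-Host "Daemon Tools is installed on $env:COMPUTERNAME:" -ForegroundColor Yellow
    $installed | Format-Table -AutoSize | Out-String | Write-Host
} else {
    Write-Host "Daemon Tools not found in the Uninstall registry on $env:COMPUTERNAME."
}
Write-Host ("Processes spawned by dtc.exe in the last {0}h: {1}" -f $LookbackHours, @($childProcs).Count)
Write-Host ("Services installed in the last {0}h: {1}" -f $LookbackHours, @($newServices).Count)

$findings = @($childProcs) + @($newServices)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Time | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Details written to $ReportPath"
}
```

A host that reports Daemon Tools installed but shows no 4688 events at all usually means process‑creation auditing is off, not that nothing happened; enable it (and command‑line logging) before relying on the second check. The 7045 list is deliberately unfiltered: compare it against your change records rather than against a fixed allow‑list, since the article gives no service names for the backdoor.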

Looking Ahead

Watch for Disc Soft’s official patch and any additional indicators of compromise released by Kaspersky as the threat actor continues to exploit the supply chain.
