Kaspersky Finds Active Chinese-Linked Backdoor in Daemon Tools Since April

Daemon Tools, a widely used Windows utility for creating virtual drives, was found to contain a malicious backdoor by Kaspersky researchers. Telemetry from Kaspersky antivirus shows a widespread infection affecting thousands of Windows hosts globally. The backdoor enables threat actors to execute arbitrary code on compromised systems, which they have used to install further malware on a dozen machines in retail, scientific, manufacturing, and government sectors.

- First detection: April 8, 2024. - Attribution: Kaspersky links the activity to a Chinese‑language speaking group based on malware code artifacts. - Impact: Targeted organizations located in Russia, Belarus, and Thailand; additional malware deployed on approximately 12 systems. - Nature of attack: Supply‑chain compromise where the legitimate Daemon Tools installer was trojanized. - No public CVE assigned yet; the technique aligns with MITRE ATT&CK T1195.002 (Compromise Software Dependencies and Development Tools).

The incident underscores the growing risk of software supply‑chain attacks, where trusted utilities become vectors for espionage or sabotage. Organizations that rely on Daemon Tools should treat the software as potentially untrusted until a clean version is verified. The backdoor’s persistence suggests attackers may continue to push malicious updates through the compromised distribution channel.