
DAEMON Tools Was Silently Backdoored for 47 Days — And the Installers Were Signed With the Real Developer’s Certificate

If you downloaded DAEMON Tools from the official site between April 8 and the discovery in May 2026, your computer may have been silently backdoored. Worse, the malicious installers were signed with the developer's own code-signing certificate, so the checks that normally flag a tampered download (the Windows publisher prompt, application allowlists keyed on the signer, antivirus reputation scoring that treats signed binaries as lower risk) all passed. Your antivirus probably didn't catch it.

Kaspersky researchers discovered the compromise in early May 2026, revealing one of the most sophisticated supply chain attacks of the year. The malware was distributed from the official DAEMON Tools website, making it virtually impossible for users to distinguish legitimate software from compromised versions.

The Discovery

In early May 2026, Kaspersky identified that installers for DAEMON Tools — the popular disk image mounting software used by millions — had been trojanized since April 8, 2026. The compromised versions range from 12.5.0.2421 to 12.5.0.2434.

For 47 days, anyone who downloaded DAEMON Tools from the official website received a backdoored version. Kaspersky observed several thousand infection attempts in their telemetry, with individuals and organizations in more than 100 countries affected.

What Makes This Attack Different

Supply chain attacks are nothing new. But this one has a feature that makes it exceptionally dangerous: every compromised installer is signed with a valid digital signature from AVB Disc Soft, the legitimate developer of DAEMON Tools.

Digital signatures are supposed to be the gold standard for software authenticity. When Windows shows a "Verified publisher: AVB Disc Soft" prompt, the user trusts it, the antivirus weights it, and the IT department's allowlist keys on it. That is the entire point of code signing.

But a valid signature proves exactly one thing: the file was signed by whoever controlled that private key. It says nothing about whether the signed code is benign. By signing with the real developer's certificate, the attackers passed every signer-based trust check in the distribution chain. This was not a forged certificate or a stolen certificate from some unrelated company; it was the developer's own. Whether the attackers stole the key itself or compromised the build and signing pipeline makes no difference to the victim: the signer's identity tells you who signed, not whether what was signed is safe.
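As an added example, not code from the article or from AVB Disc Soft, here is how a Windows administrator would inspect a downloaded installer with PowerShell, and why the signature result on its own is not enough. The installer path is a placeholder, and the script assumes the installer's file-version metadata carries the product version; the version range is the one reported above.

```powershell
# Added example: inspect one downloaded installer. Not code from the article
# or from AVB Disc Soft. The default path is a placeholder; replace it.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\DTLite-installer.exe"   # placeholder
)

# Version range the article reports as trojanized (inclusive).
$BadFrom = [version]'12.5.0.2421'
$BadTo   = [version]'12.5.0.2434'

$sig = Get-AuthenticodeSignature -FilePath $Path
$vi  = (Get-Item -LiteralPath $Path).VersionInfo
# Build the version from the numeric parts; FileVersion strings can contain commas or text.
$ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
$sha = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

[pscustomobject]@{
    File        = $Path
    SigStatus   = $sig.Status                      # 'Valid': hash matches and the chain is trusted
    Signer      = $sig.SignerCertificate.Subject   # who held the key, not whether the code is benign
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    FileVersion = $ver
    SHA256      = $sha
} | Format-List

# Pinning the signer does not help here: the trojanized builds carry the same
# vendor certificate as clean ones. What separates them is the build number,
# so the decisive check combines "signed by the vendor" with "inside the bad range".
$signedByVendor = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -match 'AVB Disc Soft')
$inBadRange     = ($ver -ge $BadFrom) -and ($ver -le $BadTo)

if ($inBadRange) {
    $why = if ($signedByVendor) { 'a valid vendor signature' } else { "signature status $($sig.Status)" }
    Write-Warning "$ver is inside the reported trojanized range ($BadFrom to $BadTo) despite $why. Do not run it."
} elseif (-not $signedByVendor) {
    Write-Warning "Signature status $($sig.Status), signer '$($sig.SignerCertificate.Subject)': not a valid vendor signature."
} else {
    "Valid vendor signature and $ver is outside the reported range. Still match the SHA256 against the vendor's published hash before trusting it."
}
```

The point of the final branch is that a clean signature and an out-of-range version still only narrow the question; the hash comparison against what the vendor actually published is the check that does not depend on the signer at all.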

The Technical Details

The attack mechanism is straightforward but effective. After the trojanized build is installed, a malicious component is launched at every system start. It sends a request to a command-and-control server, and the server can respond with instructions to download and execute further payloads.

The autostart gives the backdoor persistence across reboots, and the staged design means the operators can push whatever payload they want to a given machine, from keyloggers to ransomware to data exfiltration tools.

The first stage is lightweight and generic. What the attackers deploy through it depends entirely on who you are, which brings us to the targeting.

Who Was Targeted

This is where the attack gets interesting. Out of the thousands of machines infected, further-stage payloads were only deployed to about a dozen. That’s an extremely selective targeting ratio.

The machines that received additional payloads belonged to organizations in specific sectors: retail, scientific research, government, and manufacturing. This pattern strongly suggests the supply chain attack is espionage-focused, not financially motivated.

Most supply chain attacks aim to infect as many systems as possible — ransomware operators want volume. But this attacker had specific targets and used the broad infection vector as a way to reach them. Everyone else was collateral damage.

The China Connection

Kaspersky’s analysis points to a Chinese-speaking adversary based on artifacts observed in the malware code. TechCrunch reported that Kaspersky “suspects Chinese hackers planted a backdoor” into the software.

This aligns with a broader pattern of Chinese state-linked groups using supply chain attacks to compromise specific high-value targets, particularly in government and manufacturing sectors. The technique of compromising legitimate software distribution channels is a hallmark of advanced persistent threat (APT) groups.

The Supply Chain Problem

The DAEMON Tools compromise highlights a fundamental weakness in how software is distributed and trusted. This attack joins a growing list of supply chain incidents in 2026:

  • The cPanel zero-day that compromised 44,000 servers
  • The Nx Console VS Code extension that led to GitHub’s internal repository breach
  • The Laravel-Lang packages hijacked to steal credentials
  • The Megalodon campaign that backdoored 5,500 GitHub repositories

Each of these attacks exploited trust — trust in official download sites, trust in browser extension marketplaces, trust in package registries, trust in code signing certificates. The entire software ecosystem is built on trust, and that trust is being systematically undermined.

What to Do If You Installed DAEMON Tools

If you installed or updated DAEMON Tools between April 8 and May 2026, take the following steps immediately:

  • Update to version 12.6.0.2445 or later; this is the first build confirmed clean
  • Run a full system scan with updated antivirus definitions
  • Review the autostart locations (Run and RunOnce keys, the Startup folders, scheduled tasks and services) for entries you do not recognize; the malware persists through a startup mechanism, and a valid signature on an entry does not by itself clear it
  • Monitor outbound network connections for unusual traffic to unfamiliar servers, and keep the logs: the first stage beacons at every boot
  • Change passwords on any accounts accessed from the affected machine, and rotate any tokens, SSH keys or saved credentials stored on it
  • If the machine belongs to an organization in one of the targeted sectors, treat it as compromised until proven otherwise: a clean reinstall is safer than removing the first stage and hoping no second stage was ever delivered

The Bottom Line

A popular software tool was backdoored for 47 days using the developer’s own digital certificate, infecting machines in 100+ countries, with a Chinese-linked threat actor selectively deploying espionage payloads to government and manufacturing targets.

And nobody noticed until Kaspersky found it.

That’s the state of supply chain security in 2026. The trust model is broken. The tools we rely on to verify software authenticity — digital signatures, official websites, trusted developers — can all be compromised. And when they are, there’s almost no way for a normal user to detect it.

Update your DAEMON Tools. Scan your systems. And ask yourself: what other software you trust might already be compromised?
