Kaspersky Detects Backdoor in Daemon Tools Linked to Chinese Hackers

Security researchers at Kaspersky have identified a malicious backdoor embedded in the widely used Windows disc imaging software, Daemon Tools. According to Kaspersky, data from computers worldwide running its antivirus software reveals a “widespread” attack exploiting this backdoor.
The Russian cybersecurity firm associates the attack with a Chinese-speaking hacker group. The attackers leveraged the backdoor to deploy additional malware across a variety of sectors, including retail, scientific research, manufacturing, and government systems. Kaspersky highlights that this indicates a “targeted” campaign focusing on specific organizations.
Victims of the attack are primarily located in Russia, Belarus, and Thailand. The backdoor was first detected on April 8, and the supply chain assault remains active, raising concerns that thousands of computers using Daemon Tools software could still be compromised.
Kaspersky has contacted Disc Soft, the developer of Daemon Tools, but no information has yet been disclosed about the developer’s response or corrective measures. When approached for comment, a Disc Soft representative confirmed awareness of the situation and stated that an investigation is ongoing. The company emphasized treating the matter with high priority and pledged to address potential risks to users’ security.
This incident adds to a growing trend of supply chain attacks targeting popular software developers. Cybercriminals are increasingly abusing access to developer accounts to insert malicious code into widely distributed software updates, thereby infiltrating numerous systems simultaneously.
Earlier in 2026, hackers linked to the Chinese government reportedly compromised Notepad++, a favored text editing tool, distributing malware to organizations with interests in East Asia. Similarly, attacks targeting users of CPUID’s monitoring tools were reported recently.
TechCrunch independently downloaded the Windows installer from Daemon Tools’ official website and verified via VirusTotal that the backdoor appears to be present in the current version. At this time, it remains unclear whether macOS versions of Daemon Tools or other Disc Soft applications are affected.
Users of Daemon Tools are advised to remain cautious and ensure that their security software is up to date. Those who suspect they may have been impacted by this attack should seek guidance from cybersecurity professionals.

