According to Kaspersky, Daemon Tools, a widely used app for mounting disk images, was backdoored in a monthlong supply-chain compromise that began on 8 April 2026 and remained active as of the time of reporting. Installers signed with the developer’s official certificate and downloaded from its website infected Daemon Tools executables. The malware runs at boot time and appears to target only Windows versions of the software, specifically versions 12.5.0.2421 through 12.5.0.2434.
The initial payload collected MAC addresses, hostnames, DNS domain names, running processes, installed software and system locales before sending them to an attacker-controlled server. About 12 follow-on payloads were observed on a dozen machines across government, scientific, manufacturing and retail organisations.
In total, thousands of machines in more than 100 countries were affected. The attack demonstrated a high degree of targeting and sophistication, including a more complex backdoor dubbed QUIC RAT observed at one educational institution in Russia. The report notes that roughly 10% of affected systems belong to businesses and organisations, and advises comprehensive scans of machines with reputable antivirus software and a review of the indicators of compromise listed in the Kaspersky post.