SECURITYWEEK reports that a sophisticated Daemon Tools supply chain attack has infected users worldwide, with a backdoor dropped on about a dozen systems in Belarus, Russia, and Thailand, indicating a targeted operation. The campaign compromised three Daemon Tools binaries (DTHelper[.]exe, DiscSoftBusServiceLite[.]exe, and DTShellHlp[.]exe), all signed with certificates belonging to AVB Disc Soft, and the backdoor activates at startup by tampering with the CRT initialisation code.
Daemon Tools versions 12.5.0.2421 to 12.5.0.2434, released since April 8, were found to contain injected code, and the attacker used a typosquatting domain registered on March 27 to return commands that fetch and run a payload. The operators initially deployed an information collector across thousands of machines in over 100 countries, with roughly 10% of those machines belonging to businesses and organisations, before using the backdoor to deploy QUIC RAT against a single educational institution in Russia. According to Kaspersky, the overall activity remains ongoing, with AVB Disc Soft notified.
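The practical consequence for defenders is that the usual "is it signed by the vendor?" check does not clear these binaries, so triage has to key on the three file names and the affected version range instead. The script below is an added example, not code from SecurityWeek, Kaspersky, or AVB Disc Soft: it takes software-inventory rows (the record format, hostnames, install paths, and the unrelated file name are constructed for the example), compares each file version numerically against the range the report gives, and flags matching binaries regardless of the signer field. The signer comparison is a plain string match on the inventory field, not an Authenticode verification, and the verdict labels are this script's own.

```python
"""
Inventory triage for the Daemon Tools supply chain compromise.
Added example; only the three file names and the affected version
range come from the report. Everything else here is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# File names named in the report (defanged "[.]" written as "." for matching).
SUSPECT_FILES = frozenset({
    "dthelper.exe",
    "discsoftbusservicelite.exe",
    "dtshellhlp.exe",
})

# Inclusive version range the report says contained injected code.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Legitimate vendor signer. A match does NOT clear a binary: the report says
# the trojanised builds carried this signer's certificates.
VENDOR_SIGNER = "AVB Disc Soft"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so ranges compare numerically
    rather than as strings. Missing trailing parts are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def in_affected_range(version: str) -> bool:
    """True when the version lies inside the reported range, bounds included."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass(frozen=True)
class InventoryRecord:
    """One row of a constructed software-inventory export (assumed format)."""
    host: str
    path: str
    file_version: str
    signer: Optional[str]  # None when the file carries no signature


def triage(record: InventoryRecord) -> str:
    """Classify one inventory row.

    'affected' - one of the named binaries at an affected version
                 (signer is deliberately ignored for this verdict)
    'review'   - a named binary outside the range, e.g. an older or newer build
    'ignore'   - not one of the binaries named in the report
    """
    name = record.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in SUSPECT_FILES:
        return "ignore"
    if in_affected_range(record.file_version):
        return "affected"
    return "review"


def flagged_hosts(records: List[InventoryRecord]) -> List[str]:
    """Sorted, de-duplicated list of hosts holding an affected binary."""
    return sorted({r.host for r in records if triage(r) == "affected"})


# Constructed sample inventory: hostnames, paths and versions are made up
# to exercise the range bounds and the signer edge case.
SAMPLE_INVENTORY = [
    InventoryRecord("ws-001", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
                    "12.5.0.2421", VENDOR_SIGNER),            # lower bound, signed
    InventoryRecord("ws-002", r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe",
                    "12.5.0.2434", VENDOR_SIGNER),            # upper bound, signed
    InventoryRecord("ws-003", r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe",
                    "12.5.0.2410", VENDOR_SIGNER),            # below range
    InventoryRecord("ws-004", r"C:\Program Files\DAEMON Tools Lite\unrelated.exe",
                    "12.5.0.2421", VENDOR_SIGNER),            # not a named binary
    InventoryRecord("ws-005", r"C:\Users\example\Downloads\dthelper.exe",
                    "12.5.0.2430", None),                     # in range, unsigned
]

if __name__ == "__main__":
    for rec in SAMPLE_INVENTORY:
        print(f"{rec.host:8} {rec.file_version:12} {triage(rec)}")
    print("hosts to isolate/reimage:", flagged_hosts(SAMPLE_INVENTORY))
```

On the sample data the script flags ws-001, ws-002 and ws-005; ws-003 lands in "review" because an out-of-range build is not covered by the report, not because it is known clean. Real inventory exports should feed `file_version` from the PE version resource and `path` from disk, and a hash or signature check against indicators published by the vendor or Kaspersky belongs alongside this version test, not instead of it.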