A Trusted Windows App Turned Into a Weapon
Daemon Tools has been around for decades. If you've ever mounted a disc image on Windows without actually owning a physical disc drive, there's a decent chance you've used it. It's that kind of software — unglamorous, reliable, almost invisible. Which is exactly what makes it such an attractive target.
Kaspersky's security researchers have now identified a malicious backdoor embedded in the popular Windows disc imaging software. The Russian cybersecurity company says its antivirus telemetry — data pulled from computers running Kaspersky software around the world — reveals a campaign it describes as "widespread," with thousands of Windows machines running Daemon Tools squarely in the crosshairs. And here's the part that should genuinely concern anyone who has the software installed: the attack is reportedly still active.
What Kaspersky Actually Found — And When
The backdoor was first detected on April 8. Kaspersky traced the activity to a group it believes communicates in Chinese, based on its analysis of the malware itself. That attribution isn't airtight — language analysis of malware has limits — but it's the working assumption Kaspersky is operating under.
Beyond the thousands of infection attempts, the researchers confirmed that at least a dozen computers were actually compromised. That's the distinction worth paying attention to. The backdoor gave attackers a foothold, and they used it to push additional malware onto those specific machines. Kaspersky characterized this secondary stage as "targeted," suggesting the hackers weren't just spraying and praying — they had specific victims in mind.
The affected organizations operated in retail, scientific research, and manufacturing, as well as government environments. Geographically, the targeted systems were located in Russia, Belarus, and Thailand.
How a Supply Chain Attack Like This Works
This is a supply chain attack, and if that term still sounds a little abstract, here's the clearest way to think about it: instead of breaking into your house directly, someone poisons the water supply. When you drink the water, the problem comes to you.
Hackers who pull off supply chain attacks don't go after end users individually — they compromise the software before it reaches those users. By embedding malicious code into a trusted application (or its update mechanism), they can infect a massive number of machines in one move. Every person who downloads or updates the software becomes a potential victim without doing anything obviously wrong. You installed Daemon Tools from what looked like the official source. That was the trap.
Kaspersky said it contacted Disc Soft, the company that develops and maintains Daemon Tools, but did not say whether the developer had responded or taken any action at the time of its report. In its own statement, Disc Soft acknowledged the report and said its team was treating the matter as a top priority, adding that it was actively working to assess and remediate the situation — without confirming the specific details Kaspersky outlined.
TechCrunch independently downloaded the Windows installer directly from the Daemon Tools website and checked it against VirusTotal, the widely used online malware scanning service. The file appeared to contain the backdoor. It's not yet known whether the macOS version of Daemon Tools is affected, or whether other Disc Soft products have been compromised.
This Is Part of a Bigger, Nastier Trend
Daemon Tools isn't the first widely used app to become an unwitting delivery system for malware, and it almost certainly won't be the last. Earlier in 2026, hackers linked to the Chinese government were found to have hijacked software updates for Notepad++ — yes, that Notepad++ — to push malware to organizations with interests in East Asia. Around the same time, researchers flagged a separate incident targeting visitors to the website of CPUID, the company behind HWMonitor and CPU-Z, two tools extremely popular among PC enthusiasts and IT professionals.
The pattern here is pretty clear. Attackers are increasingly focusing on trusted, well-established software that people install without a second thought. The trust people place in legacy apps — the ones that have been around long enough to feel safe by default — is itself becoming a vulnerability.