INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Malware Was Discovered in Daemon Tools Software
2026-05-07 09:30 | MEDIUM | HIGH
Executive Summary (AI-generated)
The supply chain attack on Daemon Tools software has been contained, but not before it infected thousands of machines across more than 100 countries. The incident began when threat actors exploited a vulnerability in the application's installer to hide malware, which was then distributed from the main website. As a result, victims were left vulnerable to various types of cyber attacks, including Trojanized versions of popular software and malicious payloads injected into system processes like notepad.exe and conhost.exe. The attack highlights the importance of vigilance when installing new software and the need for organizations to carefully examine machines that had Daemon Tools installed after April 8.
Technical Mitigations AI-generated
• Audited the build and release pipeline to identify and isolate affected systems
• Rebuilt and validated installation packages to strengthen internal security controls
• Strengthened internal security monitoring systems
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign: Earlier
Target & Sectors
DACH
manufacturing
government
retail
education
Incident Timeline
April 8
Daemon Tools software installers distributed from the main website were Trojanized from April 8, according to a later warning from Kaspersky.
source_region
China
The developer urged any user who downloaded the affected version to:
• Uninstall the application
• Run a full system scan using trusted security software
• Download the latest version from the official website
A China-Linked Backdoor Campaign
Earlier this week, Kaspersky warned that Daemon Tools software installers distributed from the main website had been Trojanized since April 8.
May 5
The Daemon Tools Lite software version 12.6 was released by Disc Soft less than 12 hours after being notified of a supply chain attack.
infrastructure
12.6
Disc Soft said it released the malware-free Version 12.6 of its Daemon Tools Lite product on May 5, less than 12 hours after being notified of the supply chain attack.
May 7
Threat actors used Daemon Tools to target their internal infrastructure.
2026/05/07
Threat actors used Daemon Tools to infect victims across multiple countries, including Russia, Brazil, and Turkey.
infrastructure
12.5.1
“The affected version (12.5.1) has been removed and is no longer supported.
infrastructure
12.6.0
The latest version (12.6.0.2445) no longer exhibits the behavior associated with the incident.”
Intelligence Sources
Infosecurity-Magazine
2026-05-07
Daemon Tools Developer Confirms Software Was Trojanized
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:34
Comprehensive Tactical Telemetry
Highly Correlated Entities
7x | target region | Target Country | Russian Federation | country
4x | industry | Targeted Sector | Education | sector
3x | timeline | Temporal Reference | April 8 | date
3x | infrastructure | Software Version | 12.6 | version
2x | organisation | Identified Entity | China-Linked Backdoor Campaign | entity
Contextual Telemetry
Context Block
7 METRICS
source region | Origin Country | China | country
campaign | Campaign | Campaign Earlier | operation
tactic | Cyber Operation Type | Espionage | tactic
general metric | Version | 13 | version
general metric | Hours | 12 | hours
tactic | MITRE ATT&CK Technique | T1592.002 - Software | technique
general metric | Countries | 100 | countries