Chinese Hackers Embed Backdoor in Daemon Tools; Global Cybersecurity Risks Intensify

Chinese Hackers Allegedly Embed Backdoor in Daemon Tools, Sparking Global Security Concerns

Kaspersky researchers have uncovered a malicious backdoor embedded in Daemon Tools, a widely used Windows disc imaging application. The discovery indicates a large-scale cyberattack targeting thousands of Windows systems globally.

Kaspersky’s analysis suggests that a Chinese-speaking hacker group is responsible for this intrusion. The attackers exploited the backdoor to deploy additional malware on computers across various sectors, including retail, scientific research, manufacturing, and government agencies. Notably, the affected organizations are primarily located in Russia, Belarus, and Thailand, pointing to a deliberate and targeted campaign.

The backdoor was first identified on April 8, 2026. Kaspersky has reached out to Disc Soft, the developer of Daemon Tools, to address the issue. However, the current status of the developer’s response remains unclear. Kaspersky warns that the attack is ongoing, implying that the perpetrators still have the capability to infiltrate numerous systems running the compromised software.

This incident is part of a troubling trend of supply chain attacks, where cybercriminals infiltrate software developers to distribute malicious code through legitimate software updates. Such strategies enable widespread system compromises with minimal effort.

Earlier this year, hackers associated with the Chinese government used similar tactics, hijacking updates for Notepad++, a popular text editor, to deliver malware to organizations with interests in East Asia. A separate attack also targeted users who visited the website of CPUID, known for tools such as HWMonitor and CPU-Z.

TechCrunch’s investigation confirmed the presence of the backdoor in the Windows installer downloaded from the official Daemon Tools website, as verified by the online malware scanner service VirusTotal. It remains uncertain whether the macOS version of Daemon Tools or other applications developed by Disc Soft are affected.

A representative from Disc Soft acknowledged the report and stated that the company is actively investigating the situation. They emphasized their commitment to addressing potential risks and ensuring user security but did not provide specific details at this time.

This incident underscores the critical importance of vigilance in software supply chains and the need for robust security measures to protect against such sophisticated cyber threats.