Kaspersky has detected a widespread supply-chain attack targeting Daemon Tools, a popular Windows utility for mounting virtual drives. The cybersecurity firm identified thousands of infection attempts and at least a dozen successful compromises after attackers distributed backdoored versions of the software.

Kaspersky attributes the attack to Chinese-linked hackers. The malicious Daemon Tools versions contained a backdoor that gave attackers remote access to infected machines. The compromised software appeared legitimate to users, making detection difficult until Kaspersky's researchers uncovered the scheme.

This incident exemplifies the supply-chain attack playbook. Rather than targeting users directly, adversaries compromise trusted software that thousands rely on daily. Daemon Tools is installed across Windows environments for legitimate purposes like mounting ISO files and virtual disks. By the time Kaspersky flagged the backdoor, it had already compromised at least a dozen systems, while infection attempts numbered in the thousands.

The attack's scope remains unclear. Kaspersky hasn't disclosed which versions of Daemon Tools contained the backdoor, the exact distribution timeline, or the full list of affected organizations. The company typically names state-sponsored groups only after confirming attribution, so the "Chinese hackers" assessment carries weight.

Supply-chain compromises carry outsized risk because they bypass traditional security perimeters. Users trust Daemon Tools as legitimate software from an established vendor. Once installed, a backdoor grants attackers persistent access to networks, often enabling lateral movement and espionage.

Kaspersky's detection highlights the cat-and-mouse dynamics in cybersecurity. Although the firm identified and exposed the threat, the attack had already succeeded in multiple cases. Organizations using Daemon Tools should audit their systems for suspicious activity and verify that they are running legitimate versions obtained directly from official sources.

This incident reinforces why software vendors must harden their build and distribution systems. A single compromise can affect thousands of