Hackers have compromised the installers for DAEMON Tools, a widely used Windows utility for mounting disk images, to deploy a backdoor across thousands of systems. The attack, which has been active since at least April 8, allowed malicious code to reach users downloading the product directly from the official website, according to reporting from BleepingComputer.
Kaspersky identified the compromised versions as DAEMON Tools 12.5.0.2421 through 12.5.0.2434. The trojanized binaries within those builds include DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
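The version range and file names above are the only indicators the reporting gives, so a first triage step is to check an installed copy against them. The PowerShell below is an added example written for this page, not a script from Kaspersky, BleepingComputer, or the DAEMON Tools vendor; the install directory is an assumption (the product ships in several editions with different folders), and the page publishes no file hashes, so the SHA-256 values it prints are for comparison against a vendor or Kaspersky IOC list rather than against anything shown here.

```powershell
# Added triage check: flag DAEMON Tools binaries whose file version falls in the
# range Kaspersky reported as compromised (12.5.0.2421 - 12.5.0.2434).
# [version] is used instead of string comparison so that 12.5.0.2434 sorts after
# 12.5.0.999 correctly; lexical comparison would get that backwards.
$AffectedMin  = [version]'12.5.0.2421'
$AffectedMax  = [version]'12.5.0.2434'
$SuspectFiles = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# ASSUMPTION: default install folder of the Lite edition. Adjust for other editions
# or a custom install path.
$InstallDir = Join-Path $env:ProgramFiles 'DAEMON Tools Lite'

function Test-DaemonToolsBuild {
    param([string]$Directory = $InstallDir)

    foreach ($name in $SuspectFiles) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Absence is itself useful: note it rather than silently skipping.
            [pscustomobject]@{ File = $name; Present = $false; FileVersion = $null;
                               InAffectedRange = $false; SignatureStatus = $null;
                               Signer = $null; SHA256 = $null }
            continue
        }

        $item = Get-Item -LiteralPath $path
        $rawVersion = $item.VersionInfo.FileVersion
        $parsed = $null
        $inRange = $false
        # FileVersion is a free-form string; only compare it when it parses cleanly.
        if ([version]::TryParse($rawVersion, [ref]$parsed)) {
            $inRange = ($parsed -ge $AffectedMin) -and ($parsed -le $AffectedMax)
        }

        # The article notes the installers were digitally signed, so a "Valid"
        # status here is NOT evidence the file is clean. Record the signer so the
        # subject can be compared against the vendor's known certificate.
        $sig = Get-AuthenticodeSignature -FilePath $path

        [pscustomobject]@{
            File            = $name
            Present         = $true
            FileVersion     = $rawVersion
            InAffectedRange = $inRange
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Usage: run in an elevated PowerShell session on the host being checked.
Test-DaemonToolsBuild | Format-Table -AutoSize
```

Any row with InAffectedRange set to True warrants isolating the host and pulling process, network and persistence artifacts before reinstalling a clean build; a True here combined with a Valid signature is exactly the situation the article describes, so the signature column should not be read as an all-clear.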
While the initial infection spread to thousands of devices in over 100 countries, the attackers appear to be conducting a targeted operation. BleepingComputer reported that second-stage payloads were only deployed to a dozen machines, suggesting the hackers are filtering for high-value targets.
Targeted payloads and data theft
The first stage of the malware operates as a basic information stealer. The installers are digitally signed, so a signature check alone does not distinguish them from legitimate builds. Once an installer is executed, the payload collects system-level data, including hostnames, MAC addresses, running processes, installed software, and system locales, and sends this information to the attackers for victim profiling.
After the attackers analyze the stolen data, they can choose to deploy a second-stage payload. This second stage consists of a lightweight backdoor that provides persistent access to the infected system. The backdoor allows the attackers to send commands to the machine and instruct it to download further malicious software.
According to BleepingComputer, the victims identified as receiving these more advanced payloads include organizations in the retail, scientific, government, and manufacturing sectors. The geographic focus of these targeted hits includes Russia, Belarus, and Thailand.
Kaspersky's report, cited by BleepingComputer, indicates that the attack is currently ongoing. The software, once a staple for gamers and power users in the 2000s, is now primarily used in environments requiring virtual drive management.