Cyber: Report: Daemon Tools Supply Chain Attack Compromises Official Installe...

A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said.

The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. While DAEMON Tools is also available for Mac, Kaspersky told The Hacker News that only the Windows version was compromised. The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach.

Specifically, three different components of DAEMON Tools have been tampered with - Any time one of these binaries is launched, which typically happens during system startup, an implant is activated on the compromised host. It's designed to send an HTTP GET request to an external server ("env-check.daemontools[.]cc") – a domain registered on March 27, 2026 – in order to receive a shell command that's run using the "cmd.exe" process. The shell command, for its part, is used to download and run a series of executable payloads. These include -

The Russian cybersecurity company said it observed several thousand infection attempts involving DAEMON Tools in its telemetry, impacting individuals and organizations in more than 100 countries, such as Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor has been delivered only to a dozen hosts, indicating a targeted approach. The systems that received the follow-on malware have been flagged as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
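A defender-side triage check for the two indicators the report gives (the compromised installer version range and the implant's command server), as an added example that is not code from Kaspersky or The Hacker News. The proxy log lines and their column layout are constructed for the example.

```python
import re

# Indicators taken from the report above: the refanged C2 host and the
# installer version range Kaspersky identified as trojanized.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)

def parse_version(text):
    """Turn '12.5.0.2430' into an int tuple so comparison is numeric
    (lexically '12.5.0.10000' < '12.5.0.2421', which would miss hits)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)

def version_is_compromised(text):
    """True when an installer version falls inside the reported range."""
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX

# Constructed proxy log (assumed layout): timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2026-04-09T07:12:03Z 10.0.0.15 GET http://env-check.daemontools.cc/ 200
2026-04-09T07:12:04Z 10.0.0.15 GET http://www.example.com/update.xml 200
2026-04-09T08:40:11Z 10.0.0.22 GET https://ENV-CHECK.DAEMONTOOLS.CC:443/?id=1 200
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

def host_of(url):
    """Extract the lowercase host from a URL, dropping scheme, port and path
    (DNS names are case-insensitive, so normalise before comparing)."""
    no_scheme = re.sub(r"^[a-z]+://", "", url.lower())
    return no_scheme.split("/", 1)[0].split(":", 1)[0]

def find_c2_requests(log_text):
    """Return (timestamp, client IP, URL) for every request whose host is the
    C2 domain or a subdomain of it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        host = host_of(m["url"])
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append((m["ts"], m["src"], m["url"]))
    return hits
```

A hit from `find_c2_requests` on a host that also runs a DAEMON Tools build in the compromised range is the combination worth escalating; either signal alone merits a closer look at the startup-launched binaries.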
What's more, one of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT. The use of the C++ implant has been recorded against a lone victim: an educational institution located in Russia. "This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner," Kaspersky said. "However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear." The malware supports a variety of c

Source: The Hacker News