Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack
Kaspersky warned that DAEMON Tools' official website was compromised in a supply‑chain attack that replaced legitimate DAEMON Tools Lite installers with Trojanized versions. The affected builds span 12.5.0.2421 (April 8) through 12.5.0.2434; signed installers bore AVB Disc Soft signatures but contained modified components. Infected clients globally (over 100 countries, notably Russia, Brazil, Turkey, Spain, Germany, France, China, Italy) sent system data to a malicious server; about 10% of impacted systems are in enterprise environments. Attackers appear to use broad distribution to harvest system info and then selectively deploy backdoors on high‑value targets in government, research, manufacturing and retail, indicating targeted follow‑on intrusions.
Kaspersky disclosed that Daemon Tools, a popular disk-image mounting app, was backdoored in a supply-chain compromise that began on April 8 and persisted for about a month, with malicious installers signed by the vendor’s certificate and pushed from the developer’s own servers. Versions 12.5.0.2421–12.5.0.2434 (Windows builds) contained a first-stage payload that harvested system data and reported to attacker servers; thousands of machines across 100+ countries were probed, and about a dozen organizations received follow-on backdoors. One follow-on was a minimal remote-access backdoor; a more advanced QUIC RAT capable of process injection and multiple C2 protocols was observed at a Russian educational institution. The incident underscores supply-chain risks for widely distributed software.
Security firm Kaspersky says Daemon Tools was backdoored in a monthlong supply-chain compromise that began April 8, with malicious updates signed by the developer’s certificate and distributed from its servers. The malicious component delivered by the infected Windows installers (versions 12.5.0.2421–12.5.0.2434) persists and runs at boot, collecting MAC addresses, hostnames, DNS domains, running processes, installed software and locale data and exfiltrating it to attacker-controlled servers. Thousands of machines in over 100 countries were reached, and roughly a dozen high-value targets in retail, scientific, government and manufacturing received a secondary payload, suggesting selective post-compromise targeting. The campaign underscores risks in software supply chains and the difficulty of detecting signed malicious updates.