Kaspersky has disclosed a **software supply‑chain compromise** affecting DAEMON Tools installers, with reporting amplified by The Hacker News.

## What happened

According to Kaspersky’s analysis (as quoted by The Hacker News):

- Compromised installers were **distributed via the legitimate DAEMON Tools website** and **signed with digital certificates** tied to DAEMON Tools developers.

- Trojanized versions were observed since **April 8, 2026**, spanning builds **12.5.0.2421 to 12.5.0.2434**.

- Multiple components were reportedly tampered with, including **DTHelper.exe**, **DiscSoftBusServiceLite.exe**, and **DTShellHlp.exe**.

## How the malware behaves (high level)

The reporting describes an implant that, when activated (often at startup), contacts an attacker-controlled domain to retrieve a command, which it executes via `cmd.exe` and which can then stage additional payloads. Kaspersky also described follow-on tools used for system reconnaissance and backdoor functionality.

## Why supply-chain compromises are hard to catch

This is a reminder that:

- **Digitally signed** software can still be malicious if the build or distribution pipeline is compromised.

- Endpoint and network controls can be bypassed when users download from an **official vendor site**.

## Recommended defensive steps

Organizations that rely on DAEMON Tools should consider:

- Inventorying endpoints for the affected software versions

- Isolating suspect machines and running a security sweep

- Reviewing outbound connections for unusual domains and post-execution download behavior
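
One way to do the inventory step on a single Windows endpoint, as an added example (not code from Kaspersky, The Hacker News, or the vendor). It assumes the three named components sit somewhere under the Program Files directories and that their version resource carries the build number; both are assumptions, not details from the reporting.

```powershell
# Added example: flag DAEMON Tools components whose file version falls in the
# build range named in the reporting (12.5.0.2421 through 12.5.0.2434).
# Assumptions: the search roots below, and that the binaries' version
# resource matches the product build number.
$low   = [version]'12.5.0.2421'
$high  = [version]'12.5.0.2434'
$names = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# ProgramFiles(x86) is absent on 32-bit Windows, so drop empty or missing roots.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

$results = foreach ($file in Get-ChildItem -Path $roots -Include $names -File -Recurse -ErrorAction SilentlyContinue) {
    $info = $file.VersionInfo
    # Build the version from the numeric parts; the string form may carry extra text.
    $ver = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                          $info.FileBuildPart, $info.FilePrivatePart)
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    [pscustomobject]@{
        Path            = $file.FullName
        Version         = $ver
        InReportedRange = ($ver -ge $low -and $ver -le $high)
        # Recorded for triage only: the trojanized builds were validly signed,
        # so a 'Valid' status here does not clear a file.
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        # Hash to compare against the indicators in Kaspersky's report.
        SHA256          = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    }
}

# Files in the reported range sort to the top.
$results | Sort-Object InReportedRange -Descending | Format-Table -AutoSize -Wrap
```

A host with no matching files produces no output; a file outside the reported range is still worth hashing against the published indicators before it is treated as clean.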

*Source: The Hacker News (summarizing Kaspersky research). For full technical indicators, consult Kaspersky’s original report linked in the article.*