At least one DAEMON Tools user in government, scientific, manufacturing, retail, or education sectors
April 8, 2026
•[ supply chain attack, malware, trojanized installers ]
Threat actors compromised official DAEMON Tools installers distributed from the vendor website beginning April 8, 2026. The trojanized installers executed malware on infected Windows hosts, collected system information, and in selected cases deployed additional backdoor payloads. Reporting identified second-stage payloads on roughly a dozen machines in government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand, and QUIC RAT on one Russian educational institution. The specific perpetrator was not publicly identified.
