DAEMON Tools is one of those programs that has been around so long it barely registers as something you think about. Millions of Windows users have it installed for mounting ISO files — disc images, game backups, software installers. You download it once, forget about it, and it just works.

That familiarity is exactly what attackers exploited.

Starting on April 8, 2026, the official DAEMON Tools website began serving trojanized installers — versions of the software that looked completely legitimate, passed antivirus checks, and were signed with valid digital certificates — but contained hidden malware designed to give attackers remote access to your computer.

The attack ran for nearly a month before being publicly discovered on May 5 and 6, 2026, when researchers at Kaspersky published their findings.


What Was Compromised

The attackers managed to do something particularly nasty: they did not just swap out the download file on the website. They compromised the code signing infrastructure of DAEMON Tools’ developer, AVB Disc Soft.

Code signing certificates are the digital equivalent of a manufacturer’s seal. When you download software and Windows tells you it is from a trusted publisher, that trust comes from the code signing certificate. Attackers with access to a legitimate certificate can sign their malware, and Windows will treat it as trustworthy.

This is why standard antivirus software missed it. The installer was signed with a real, valid certificate belonging to the real developer. From a security software perspective, it looked completely legitimate.

Affected versions: 12.5.0.2421 through 12.5.0.2434

If you downloaded or updated DAEMON Tools between April 8 and May 5, 2026, and your version falls in that range, you received a compromised installer.


What the Malware Does

The malicious installer modified three core files in the DAEMON Tools installation directory:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

These files were implanted with code that, when running, would contact an external server at env-check.daemontools[.]cc — a domain that attackers registered on March 27, 2026, suggesting they planned this attack weeks in advance.

The malware’s first job was basic reconnaissance: check in with the attacker’s server, report details about the infected system, and wait for instructions.

In most cases, the malware stayed in this reconnaissance mode. But for at least one victim — an educational institution in Russia — the attackers escalated. They deployed a sophisticated piece of malware called QUIC RAT: a Remote Access Trojan that runs over the QUIC network protocol, allowing attackers to take complete remote control of the infected machine.


Who Was Affected and Where

Researchers detected several thousand attempts to install additional malicious payloads via infected DAEMON Tools software in the weeks after April 8. The majority of infected devices belonged to home users, with approximately 10% of infection attempts occurring on organizational systems — meaning business computers, not just personal ones.

Geographically, the most affected countries were Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. DAEMON Tools has a particularly large user base in Russia, which likely explains why the attackers registered the malware domain there and why that country saw the most detections.


How to Check If You Are Affected

Step 1: Check your DAEMON Tools version. Open DAEMON Tools Lite, go to Help > About. If your version number falls between 12.5.0.2421 and 12.5.0.2434, you received a compromised installer.

Step 2: Update immediately. On May 5, 2026, AVB Disc Soft released version 12.6.0 of DAEMON Tools Lite, which does not contain the compromised files. Update immediately through the official website.

Step 3: Check for the malicious files. Even after updating, if you had a compromised version installed, the malicious versions of these files may still be present in your DAEMON Tools directory (usually C:\Program Files\DAEMON Tools Lite\):

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

After updating to version 12.6, these should be replaced with clean versions. If you are unsure, consider running a full system scan with a reputable security tool like Malwarebytes or Windows Defender.

Step 4: Look for suspicious network connections. If your system was communicating with env-check.daemontools[.]cc, that is a strong indicator of active infection. Check your router logs or a network monitoring tool if you have one. If you find connections to this domain, assume the system is compromised and consider a full reinstall.
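Steps 1, 3 and 4 can be checked on the machine itself with the PowerShell script below. It is an added example, not code from AVB Disc Soft or Kaspersky; it assumes the default install path given above and that each binary's embedded product version matches the version shown in Help > About.

```powershell
# Added triage example. Assumptions: default install path from the article, and
# that each binary's embedded product version matches the Help > About version.
$InstallDir = 'C:\Program Files\DAEMON Tools Lite'
$Files      = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$BadLow     = [version]'12.5.0.2421'
$BadHigh    = [version]'12.5.0.2434'
# Refang the indicator exactly as the article prints it.
$C2Domain   = 'env-check.daemontools[.]cc' -replace '\[\.\]', '.'

# Steps 1 and 3: version, signer and hash of the three modified binaries.
$report = foreach ($name in $Files) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Version = $null; InAffectedRange = $null
                           Signer = $null; SHA256 = $null }
        continue
    }
    $vi  = (Get-Item -LiteralPath $path).VersionInfo
    $ver = [version]::new($vi.ProductMajorPart, $vi.ProductMinorPart,
                          $vi.ProductBuildPart, $vi.ProductPrivatePart)
    [pscustomobject]@{
        File            = $name
        Version         = $ver
        InAffectedRange = ($ver -ge $BadLow -and $ver -le $BadHigh)
        # A valid signer proves nothing here: the trojanized builds were validly signed.
        Signer          = (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject
        # Keep the hash so the file can be compared against published indicators.
        SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}
$report | Format-List

# Step 4: recent lookups of the attacker domain in the local DNS client cache.
# The cache is short-lived, so an empty result does not clear the machine.
$dnsHits = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain" })

if (($report | Where-Object InAffectedRange) -or $dnsHits.Count -gt 0) {
    Write-Warning 'Indicators found: treat this system as potentially compromised.'
    $dnsHits | Select-Object Entry, Data, TimeToLive
} else {
    Write-Output 'No affected version or cached lookup found on this machine.'
}
```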


The Bigger Issue: Trusting Official Downloads

This attack highlights a fundamental problem with how we think about software safety.

Most security advice says: “Download software only from the official website.” The DAEMON Tools attack proves that is not enough. The official website was compromised. The official installer was serving malware. The installer was signed with the developer’s real certificate.

There was no obvious red flag to catch. You did everything right and still could have installed malware.

This does not mean you should stop downloading software — you have to at some point. But it does mean:

Watch for update notifications even for software you trust. The researchers at Kaspersky found this attack because they noticed anomalous network behavior from DAEMON Tools installations. Security companies and threat intelligence feeds are often faster to catch supply chain attacks than the affected vendor. Follow cybersecurity news.

Consider using application sandboxing or virtualization for programs you do not use constantly. Mounting ISO files does not require the software to have deep system access. Tools that run in more restricted environments have less ability to cause damage if compromised.

Run some kind of endpoint protection. Even if antivirus missed this specific attack initially (because of the valid code signature), behavioral analysis in modern endpoint security tools eventually flagged the suspicious network connections. Something is better than nothing.


What AVB Disc Soft Has Said

The developer of DAEMON Tools acknowledged the compromise and released the clean version 12.6 promptly after researchers disclosed their findings. They have not yet issued a full public statement about how their code signing infrastructure was compromised — which is the most important technical question remaining.

Understanding how attackers got access to their signing certificates matters because if that access has not been revoked and the certificate has not been invalidated, the same attackers could potentially sign further malware that Windows would still trust.


Bottom Line

If you use DAEMON Tools Lite on Windows, update to version 12.6 right now. If you downloaded or updated it between April 8 and May 5, assume the possibility of compromise and run a full security scan.

This is a good reminder that supply chain attacks on software you already trust are one of the hardest attack types to defend against — and one of the most important to stay informed about.

If you want to check for any remaining connections, block the domain env-check.daemontools[.]cc at your router or firewall and watch for blocked attempts. And if your security software flags it, take it seriously.