仮想ドライブ用ソフト「DAEMON Tools」に約1か月にわたる供給網攻撃 — Kasperskyが公開

On May 5, 2026, Russian security firm Kaspersky disclosed that DAEMON Tools, a Windows virtual-drive creation software, had been hit by a supply chain attack. Tampered installers had reportedly been distributed via the official site since April 8, 2026.

The affected range is reportedly versions 12.5.0.2421 through 12.5.0.2434, with attackers said to have embedded malicious code in three executables: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were reportedly distributed still bearing a valid digital signature from developer AVB Disc Soft, putting users and security products in a state where it was hard to detect.

According to Kaspersky, the tampered installer reportedly caused thousands of infections across more than 100 countries. On the other hand, the second-stage payload delivering additional malware was reportedly deployed to only about 10 devices, with targets seen as having been narrowed to specific organizations such as retail, scientific, manufacturing, and government agencies.

Kaspersky reportedly links this attack to a Chinese-language-speaking attack group based on malware analysis, but it appears specific state ties and organization names have not been publicly disclosed. It is noted that the attack may have been used as a "funnel" to reach specific targets rather than aiming at broad-scope infection.

The developer reportedly released a clean "DAEMON Tools Lite 12.6" on the same May 5, and users are being called on to update promptly. For devices that have already installed an affected version, a thorough scan with antivirus software is being recommended.