Security researchers say official DAEMON Tools installers were used in a supply-chain attack that delivered a backdoor to Windows systems. The incident matters because users did not have to download a shady crack or fake copy: the risk came from software distributed through the legitimate DAEMON Tools channel.[1]

Kaspersky reported that malicious code was added to signed DAEMON Tools components on April 8, 2026, and that the compromised downloads were still being served when researchers published their findings. The payload chain uses legitimate-looking files, including DAEMON Tools helper/service components, before fetching follow-on malware from attacker infrastructure.[2]

| Item | Details |
| --- | --- |
| Software | DAEMON Tools, a Windows disk-image mounting utility. |
| Attack type | Supply-chain compromise of official installers/components. |
| Known start date | April 8, 2026, according to Kaspersky telemetry and file timestamps. |
| Risk | Backdoor installation and possible delivery of additional malware after a user installs or updates the tool. |
| Reader action | If you installed DAEMON Tools after April 8, uninstall it, scan the PC, and wait for a clearly verified clean release before reinstalling. |

This is the same uncomfortable lesson seen in earlier supply-chain incidents such as the 3CX attack: trust in the download page is not enough when the software pipeline itself is compromised. For DAEMON Tools specifically, users who recently installed it should treat the machine as potentially exposed, especially if the installer came from the official site during the affected window.

What DAEMON Tools users should do now

First, remove DAEMON Tools until Disc Soft clearly publishes a clean build and incident guidance. Second, run a full malware scan, then check startup entries, scheduled tasks, recently created services, and unusual outbound connections. If the machine is used for work, credentials, crypto wallets, or admin access, rotate passwords from a clean device.
For people who only need to open ISO files, Windows can mount ISO images natively, so reinstalling a third-party disk-image utility is not urgent. If DAEMON Tools is still required, download only a fresh version after the vendor confirms remediation, and keep the installer hash or version noted for later verification. Users who already saw DAEMON Tools flagged as unwanted software can also compare symptoms with our older DAEMON Tools removal guide, but this new case should be handled as a stronger supply-chain malware risk, not just a bundled-app nuisance.
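
The checks listed above can be gathered in one pass with built-in Windows cmdlets. The following PowerShell is an added example, not code from Kaspersky or Disc Soft: it lists items for manual review rather than detecting the backdoor, and the installer path is a hypothetical placeholder. Run it from an elevated prompt.

```powershell
# Added triage example: collects items to review by hand. It contains no
# indicators of compromise and cannot confirm or rule out the backdoor.
$Since         = [datetime]::new(2026, 4, 8)                   # start date given in the article
$InstallerPath = "$env:USERPROFILE\Downloads\installer.exe"    # hypothetical path, adjust

# 1. Record the installer hash for later comparison with a vendor-confirmed
#    clean build. The article says the malicious components were signed, so a
#    valid signature on its own does not clear the file.
if (Test-Path -LiteralPath $InstallerPath) {
    Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256 | Format-List Algorithm, Hash, Path
}

# 2. Scheduled tasks registered on or after the start date.
#    Tasks with an empty or unparsable Date are skipped by the comparison.
Get-ScheduledTask |
    Where-Object { ($_.Date -as [datetime]) -ge $Since } |
    Select-Object TaskPath, TaskName, Date,
        @{ n = 'Action'; e = { $_.Actions.Execute -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 3. Services installed since the start date (System log, event ID 7045).
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
             Id = 7045; StartTime = $Since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Service';   e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath'; e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize -Wrap

# 4. Startup entries (Run keys and Startup folders) for all users.
Get-CimInstance -ClassName Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap

# 5. Established outbound TCP connections with the owning process.
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Select-Object RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = {
            (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object Process |
    Format-Table -AutoSize
```

Save the output off the machine before uninstalling anything, so it can be compared against the indicators in the published research.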

References

- The Hacker News. New DAEMON Tools supply-chain attack coverage. Accessed May 5, 2026.
- Kaspersky Securelist. DAEMON Tools backdoor research write-up. Published May 2026.
- TechCrunch. DAEMON Tools was hacked to spread backdoor malware to users. Published May 5, 2026.