
CyberSecurity

ZionSiphon Malware: A New Cyber Threat to Water Treatment and Desalination Plants


Security researchers have uncovered a new strain of malware, dubbed ZionSiphon, that specifically targets water treatment and desalination infrastructure. Discovered by Darktrace, this malicious software combines traditional endpoint hacking techniques with capabilities designed to interfere with industrial control systems (ICS). The discovery signals a worrying trend in cyberattacks aimed at critical infrastructure.

ZionSiphon is not just another piece of code—it’s a purpose-built tool that could potentially disrupt essential services. In this article, we break down how it works, what it targets, and why it matters for the security of water infrastructure.

How ZionSiphon Malware Targets Water Systems

The malware includes hardcoded references to specific infrastructure components, such as desalination plants and wastewater systems. It also checks for software linked to reverse osmosis and chlorine control. This targeting logic ensures that the malware only activates under precise geographic and environmental conditions.

For example, the code restricts execution to IP ranges associated with Israel. It also embeds politically charged messages, hinting at the motivations behind the campaign. However, these strings do not affect execution—they simply provide context for the attackers’ intent.

Sabotage Functions and ICS Network Scanning

Once deployed in a qualifying environment, ZionSiphon attempts to manipulate local configuration files tied to industrial processes. It appends predefined values related to chlorine dosing and system pressure. If successful, this could disrupt water treatment operations, leading to unsafe water quality or system failures.

In addition, the malware includes a network discovery routine that scans local subnets for ICS devices. It probes common industrial protocols, including Modbus, DNP3, and S7comm. Darktrace observed that the Modbus-related functionality is the most developed, allowing the malware to read and potentially modify register values. However, implementations for DNP3 and S7comm appear incomplete, suggesting partial development or testing stages.
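The two behaviours described above, a subnet sweep for ICS devices and Modbus register writes, are both visible in connection logs from the OT network. The following is an added detection example, not code from the article or from Darktrace: it parses a constructed, simplified connection log (fields and IP addresses are made up for this example), flags any source that contacts many distinct Modbus endpoints within a short window, and flags Modbus write function codes coming from hosts that are not on an engineering-workstation allowlist. The allowlist and thresholds are assumptions to be tuned per site.

```python
"""Detect ICS subnet sweeps and unexpected Modbus writes in constructed connection logs.

Added example, not the article's or Darktrace's code. The log format
("ts,src_ip,dst_ip,dst_port,func_code"), the IP addresses and the allowlist
are constructed for this demonstration.
"""
from collections import defaultdict

# Modbus function codes that change device state (coil/register writes), per the Modbus spec.
MODBUS_WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
MODBUS_PORT = 502

# Constructed allowlist (hypothetical): hosts permitted to write to PLCs.
APPROVED_WRITERS = {"10.0.1.5"}

# Constructed sample log: one approved workstation doing normal reads/writes,
# and one unexpected host sweeping ten PLC addresses, then issuing a write.
SAMPLE_LOG = """\
1700000000,10.0.1.5,10.0.2.10,502,3
1700000001,10.0.1.5,10.0.2.10,502,6
1700000010,10.0.1.77,10.0.2.10,502,3
1700000011,10.0.1.77,10.0.2.11,502,3
1700000012,10.0.1.77,10.0.2.12,502,3
1700000013,10.0.1.77,10.0.2.13,502,3
1700000014,10.0.1.77,10.0.2.14,502,3
1700000015,10.0.1.77,10.0.2.15,502,3
1700000016,10.0.1.77,10.0.2.16,502,3
1700000017,10.0.1.77,10.0.2.17,502,3
1700000018,10.0.1.77,10.0.2.18,502,3
1700000019,10.0.1.77,10.0.2.19,502,3
1700000020,10.0.1.77,10.0.2.10,502,16
"""


def parse_log(text):
    """Parse the constructed CSV format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, func = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "func": int(func)})
    return records


def detect_sweeps(records, min_targets=8, window=60):
    """Return (src, distinct_targets) for sources that touch >= min_targets
    distinct Modbus hosts within `window` seconds (one alert per source)."""
    by_src = defaultdict(list)
    for r in records:
        if r["port"] == MODBUS_PORT:
            by_src[r["src"]].append(r)
    alerts = []
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rs)):
            # slide the window start forward until it spans <= window seconds
            while rs[end]["ts"] - rs[start]["ts"] > window:
                start += 1
            targets = {r["dst"] for r in rs[start:end + 1]}
            if len(targets) >= min_targets:
                alerts.append((src, len(targets)))
                break
    return alerts


def detect_unauthorized_writes(records):
    """Return (src, dst, func) for Modbus writes from hosts outside the allowlist."""
    return [(r["src"], r["dst"], r["func"]) for r in records
            if r["port"] == MODBUS_PORT
            and r["func"] in MODBUS_WRITE_FUNCS
            and r["src"] not in APPROVED_WRITERS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("sweeps:", detect_sweeps(recs))
    print("unauthorized writes:", detect_unauthorized_writes(recs))
```

The sweep rule fires as soon as the eighth distinct PLC is touched, so a slow scan spread over minutes still needs the window widened; the write rule is the higher-confidence signal, because in most water plants only a handful of engineering hosts should ever issue Modbus function codes 5, 6, 15 or 16.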

Key Capabilities of the Water Infrastructure Malware

ZionSiphon exhibits several notable features designed to compromise water infrastructure:

  • Subnet-wide scanning for ICS devices using common OT protocols
  • Attempts to modify chlorine dosing and pressure parameters
  • Propagation via removable media using disguised executables
  • Persistence through registry modifications and hidden file placement

Despite these capabilities, the analyzed sample contains a flaw in its country validation logic. This error prevents the malware from correctly identifying intended targets. As a result, it may fail to activate its payload and instead trigger a self-deletion routine.

Indicators of Early-Stage OT Malware Development

The incomplete elements within ZionSiphon point to a tool still under development or not fully operational at the time of analysis. Errors in execution logic and partially implemented protocol support limit its immediate effectiveness. Even so, the structure of the malware reflects a growing interest among threat actors in developing tools capable of interacting directly with industrial processes.

Its combination of IT-based infection methods and OT-specific targeting illustrates an evolving approach to critical infrastructure attacks. While this version may not pose an immediate operational threat, it demonstrates how adversaries are experimenting with techniques that could, in more mature forms, disrupt physical systems and essential services.

For more on OT security, check out our article on OT cyber threats and learn how to protect your industrial control systems.

What This Means for Water Sector Cybersecurity

This discovery underscores the urgent need for enhanced cybersecurity measures in the water sector. As malware like ZionSiphon evolves, utilities must prioritize network segmentation, regular patching, and employee training to mitigate risks. Collaboration between government agencies and private companies is also crucial to share threat intelligence and develop robust defenses.

In conclusion, while ZionSiphon may be an early-stage threat, it serves as a stark reminder that critical infrastructure remains a prime target for cyberattacks. Staying vigilant and proactive is the best defense against such emerging dangers.

Kaspersky Uncovers Chinese Hackers’ Backdoor in Daemon Tools: A Widespread Supply Chain Attack

Security researchers at Kaspersky have identified a malicious backdoor embedded in the popular Windows disc imaging software, Daemon Tools. This discovery marks a significant supply chain attack that compromises thousands of computers globally.

According to a Tuesday report from the Russian cybersecurity firm, data collected from systems running Kaspersky’s antivirus software reveals a “widespread” campaign targeting Windows machines that use Daemon Tools. The hackers, linked by malware analysis to a Chinese-speaking group, exploited this backdoor to infiltrate a dozen high-value targets.

How the Chinese Hackers Backdoor Daemon Tools Works

Kaspersky’s investigation shows that the backdoor was first detected on April 8. The attackers used it to deploy additional malware on computers in the retail, scientific, and manufacturing sectors, as well as government systems. The narrow victim set suggests a “targeted” effort, with victims located in Russia, Belarus, and Thailand.

The company noted that the supply chain attack remains “still active,” meaning the hackers can continue to plant malware on any system running the compromised software. This is a classic example of a supply chain attack, where malicious code is injected into legitimate software updates, affecting all users who download them.

The Mechanics of the Daemon Tools Backdoor

When TechCrunch downloaded the Windows installer from Daemon Tools’ official website, a check with the online malware scanner VirusTotal confirmed the presence of the backdoor. It remains unclear whether the macOS version of Daemon Tools or other Disc Soft applications are affected.

Kaspersky contacted Disc Soft, the company behind Daemon Tools, but did not disclose whether the developer responded or took immediate action. The ongoing nature of the attack raises concerns about the security of software supply chains.

Why This Supply Chain Attack Matters

This incident is part of a growing trend of supply chain attacks targeting popular software. Earlier this year, Chinese government-associated hackers hijacked the text editing software Notepad++ to deliver malware. Similarly, security researchers warned of an attack on CPUID, maker of HWMonitor and CPU-Z tools.

Supply chain attacks are particularly dangerous because they allow hackers to compromise a large number of systems at once by inserting malicious code into trusted software updates. This approach exploits the trust users place in legitimate applications, making it harder to detect.

For more insights on protecting your systems, read our guide on how to prevent supply chain attacks.

Response from Daemon Tools Developer Disc Soft

When contacted for comment, a Disc Soft representative stated they are “aware of the report and are currently investigating the situation.” The representative added, “Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users.”

This response indicates that Disc Soft is taking the threat seriously, but users should remain cautious. As the investigation unfolds, it is crucial for organizations using Daemon Tools to monitor for unusual activity and apply any security patches promptly.

What Users Should Do Now

If you use Daemon Tools on Windows, consider temporarily uninstalling the software until Disc Soft releases a clean update. Run a full antivirus scan with a reputable solution like Kaspersky or Malwarebytes to check for infections. Additionally, review your system for any signs of compromise, such as unexpected network traffic or new processes.

Building on this, organizations in the affected sectors should conduct a thorough security audit. Implementing strict software update policies and using endpoint detection tools can help mitigate risks. For further reading, check our article on best practices for software supply chain security.

Finally, stay informed about the latest cybersecurity threats. Following trusted security blogs and subscribing to threat intelligence feeds can provide early warnings. As this story develops, we will update with more details from Kaspersky and Disc Soft.

TechCrunch Disrupt 2026 BOGO Deal: 5 Days to Save 50% on a Second Pass

Time is running out to take advantage of an exclusive TechCrunch Disrupt 2026 BOGO offer. For the next five days, you can buy one pass and get 50% off a second ticket of the same type. This limited-time promotion ends on May 8 at 11:59 p.m. PT, after which prices will increase.

Whether you bring a co-founder, a colleague, or a partner, attending with someone else transforms your experience. Instead of trying to cover everything alone, you can split up, compare notes, and maximise every conversation.

Why You Should Bring a Plus-One to Disrupt 2026

From October 13 to 15 in San Francisco, TechCrunch Disrupt 2026 brings together over 10,000 founders, investors, and tech leaders. With more than 300 showcasing startups and 250 tactical sessions, no single person can absorb it all.

Attending with a teammate changes the game. You can divide and conquer — one person hits the investor meetups while the other explores the startup battlefield. Later, you can debrief and decide which opportunities to pursue. This approach makes the event far more productive.

As a result, you leave with actionable insights and a clear next step, not just a pile of business cards.

How the Disrupt 2026 BOGO Offer Works

The buy-one-get-one-half-off deal applies when you purchase two passes of the same ticket type by May 8. This means you can bring someone from your team without doubling your budget.

Investor Pass: Save $499

Buy one Investor pass and get a second for 50% off — a $499 savings. Connect directly with founders, access curated networking, and speed up your deal flow. Bringing another investor helps you compare signals and act faster on promising startups.

Founder Pass: Save $399

Buy one Founder pass and get a second for 50% off — a $399 savings. Meet investors aligned with your stage, hear what’s working from operators, and challenge your assumptions. Attending with a co-founder lets you divide and conquer the event more effectively.

If you’re ready to pitch, the Startup Battlefield 200 offers a chance at VC exposure, TechCrunch coverage, and a $100,000 equity-free prize.

Attendee Pass: Save Up to $444

Buy one Attendee pass and get a second for 50% off — up to $444 savings. Designed for product, engineering, growth, and go-to-market teams, this pass gives you access to stages, breakouts, and networking to optimise your roadmap.

Non-Profit Pass: Save $214

Buy one Non-profit pass and get a second for 50% off — a $214 savings. Connect with builders and investors to explore how emerging tech can drive real-world impact. Bringing a peer helps turn insights into actionable projects.

Expo+ Pass: Save $149

Buy one Expo+ pass and get a second for 50% off — a $149 savings. Explore the show floor, scout talent, demo emerging tech, and land your next role at a high-growth company. With a plus-one, you can cover more ground and spot more opportunities.

From Idea to IPO: What Makes Disrupt Unique

TechCrunch Disrupt 2026 isn’t just another conference. It’s where startups figure out what’s next — from raising capital to scaling operations. You’ll find value if you’re building a product, evaluating opportunities, or simply trying to stay ahead in tech.

The real value comes from connecting with people facing the same challenges and learning from those who have already succeeded. Check the Disrupt events page to see the full agenda and speaker lineup.

Building on this, the conference also features the Startup Battlefield 200, where early-stage companies pitch to top VCs and compete for a $100,000 prize. It’s a launchpad for the next big thing.

Don’t Miss This Limited-Time Discount

This offer is only available for five days. Once it ends on May 8, you’ll pay full price for both passes. Lock in your savings now and bring someone who can help you get more out of the event.

Buy one pass. Get 50% off the second (same ticket type). Decide who you’re bringing, and secure your passes before the deadline. Register now to save up to $499 and amplify the value you get from being at Disrupt.

North Korean Hackers Blamed for $290 Million KelpDAO Crypto Heist: A Sophisticated Raid

The largest cryptocurrency theft of the year so far has been linked to state-backed North Korean hackers, with the decentralized finance protocol KelpDAO losing approximately $290 million in rsETH tokens over the weekend. The KelpDAO crypto heist has sent shockwaves through the DeFi community, highlighting the growing sophistication of threat actors targeting cross-chain infrastructure.

How the KelpDAO Crypto Heist Unfolded

KelpDAO operates as a liquid restaking protocol, accepting Liquid Staking Tokens (LSTs) such as stETH, ETHx, and sfrxETH, and issuing rsETH in return. On Saturday, the firm detected suspicious cross-chain activity involving rsETH, prompting an immediate pause of operations.

According to the company, attackers stole 116,500 rsETH—worth around $293 million—and funneled the funds through Tornado Cash to obscure the trail. The breach exploited the LayerZero infrastructure that KelpDAO relies on for cross-chain communication.

LayerZero uses Decentralized Verifier Networks (DVNs), independent entities that verify the integrity of cross-chain messages. On April 18, the notorious North Korean Lazarus Group targeted LayerZero Labs’ DVN by poisoning downstream RPC infrastructure. The attackers gained access to the list of RPCs used by the DVN, compromised two independent nodes, and swapped out binaries running op-geth nodes.

“Because of our least-privilege principles, they were unable to compromise the actual DVN instances. However, they used this pivot point to execute an RPC-spoofing attack,” LayerZero explained. The hackers then launched a DDoS attack against non-compromised RPCs, triggering a failover to the poisoned ones. This allowed them to send a forged cross-chain message that was accepted as valid, enabling the unauthorized transfer of rsETH.

LayerZero Blames KelpDAO for Configuration Flaws

In a striking twist, LayerZero has pushed back against KelpDAO’s initial blame, arguing that the protocol’s single-DVN configuration was the root cause. “Operating a single-point-of-failure configuration meant there was no independent verifier to catch and reject a forged message,” LayerZero stated. It noted that best practices around DVN diversification had been communicated to KelpDAO, but the firm chose a 1/1 DVN setup.

“A properly hardened configuration would have required consensus across multiple independent DVNs, rendering this attack ineffective even in the event of any single DVN being compromised,” the company added.
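The difference between the 1/1 DVN configuration LayerZero criticises and a multi-DVN one can be shown in a small simulation. The following is an added example, not LayerZero's or KelpDAO's code: each DVN is modelled as an independent verifier that attests to a message only if it matches what the verifier itself observed on the source chain, and the receiving side counts valid attestations against a required threshold. A compromised verifier (standing in for the DVN whose RPC view was poisoned) attests to whatever it is fed. HMAC over a shared per-verifier key is used as a stand-in for the real signature scheme, and all keys and messages are constructed.

```python
"""Single-DVN versus multi-DVN acceptance of a forged cross-chain message.

Added example, not LayerZero's or KelpDAO's code. HMAC with a per-verifier
secret stands in for the verifier's signature scheme; messages are constructed.
"""
import hashlib
import hmac
import secrets


class Verifier:
    """A DVN that attests to a message by keyed-hashing its digest."""

    def __init__(self, name, honest=True):
        self.name = name
        self.key = secrets.token_bytes(32)
        # A compromised verifier attests to whatever the attacker feeds it,
        # which is the effect of the RPC-spoofing described in the article.
        self.honest = honest

    def attest(self, message, observed):
        # An honest DVN only signs what it actually observed on the source chain.
        if self.honest and message != observed:
            return None
        return hmac.new(self.key, hashlib.sha256(message).digest(), "sha256").digest()


def verify_message(message, attestations, verifiers, required):
    """Accept only if at least `required` configured verifiers attested to this exact message."""
    valid = 0
    for v in verifiers:
        sig = attestations.get(v.name)
        if sig is None:
            continue
        expected = hmac.new(v.key, hashlib.sha256(message).digest(), "sha256").digest()
        if hmac.compare_digest(sig, expected):
            valid += 1
    return valid >= required


def simulate(required, verifiers, genuine, presented):
    """Attacker presents `presented`; honest DVNs still observe `genuine`."""
    attestations = {}
    for v in verifiers:
        sig = v.attest(presented, genuine)
        if sig is not None:
            attestations[v.name] = sig
    return verify_message(presented, attestations, verifiers, required)


GENUINE = b"mint 1 rsETH to 0xaaaa"          # constructed
FORGED = b"mint 116500 rsETH to 0xattacker"  # constructed


def single_dvn_accepts_forgery():
    """1/1 configuration: the lone verifier is compromised, so the forgery passes."""
    compromised = Verifier("dvn-a", honest=False)
    return simulate(1, [compromised], GENUINE, FORGED)


def two_dvn_rejects_forgery():
    """2-of-2 configuration: the honest verifier withholds its attestation."""
    compromised = Verifier("dvn-a", honest=False)
    independent = Verifier("dvn-b")
    return simulate(2, [compromised, independent], GENUINE, FORGED)


def two_dvn_accepts_genuine():
    """2-of-2 configuration still passes legitimate traffic."""
    verifiers = [Verifier("dvn-a", honest=False), Verifier("dvn-b")]
    return simulate(2, verifiers, GENUINE, GENUINE)


if __name__ == "__main__":
    print("1/1 accepts forgery:", single_dvn_accepts_forgery())
    print("2/2 accepts forgery:", two_dvn_rejects_forgery())
    print("2/2 accepts genuine:", two_dvn_accepts_genuine())
```

The threshold only helps if the verifiers are actually independent: two DVNs that read the same poisoned RPC endpoints would both attest to the forgery, which is why the diversification LayerZero refers to is about operators and infrastructure, not merely the number configured.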

Fortunately, around a quarter of the stolen funds—approximately 30,766 ETH ($71 million)—have been frozen by Arbitrum’s Security Council, providing a small silver lining in an otherwise devastating incident.

Lazarus Group’s Growing Sophistication

Security experts warn that the Lazarus Group is demonstrating increasingly advanced operational capabilities. “These environments are not being tested by smash and grab actors, they are being pressured by disciplined adversaries who understand how to chain together weak points across infrastructure, applications, and trust relationships,” said Pete Luban, CISO at AttackIQ. “Groups like Lazarus are not just walking away richer, they are walking away better, with more resources to scale tooling, refine techniques, and reinvest in future campaigns.”

Nick Tausek, lead security automation architect at Swimlane, echoed this sentiment, noting the attack followed a familiar North Korean pattern of “patient intrusion, manipulation of trust, and detection suppression.” He added: “By compromising infrastructure tied to LayerZero’s verifier role, they’ve stepped into a trusted position in the transaction flow and abused that trust to push forged messages downstream. That’s what makes third-party breaches so dangerous in crypto: the blast radius rarely stops with the initial victim.”

Lessons for DeFi Security

This incident underscores the critical importance of robust cross-chain security configurations. For DeFi protocols, relying on a single verifier is clearly a high-risk strategy. As the KelpDAO crypto heist shows, even well-funded projects can fall victim to sophisticated adversaries when best practices are ignored.

Moving forward, protocols should adopt multi-DVN setups, regularly audit their infrastructure, and stay informed about emerging threats. For more insights on protecting DeFi assets, check out our guide on DeFi security best practices and learn how to secure cross-chain transactions.

The Lazarus Group’s ability to chain together multiple vulnerabilities—from RPC poisoning to DDoS attacks—highlights the need for a defense-in-depth approach. As the crypto industry matures, so too must its security posture.
