Kaspersky Flags Supply Chain Backdoor in Daemon Tools; Thousands of Infection Attempts Detected

Security researchers at Kaspersky have identified a backdoor embedded in the official Windows installer of Daemon Tools, a widely deployed disc-imaging application. The Moscow-based cybersecurity firm said on 5 May 2026 that it had logged thousands of infection attempts and confirmed at least a dozen successful compromises following users' installation of the booby-trapped software package.
The finding marks one of the more technically sophisticated supply-chain intrusions documented this year. Unlike attacks that depend on tricking a user into running an untrusted file, a compromised official installer delivers malicious code through a trusted distribution channel, turning the very mechanism users rely on to keep their systems current into the infection vector.
What the malware does
Kaspersky's technical analysis, shared in a report published to the company's Threat Intelligence Portal on 5 May 2026, describes a modified Daemon Tools installer that appears functionally identical to the legitimate build. The altered package carries an additional dormant component that activates after installation and establishes a reverse shell, an outbound connection through which an attacker can issue commands on the compromised machine remotely. Researchers have tentatively attributed the campaign to Chinese-speaking threat actors based on code similarities with previously documented tooling, infrastructure patterns, and linguistic markers in the command-and-control communications.
The attribution carries caveats that the security community has grown accustomed to when nation-state activity is alleged. Code reuse is common across threat groups, infrastructure overlaps can be manufactured to misdirect investigators, and the forensic trail in supply-chain attacks is often partial. Independent researchers who have reviewed Kaspersky's initial findings describe the technical evidence as credible but say full attribution will require additional forensic work on compromised endpoints.
Daemon Tools, produced by Disc Soft Ltd, is a long-established utility for creating and mounting virtual disc images. Its user base spans both individual consumers and corporate environments, particularly in regions where physical media emulation remains a common IT task. The scope of the exposure is still being mapped; Kaspersky has published indicators of compromise that allow organisations to scan for the malicious installer hash.
A structural vulnerability, not an isolated incident
Supply-chain compromises of widely distributed software are not a novel category. The SolarWinds Orion incident of 2020, the XZ Utils backdoor of 2024, and multiple compromised libraries distributed through open-source package managers have demonstrated the sector's persistent exposure to this attack vector. What these incidents share is a common structural feature: the adversary targets the development or distribution pipeline rather than the end user, exploiting the trust that software updates and official installers carry.
The structural argument cuts in both directions. Kaspersky, a Russian firm whose products have been barred from US federal systems since 2017 over espionage concerns, occupies an ambiguous position in Western threat models. Western security vendors have, for their part, documented Chinese state-sponsored groups such as APT41 and the Volt Typhoon cluster targeting telecommunications, energy, and critical-infrastructure sectors. The mutual suspicion creates an analytical bind: attribution to Chinese actors is taken seriously in Western capitals when Western firms make it, while the same claim from a Russian vendor is discounted by the governments most likely to act on it, and Beijing dismisses both.
Widespread exposure and the attribution question
Kaspersky has characterised the campaign as "widespread," a descriptor that reflects the volume of infection attempts rather than a confirmed count of compromised hosts. Thousands of attempts against a product with a user base measured in the millions does not automatically translate to mass compromise; most corporate endpoint-protection suites would be expected to flag the malicious payload at installation. The at least twelve confirmed compromises likely represent endpoints where defences were absent or delayed, or where the attacker moved quickly enough to establish persistence before telemetry could be collected.
Independent cybersecurity practitioners who have examined the Kaspersky reporting note that the backdoor's dormancy — it activates post-installation rather than on download — is consistent with an operational philosophy that values stealth over speed. Bulk deployment without immediate activation is the signature of threat actors seeking long-term access to high-value targets rather than opportunistic cryptocurrency mining or ransomware deployment.
Stakes and the path forward
The immediate stakes fall on two constituencies. End users who have installed Daemon Tools from official channels in recent months should compute the hash of the installer they ran and compare it against the indicators of compromise Kaspersky published. Organisations running the software in enterprise environments face a more complex remediation: full endpoint forensics to determine whether the dormant component activated, whether the reverse shell connected out, and what commands were issued before detection.
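The check described above, automated as a PowerShell script. This is an added example and is not code from Kaspersky's report, from Disc Soft, or from the wire post the article draws on. It assumes an IoC file holding one hex SHA-256 per line (the article says only that Kaspersky published a hash, so the algorithm and file format are assumptions), that installers sit under the user's Downloads or TEMP directories, and that their filenames contain "daemon tools"; all three are adjustable parameters.

```powershell
# Added example, not code from Kaspersky or Disc Soft. Hashes installers found on a
# Windows host and flags any whose SHA-256 appears in an IoC list. Assumptions
# (not from the published report): the IoC file holds one hex SHA-256 per line,
# installers live under Downloads or TEMP, and their names contain "daemon tools".
param(
    [string[]]$SearchPaths = @("$env:USERPROFILE\Downloads", "$env:TEMP"),
    [string]$IocFile = ".\daemon_tools_iocs.txt"   # assumed format: one SHA-256 per line
)

# Load the IoC hashes into a lookup table. Anything that is not a 64-hex-char
# SHA-256 is ignored, so comment lines or stray whitespace do not break matching.
$IocHashes = @{}
if (Test-Path -Path $IocFile) {
    foreach ($line in Get-Content -Path $IocFile) {
        $h = $line.Trim().ToLowerInvariant()
        if ($h -match '^[0-9a-f]{64}$') { $IocHashes[$h] = $true }
    }
} else {
    Write-Warning "IoC file '$IocFile' not found; only signature status will be reported."
}

# Candidate installers. The filename pattern is an assumption; widen it if needed.
$candidates = Get-ChildItem -Path $SearchPaths -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '(?i)daemon.?tools.*\.(exe|msi)$' }

$results = foreach ($f in $candidates) {
    # Get-FileHash returns uppercase hex; normalise to match the lookup table.
    $sha256 = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        SHA256    = $sha256
        IocMatch  = $IocHashes.ContainsKey($sha256)
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Modified  = $f.LastWriteTime
    }
}

$results | Format-Table -AutoSize

# An IoC match is the actionable signal: isolate the host and begin endpoint forensics.
# A Valid signature does NOT clear a file. If the vendor's build or signing pipeline
# was compromised, a trojanised installer can carry the vendor's own signature, and
# a hash that is absent from the list only means it is not one of the published variants.
$hits = @($results | Where-Object { $_.IocMatch })
if ($hits.Count -gt 0) {
    Write-Warning ("{0} installer(s) match published IoC hashes:`n{1}" -f $hits.Count, ($hits.Path -join "`n"))
}
```

Run it from an elevated PowerShell session after saving the published hashes to the IoC file; the signature column is reported for context only, because a hash match, not signature status, is what ties a file to the campaign.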
The longer-term stakes concern the integrity of software distribution more broadly. Each successful supply-chain compromise erodes user trust in official update channels, nudging security-conscious organisations toward stricter code-signing requirements, reproducible builds, and binary transparency logs, mechanisms that make an unauthorised change to a shipped binary detectable by comparing it against what the published source produces and against a public, append-only record of what was released. The technical countermeasures exist; the coordination to deploy them across the fragmented software ecosystem remains incomplete.
Beijing has not issued a statement on the Kaspersky findings as of the time of publication. Chinese state media's standard response to foreign attribution of cyber activity, that the US and its allies routinely scapegoat China for threats they cannot otherwise explain, provides a structural frame that any official rebuttal would likely follow. Whether this particular incident rises to a level that provokes a formal diplomatic response depends on whether the attribution case strengthens with independent corroboration.
Kaspersky published its indicators of compromise for the malicious Daemon Tools installer on 5 May 2026. Disc Soft Ltd had not issued a public statement at time of publication.
Wire provenance
This editorial synthesis draws on the following public wire/social posts:
- https://x.com/pirat_nation/status/1930845271891234816