Backdoor in Daemon Tools: Thousands of Windows PCs Infected
- The dynamics of the attack: how a backdoor enters a company
- Who's behind it: the Chinese hacker hypothesis
- Immediate impact on Italian SMEs with Windows machine fleets
- What to do now: priority actions in the next 48 hours
- The construction site is still open: supply chain security as a structural priority
- Outlook: What awaits us in the coming months
Kaspersky has identified a large-scale malicious campaign. Hackers, presumably of Chinese origin, allegedly inserted a backdoor into counterfeit versions of Daemon Tools, the popular Windows software for managing disk images. Researchers have already documented at least a dozen confirmed compromises and thousands of infection attempts.
Therefore, any organization using Daemon Tools on Windows corporate machines must consider itself potentially exposed. In particular, Italian SMEs—often lacking dedicated security personnel—represent a high-risk target. Consequently, the immediate priority is to verify the origin of installations present within the company and isolate suspicious systems.
At SHM Studio we constantly monitor the digital threat landscape to support our client SMEs in managing cyber risk. In summary: this incident confirms that the software supply chain, even for seemingly innocuous tools, is a primary attack vector today. Acting promptly is essential.
The attack dynamic: how a backdoor enters a company
On May 5, 2026, Kaspersky researchers published a technical analysis that immediately captured the attention of the cybersecurity community. According to what was reported by TechCrunch, the attack vector is Daemon Tools, software widely used in the Windows environment for managing disk images in ISO format and similar.
Specifically, attackers reportedly distributed modified versions of the program through unofficial channels. Users who downloaded and installed these versions unknowingly opened a remote-access backdoor on their systems. The damage therefore stems not from a vulnerability in the original software but from the replacement of the installer with a compromised copy: the official build is not affected, and the two can only be told apart by checking where the installer came from and whether its digital signature and hash match the vendor's, not by looking at the version number.
Kaspersky estimates thousands of infection attempts and at least twelve confirmed compromises. However, the actual number could be significantly higher, considering that many SMEs lack advanced detection tools.
Who's behind it: the Chinese hacker hypothesis
Kaspersky researchers attribute the operation to a threat group presumably linked to China. Attribution in the cyber realm, however, always remains a complex exercise. The technical indicators, including command-and-control infrastructure and obfuscation techniques, are consistent with campaigns previously documented by other security vendors.
According to Gartner Cybersecurity Insights, software supply chain attacks are constantly increasing, so it is no surprise that popular software like Daemon Tools has become a strategic vector. Past incidents involving CCleaner and SolarWinds belong to the same family, with one difference worth noting: in those cases the vendor's own build and distribution pipeline was compromised, so even official downloads were malicious, whereas here the official installer is intact and the risk lies entirely in copies obtained outside official channels.
In addition to this, the choice of Daemon Tools is not random. The software is particularly widespread in small to medium-sized business contexts, often lacking strict policies on installation management. Therefore, the profile of potential victims exactly matches that of Italian SMEs.
Immediate impact on Italian SMEs with Windows machine fleets
Italian small and medium-sized businesses represent a significant share of Windows users in Europe. In many cases, internal IT departments are small or absent. For this reason, software management often occurs informally, with downloads from unverified sources.
The concrete risk for an SME is therefore twofold. First, sensitive data (credentials, customer data, financial information) can be exfiltrated through the installed backdoor. Second, once an endpoint is compromised, the attacker can move laterally within the company network and reach critical systems.
At SHM Studio we work daily with SMEs that manage B2B and retail customer data, so we understand well how a single compromised endpoint can become the entry point for a much larger breach. A company's digital strategy cannot proceed without a minimum level of cybersecurity.
What to do now: priority actions in the next 48 hours
Faced with an active and documented threat, the response must be swift and methodical. Here are the priority actions that every IT manager or SME owner should initiate immediately.
- Installation census: check all company devices for the presence of Daemon Tools. Verify the installed version, the hash of the executable file and its digital signature against the official ones, and find out where each installer was downloaded from.
- Preventive isolation: any machine with installations of dubious origin must be isolated from the company network until the analysis is complete.
- Scan with updated tools: perform a full scan with EDR solutions or antivirus software updated with the latest definitions. Kaspersky has already released specific signatures for this threat.
- Download policy review: introduce or strengthen company policies on software installation, limiting downloads to official and verified channels only.
- Notify the DPO: if the compromised systems process personal data, assess with the DPO whether the breach must be notified to the Data Protection Authority within 72 hours, as required by the GDPR.
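As a worked example of the census and verification steps above, and of the installer-substitution point made earlier (the official build is intact; only the copies in circulation differ), here is a PowerShell script written for this article. It is not code from Kaspersky or from the Daemon Tools vendor. It enumerates DAEMON Tools entries in the Windows uninstall registry, hashes the installed executables and any installer left in users' Downloads folders, and checks each file's Authenticode signature. The known-good hash list and the expected signer name are placeholders, assumed here and to be filled in from a copy obtained directly from the official site; until you do, every file is reported as unverified.

```powershell
# Added example for this article (not vendor or Kaspersky code).
# Inventory DAEMON Tools on one Windows host, hash the binaries and
# check their Authenticode signatures. Run as Administrator.

# Placeholder, not vendor data: SHA-256 values of the official installer and
# executables, taken from a copy downloaded from the official site.
$KnownGoodSha256 = @()

# Assumption: fragment of the signer's certificate subject. Read the exact
# subject from a clean official copy before relying on this value.
$ExpectedSubjectFragment = 'Disc Soft'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-DaemonToolsInstalls {
    # Registry census: what is installed, which version, which publisher string.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation, UninstallString
}

function Test-BinaryTrust {
    param([Parameter(Mandatory)][string]$Path)

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # $null means "no reference hashes configured yet", not "matches".
    $hashKnownGood = if ($KnownGoodSha256.Count -eq 0) { $null } else { $KnownGoodSha256 -contains $hash }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        HashKnownGood   = $hashKnownGood
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        # A valid signature from an unexpected signer is still a red flag:
        # a trojanized build can carry someone else's certificate.
        SignerExpected  = ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSubjectFragment*")
    }
}

$findings = @()

foreach ($app in Get-DaemonToolsInstalls) {
    Write-Host "Found: $($app.DisplayName) $($app.DisplayVersion) (publisher: $($app.Publisher))"
    if ($app.InstallLocation -and (Test-Path $app.InstallLocation)) {
        Get-ChildItem -Path $app.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += Test-BinaryTrust -Path $_.FullName }
    }
}

# Installers left in Downloads folders are the artefact that tells you
# where the copy came from; keep them for the analysis, do not delete them.
Get-ChildItem -Path 'C:\Users\*\Downloads' -Filter '*DAEMON*Tools*.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += Test-BinaryTrust -Path $_.FullName }

$findings | Format-Table Path, SignatureStatus, SignerExpected, HashKnownGood -AutoSize

$suspicious = $findings | Where-Object { -not $_.SignerExpected -or $_.HashKnownGood -eq $false }

if ($suspicious) {
    $report = Join-Path $env:TEMP "daemontools-findings-$env:COMPUTERNAME.csv"
    $suspicious | Export-Csv -Path $report -NoTypeInformation
    Write-Warning "$(@($suspicious).Count) file(s) failed signature or hash verification; report in $report. Isolate this host pending analysis."
    exit 1
}
```

Run it from an elevated PowerShell session on each workstation, or push it through your RMM tool, and collect the CSV files centrally. An exit code of 1 is the signal to pull the machine off the network before anyone looks further; a clean signature check alone is not a clean bill of health, since the hash comparison only becomes meaningful once the reference list is filled from an official download.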
Additionally, follow the indicators of compromise that Kaspersky and other vendors publish for this campaign. Note that the CISA Known Exploited Vulnerabilities (KEV) catalog tracks exploited CVEs; a trojanized installer that exploits no software vulnerability would not normally appear there, so the vendor advisories, not the catalog, are the place to look for updates on this threat.
The construction site is still open: supply chain security as a structural priority
This incident is not an isolated event. On the contrary, it fits into an established trend in which attackers target the software supply chain rather than the victim's systems directly. According to recent McKinsey research, organizations that invest in software supply chain controls significantly reduce their exposed attack surface.
However, for many Italian SMEs, supply chain security remains an abstract concept. In fact, daily operational priorities leave little room for strategic security planning. Yet, as the Daemon Tools case demonstrates, even seemingly trivial utility software can become a critical vector.
For this reason, the AI and automation consulting that SHM Studio offers SMEs always includes an overall digital risk assessment. Integrating security into digitalization processes is not an additional cost: it is a necessary condition for operational continuity. Similarly, the choice of digital tools, from web systems to marketing platforms, must consider security requirements from the design phase.
Outlook: What awaits us in the coming months
The campaign documented by Kaspersky may not be over. Therefore, in the coming weeks, new indicators of compromise and additional victims are likely to emerge. Furthermore, it is reasonable to expect that other Windows utility software—with large user bases and limited distribution controls—will be targeted with similar techniques.
In this scenario, Italian SMEs operating in B2B and retail must accelerate the transition to more structured IT management models. This doesn't necessarily mean setting up an in-house SOC. Instead, it means adopting minimal digital hygiene practices: centralized update management, privileged access control, and regular staff training.
Finally, anyone who manages digital campaigns, whether on Google Ads or LinkedIn or through SEO activities, must consider that a compromised system can invalidate months of work. Analytics data, advertising platform credentials and corporate blog content are all exposed assets in case of a breach. Cybersecurity is therefore not exclusively a technical issue: it is a component of digital marketing and online reputation. To learn more or request an evaluation, you can contact the SHM Studio team. Strategic copywriting and a company's digital presence are worth only as much as the security of the systems that host them.