Kaspersky suspects Chinese hackers planted a backdoor in Daemon Tools in a “large-scale” attack.

Source: TechCrunch


Security researchers at Kaspersky say they have identified a malicious backdoor implanted in popular, long-running Windows disk imaging software, Daemon Tools.

The Russian cybersecurity company said on Tuesday that data collected from computers around the world running Kaspersky antivirus software shows that a “large-scale” attack is underway, targeting thousands of Windows computers using Daemon Tools.

The hackers, whom Kaspersky linked to a Chinese-speaking group based on malware analysis, used a backdoor in Daemon Tools to plant additional malware on dozens of computers in the retail, scientific and manufacturing sectors, as well as government systems. Kaspersky said the hacking of these specific computers involved a “targeted” effort.

The company said that the targeted organizations are located in Russia, Belarus and Thailand.

Kaspersky said the backdoor was first discovered on April 8.

Kaspersky said it contacted Disc Soft, the company that maintains Daemon Tools, but did not say whether the developer responded or took action. Kaspersky said the supply chain attack “remains active,” suggesting that hackers could still plant malware on thousands of computers running the disk imaging software.

This is the latest in a series of so-called “supply chain” attacks that have targeted developers of popular software in recent months. Hackers are increasingly targeting the accounts of developers working on widely used code and software, and abusing this access to push malicious code to anyone who relies on the software. This approach allows hackers to break into a large number of computers at once when their malicious code is delivered as a software update.

Earlier this year, hackers linked to the Chinese government hijacked the popular text editing software Notepad++ to deliver malware to a number of organizations with interests in East Asia. Security researchers also warned of another attack last month targeting users who visited the CPUID website, which makes the popular HWMonitor and CPU-Z tools.

TechCrunch downloaded the Windows installer from the Daemon Tools website, and the file appeared to contain a backdoor when we checked it with the online malware scanning service VirusTotal.

It is not known whether the macOS version of Daemon Tools was compromised, or whether other applications created by Disc Soft were affected.

When contacted for comment, a Disc Soft representative said they are “aware of the report and are currently investigating the situation.”

“Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this point, we are not in a position to confirm the specific details referenced in the report. However, we are taking all necessary steps to address any potential risks and to ensure the security of our users,” the representative said.

Do you know more about the cyber attack targeting Daemon Tools users? Did you receive an alert from your antivirus software telling you you’re affected? We want to hear from you. To communicate securely with this reporter, contact the Signal username zackwhittaker.1337.



🕒 **Posted on**: 1778054558
