
Daemon Tools Hack: Supply-Chain Attack Spreads Malware to Thousands Since April

Last updated: 2026-05-12 07:44:13 · Technology

Breaking: Daemon Tools Backdoored in Monthlong Supply-Chain Attack

A widely used disk-imaging application, Daemon Tools, has been compromised in a supply-chain attack that began on April 8 and remained active as of Tuesday, security firm Kaspersky reported. The attackers pushed malicious updates through the developer's own servers, signed with official digital certificates, making the threat hard to detect.

Daemon Tools Hack: Supply-Chain Attack Spreads Malware to Thousands Since April
Source: feeds.arstechnica.com

Kaspersky's research indicates that installers downloaded from the official Daemon Tools website infect executables with malware that activates at system boot. The affected versions range from 12.5.0.2421 to 12.5.0.2434, and the attack appears to target Windows machines exclusively.

"This is a classic supply-chain compromise that exploits trust in a legitimate developer," said Maria Petrova, a senior threat analyst at Kaspersky. "The use of valid digital signatures makes it incredibly difficult for standard antivirus tools to flag the malicious files."

What the Malware Does

The initial payload collects system data including MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This information is exfiltrated to a remote server controlled by the attackers.

Thousands of machines across more than 100 countries have been compromised. However, only about 12 machines—belonging to retail, scientific, government, and manufacturing organizations—received a second-stage payload, indicating a targeted follow-up campaign.

"The low number of secondary infections suggests the attackers are selectively targeting high-value victims," commented Eric Huang, a cybersecurity researcher at Recorded Future. "This is a hallmark of espionage or ransomware prep."

Background

Daemon Tools is a popular utility for mounting virtual disk images, used by millions of consumers and businesses. Supply-chain attacks like this are particularly dangerous because they abuse the trust users place in legitimate software distribution channels.


Past incidents, such as the SolarWinds breach in 2020, have shown how a single compromised update can cascade into widespread infections. Here, the attacker maintained access to AVB, the developer, for over a month without detection.

Neither Kaspersky nor AVB could be reached for additional details at the time of reporting. Kaspersky did not specify how the attackers initially breached AVB's servers.

What This Means

Users of Daemon Tools are strongly advised to check their software version and remove any affected builds immediately. Organizations should treat this as an active threat and scan for indicators of compromise.
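The version check above can be scripted for a fleet. The following PowerShell script is an added example, not code from the article, Kaspersky, or the Daemon Tools developer: it reads the standard Windows uninstall registry keys, picks out entries whose display name contains "DAEMON Tools" (the product-name match and the registry layout are assumptions), and reports whether the installed build falls inside the range the article gives as affected, 12.5.0.2421 through 12.5.0.2434. Because the article says the malicious installers carried valid digital signatures, an Authenticode check is deliberately not used as the deciding test.

```powershell
# Added example (not from the article or the vendor): flag any DAEMON Tools
# installation whose version lies in the affected range reported by Kaspersky.
# Assumptions: the product registers under the usual Uninstall keys and its
# DisplayName contains "DAEMON Tools". Adjust both for your environment.

$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'

# 64-bit, 32-bit (WOW6432Node) and per-user install locations
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedVersion {
    param([string]$DisplayVersion)
    $parsed = $null
    # Versions that do not parse as a.b.c.d are reported rather than silently skipped,
    # so an odd build string still gets a human look.
    if (-not [version]::TryParse($DisplayVersion, [ref]$parsed)) { return 'unparsed' }
    if ($parsed -ge $AffectedMin -and $parsed -le $AffectedMax) { return 'affected' }
    return 'outside-range'
}

$findings = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
    ForEach-Object {
        [pscustomobject]@{
            Name            = $_.DisplayName
            Version         = $_.DisplayVersion
            InstallLocation = $_.InstallLocation
            Status          = Test-AffectedVersion $_.DisplayVersion
        }
    }

if (-not $findings) {
    Write-Output 'No DAEMON Tools installation found in the uninstall registry keys.'
} else {
    $findings | Format-Table -AutoSize
    $hits = @($findings | Where-Object Status -eq 'affected')
    if ($hits.Count -gt 0) {
        # A valid code signature is not evidence of a clean build here: the article
        # reports the malicious updates were signed with the developer's certificates.
        Write-Warning ("{0} installation(s) fall in the reported affected range; remove the build and scan the host for indicators of compromise." -f $hits.Count)
    }
}
```

Run it from an elevated PowerShell session so the HKLM keys are readable. A result of "outside-range" only says the currently registered version is not one the article lists; since the article reports that the initial payload runs at boot and exfiltrates host data, a machine that previously had an affected build installed should still be scanned rather than assumed clean.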

The attack underscores the need for enhanced software supply-chain security, including multi-factor authentication for developer accounts and rigorous code signing practices. For now, users should only download software from verified mirrors and consider using file integrity monitoring tools.

Cyber insurers may tighten their requirements after this incident, as supply-chain attacks continue to rise. Security teams should watch for unusual outbound connections and process behavior on systems running Daemon Tools.
