Supply-Chain Attack Compromises Daemon Tools: Malicious Updates Infect Thousands
Introduction
In a concerning development for cybersecurity, the widely used disk image mounting application Daemon Tools has been compromised through a supply-chain attack that lasted for over a month. Researchers at Kaspersky revealed on Tuesday that malicious updates were delivered via the official servers of the app's developer, affecting a significant number of users worldwide. This incident highlights the growing threat of supply-chain attacks, where trusted software is turned into a vector for malware distribution.

Attack Details: A Month-Long Compromise
According to Kaspersky's report, the attack began on April 8 and remained active as of the publication date. The malicious updates were signed using the developer's official digital certificate, which allowed them to bypass standard security checks. Users who downloaded Daemon Tools installers from the official website unknowingly received infected versions. The compromised versions include builds 12.5.0.2421 through 12.5.0.2434, and based on technical evidence, the malware only targets systems running Windows. Neither Kaspersky nor AVB (the developer of Daemon Tools) could provide additional comments at the time of reporting.
How the Backdoor Operates
The infection process is subtle: when an affected installer is executed, it replaces legitimate Daemon Tools executables with malicious versions. Because those executables run automatically at system boot, the malware gains persistence without creating any separate artifact, which makes detection harder. The malicious code is further designed to evade antivirus software by relying on the trusted signature of the legitimate developer.
Payload and Targets: What the Attackers Stole
The initial payload deployed by the attackers is a data collection module. It gathers a range of system information, including:
- MAC addresses
- Hostnames
- DNS domain names
- List of running processes
- Installed software inventory
- System locale settings
This data is then transmitted to a command-and-control server operated by the attackers. Kaspersky reported that thousands of machines across more than 100 countries were affected. However, the attackers showed selective interest: only about 12 machines received a second-stage payload. These targeted machines belonged to organizations in the retail, scientific research, government, and manufacturing sectors. This limited distribution of the advanced payload suggests that the attackers are conducting targeted espionage rather than indiscriminate data theft.
Why Did Only a Few Receive the Follow-On Payload?
The follow-on payload is more sophisticated and likely designed for deeper system compromise, data exfiltration, or network propagation. The fact that only a small number of high-value targets received it indicates a carefully planned operation, possibly by a state-sponsored group or an advanced persistent threat (APT) actor. The attackers may have used the initial data collection to profile victims and select those with the most valuable information.

Hard to Defend Against: Supply-Chain Challenges
Supply-chain attacks like this one are particularly dangerous because they exploit the trust users place in official software sources. Since the updates were signed with a legitimate digital certificate, traditional defenses such as signature-based antivirus or reputation checks would not flag them as malicious. The attack vector is similar to previous high-profile incidents, including the SolarWinds breach and the compromise of the CCleaner software. Organizations are advised to implement additional security measures:
- Application whitelisting – only allow approved executables to run.
- Behavioral analysis – monitor processes for unusual network connections or file modifications.
- Regular certificate revocation checks – ensure that software signatures are still valid and not misused.
Kaspersky's report did not specify whether the compromised certificate has been revoked, but users should update to a patched version once available and consider using alternative disk mounting tools in the interim.
Conclusion: Implications and Next Steps
The Daemon Tools backdoor serves as a stark reminder that even widely trusted applications can be weaponized. With thousands of machines affected across numerous countries, the incident underscores the need for continuous monitoring and a defense-in-depth strategy. Users of Daemon Tools should immediately check their version numbers (12.5.0.2421 to 12.5.0.2434) and update to a clean build as soon as the developer releases an update. For businesses, this incident reinforces the importance of scrutinizing software supply chains and implementing robust endpoint detection and response (EDR) solutions.
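The version check the article recommends can be scripted so that it is run consistently across a fleet rather than read off an About dialog. The following PowerShell is an added example, not code from the article, from Kaspersky, or from AVB. It walks the standard Windows uninstall registry keys, picks out entries whose display name contains "DAEMON Tools" (an assumption; the article does not give the exact registered product name or key layout), and reports whether the installed build falls inside the range the article names as compromised, 12.5.0.2421 through 12.5.0.2434.

```powershell
# Added example (not from the article, Kaspersky, or AVB): report whether an
# installed DAEMON Tools build falls in the version range the article names
# as compromised. Assumes the product registers under the usual Uninstall
# registry keys with a DisplayName containing "DAEMON Tools" (assumption).

$CompromisedMin = [version]'12.5.0.2421'
$CompromisedMax = [version]'12.5.0.2434'

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall entries
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-CompromisedBuild {
    # Returns $true if the version is inside the reported range, $false if
    # outside it, and $null if the string cannot be parsed as a.b.c.d.
    param([string]$VersionString)
    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) {
        return $null
    }
    return ($v -ge $CompromisedMin -and $v -le $CompromisedMax)
}

$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }

if (-not $entries) {
    Write-Output 'No DAEMON Tools entry found in the uninstall registry keys.'
    return
}

foreach ($e in $entries) {
    $flag = Test-CompromisedBuild $e.DisplayVersion
    if ($null -eq $flag) {
        $status = 'version unknown - inspect manually'
    } elseif ($flag) {
        $status = 'IN COMPROMISED RANGE - reinstall from a clean build once released'
    } else {
        $status = 'outside the reported range'
    }
    [pscustomobject]@{
        Name     = $e.DisplayName
        Version  = $e.DisplayVersion
        Location = $e.InstallLocation
        Status   = $status
    }
}
```

Run it from an elevated prompt so both HKLM hives are readable. A build outside the listed range is not proof that a host is clean: the article notes the attack was still active when Kaspersky published, so the range may grow, and the result should be combined with the behavioral and network monitoring the article recommends.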
As investigations continue, the cybersecurity community will be watching closely to see if the attackers release additional payloads or target other software in similar ways. Until then, vigilance and proactive security hygiene remain the best defenses.