Farkesli
2026-05-12
Technology

Daemon Tools Users Targeted in Month-Long Supply Chain Attack, Kaspersky Reveals

Daemon Tools hit by supply chain attack since April 8; malicious signed updates infect thousands, with selective follow-up payloads targeting organizations.

Breaking News — A widely used disk imaging application, Daemon Tools, has been compromised in a supply chain attack that has been active since April 8, cybersecurity firm Kaspersky announced Tuesday. The attack has pushed malicious updates signed with the developer's official digital certificate, infecting thousands of machines across more than 100 countries.

"This is a highly sophisticated attack that targets the software supply chain itself," said a Kaspersky researcher in a statement. "Attackers are exploiting the trust users place in digitally signed updates from legitimate developers."

Affected Versions

The infected versions include Daemon Tools 12.5.0.2421 through 12.5.0.2434. Based on technical details provided by Kaspersky, only Windows versions appear to be affected. Users who downloaded updates from the official website during this period may have installed the backdoored software.

Source: feeds.arstechnica.com

Note: Thousands of machines were targeted, but only about 12 — belonging to retail, scientific, government, and manufacturing organizations — received a follow-up payload, indicating a highly selective campaign.

What the Malware Does

The initial payload collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This data is sent to an attacker-controlled server. The malware then executes at boot time, ensuring persistence on the infected system.

Background

Daemon Tools is a popular utility for mounting virtual disk images, used by millions of IT professionals and gamers worldwide. Supply chain attacks occur when hackers compromise a software vendor's infrastructure to distribute malware through legitimate updates. This type of attack is particularly difficult to defend against because the updates are signed with the developer's own digital certificate, appearing authentic to security software and users alike.


The attack was discovered by Kaspersky researchers who noticed anomalies in the digital signatures. They traced the malicious updates to the developer's update server, which had been hijacked for over a month.

What This Means

This attack underscores the growing threat of supply chain compromises. Users of Daemon Tools should immediately check their version number and, if affected, remove the software and run a full system scan. Organizations must verify the integrity of all software updates, even those signed by trusted developers.

"This is a wake-up call for the industry," added the Kaspersky researcher. "We need better methods to validate signed binaries beyond just the signature itself."

How to Protect Yourself

  • Check your Daemon Tools version — if between 12.5.0.2421 and 12.5.0.2434, uninstall immediately.
  • Run a reputable antivirus or anti-malware scan.
  • Monitor network traffic for suspicious outbound connections.
  • Consider using application control policies in enterprise environments.
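For the version check in the first step, the following PowerShell sketch is an added example, not code from Kaspersky or the vendor. It reads the standard Windows uninstall registry keys and compares any Daemon Tools entry against the range given above; the `DAEMON Tools*` display-name pattern and the presence of a four-part `DisplayVersion` value are assumptions about how the installer registers itself.

```powershell
# Added example. Range taken from the article: 12.5.0.2421 through 12.5.0.2434 (inclusive).
$low  = [version]'12.5.0.2421'
$high = [version]'12.5.0.2434'

# Standard per-machine (64-bit and 32-bit views) and per-user uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the installer registers a DisplayName beginning with "DAEMON Tools".
$entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' }

$findings = foreach ($entry in $entries) {
    $parsed = $null
    if ([version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
        # [version] compares numerically per component, not as text,
        # so 12.5.0.999 sorts below 12.5.0.2421.
        if ($parsed -ge $low -and $parsed -le $high) { $status = 'AFFECTED' }
        else { $status = 'OutsideRange' }
    } else {
        # Missing or non-numeric version string: flag for a manual look, do not guess.
        $status = 'UnknownVersion'
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        DisplayName    = $entry.DisplayName
        DisplayVersion = $entry.DisplayVersion
        Status         = $status
    }
}

if (-not $findings) {
    Write-Output 'No Daemon Tools entry found in the uninstall registry keys.'
} else {
    $findings | Format-Table -AutoSize
}
```

A clean result here only says no affected build is currently registered as installed; it does not show that a machine was never infected, so the scan and network-monitoring steps still apply.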

Kaspersky has provided indicators of compromise (IOCs) on its blog. Users can also report suspicious activity to local cybersecurity authorities. The developer of Daemon Tools, AVB, has not yet issued a public statement.
