
Daemon Tools Users Urged to Update After Month-Long Supply Chain Attack Delivers Malicious Updates

Last updated: 2026-05-12 04:41:03 · Technology

Breaking: Daemon Tools Backdoored in Ongoing Supply Chain Attack

A critical supply chain attack has compromised the widely used disk imaging software Daemon Tools, security researchers at Kaspersky announced Tuesday. The attack began on April 8 and remains active, with malicious updates signed by the developer's official digital certificate being pushed to users via the official website.

Source: feeds.arstechnica.com

"This is a sophisticated attack that leverages the trust users place in legitimate software updates," said a Kaspersky researcher. "The malware is executed at boot time, making it particularly hard to detect." Thousands of machines across more than 100 countries have been targeted, though only about 12 have received a second-stage payload.

Infected Versions and Payload Details

Affected versions include Daemon Tools 12.5.0.2421 through 12.5.0.2434. The infection appears to be limited to Windows systems. The initial payload collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales, sending them to an attacker-controlled server.

Kaspersky noted that the second-stage payload, deployed to a select group of retail, scientific, government, and manufacturing organizations, suggests a targeted espionage campaign. Neither Kaspersky nor developer AVB could be reached for additional comment.


Background

Daemon Tools is widely used for mounting disk images, with millions of downloads. Supply chain attacks, where attackers compromise the software distribution pipeline, are increasingly common. Past incidents include the SolarWinds and Kaseya attacks.

This attack is notable for its use of a stolen or compromised certificate, making the malicious files appear legitimate. Users who downloaded Daemon Tools after April 8 are at risk.

What This Means

Users should immediately check their Daemon Tools version and update to the latest secure build if available. Organizations should verify the integrity of their software downloads and consider using endpoint detection tools to scan for the specific payload indicators.
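
The version check described above can be run across a fleet from a software-inventory export. The following Python is an added example, not code from the article, Kaspersky, or the vendor; the CSV column names, host names, and sample rows are constructed assumptions, and only the version range comes from the article.

```python
import csv
import io
import re

# Affected range as stated in the article, inclusive at both ends.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

def parse_version(text):
    """Return a 4-part integer tuple, or None if not a dotted numeric version."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){0,3}", text):
        return None
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(version_text):
    """Compare numerically per field; string comparison would misorder 999 vs 2434."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"  # route to manual review instead of passing silently
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "outside-range"

def triage(inventory_csv, product_match="daemon tools"):
    """Return (host, product, version, status) for rows whose product name matches."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [
        (r["host"], r["product"], r["version"], classify(r["version"]))
        for r in rows
        if product_match in r["product"].lower()
    ]

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,version
ws-001,Daemon Tools,12.5.0.2421
ws-002,Daemon Tools,12.5.0.2434
ws-003,Daemon Tools,12.5.0.2420
ws-004,Daemon Tools,12.5.0.2435
ws-005,Daemon Tools,12.5.0.999
ws-006,Daemon Tools,unknown
ws-007,Other Product,12.5.0.2425
"""

if __name__ == "__main__":
    for host, product, version, status in triage(SAMPLE):
        print(f"{host}\t{product}\t{version}\t{status}")
```

An "outside-range" result reflects only the version numbers the article lists, and "unparsed" rows need a manual look.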

The attack underscores the need for software vendors to implement stronger code-signing protections and for users to exercise caution even with signed updates. As supply chain attacks grow more sophisticated, proactive monitoring and incident response plans are essential.