Daemon Tools Under Siege: A Month-Long Supply Chain Attack Compromises Disk Imaging Software


The Breach: A Silent Infiltration of Daemon Tools

In a startling revelation that has sent ripples through the cybersecurity community, Daemon Tools—a widely trusted utility for mounting virtual disk images—has been weaponized in a prolonged supply-chain attack. According to researchers at Kaspersky, the compromise began on April 8 and was still active at the time of their disclosure. The attackers managed to inject malicious code directly into the software's official installer, which was then signed with the developer's authentic digital certificate and hosted on the official Daemon Tools website.

Source: feeds.arstechnica.com

The trojanized installer registered the malware to run automatically at every boot, giving the attackers a persistent foothold on each infected machine. Kaspersky did not name the target operating system explicitly, but the technical indicators point to Windows, and only systems running Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 appear to be affected. Neither Kaspersky nor the software developer, AVB, had released further details at the time of this writing.

Anatomy of the Attack: How the Backdoor Works

Stage One: Information Harvesting

The infected installer deploys an initial payload that acts as a reconnaissance tool. Once activated, it stealthily collects a wide array of system data, including:

  • MAC addresses and hostnames of the infected machine
  • DNS domain names and network configurations
  • List of currently running processes and installed software
  • System locale and language settings

This stolen information is then exfiltrated to an attacker-controlled server, giving the adversaries a detailed snapshot of each compromised environment. The campaign has already impacted thousands of machines spread across more than 100 countries, underscoring the global reach of the compromise.

Stage Two: Targeted Follow-On Payloads

While the initial infection was broad, the attackers exhibited a high degree of selectivity in deploying the next phase. Among the thousands of infected systems, only approximately 12 received a second, more dangerous payload. These targets belong to organizations in retail, scientific research, government, and manufacturing sectors—suggesting that the attackers are meticulously picking their battles for maximum impact or intelligence value.

This pattern is a hallmark of advanced persistent threats (APTs), where initial widespread compromise is used as a filter to identify high-value victims for deeper exploitation.

Why This Attack Is Especially Hard to Defend Against

Supply-chain attacks of this nature are particularly dangerous because they pass the trust checks that normally stand between a download and execution. The installer carries a valid signature from the software's legitimate developer, and a signature only proves which key signed the file, not that the file is benign. Antivirus software, endpoint detection tools, and manual inspection may therefore accept the installer, because the cryptographic check it is designed to pass genuinely succeeds.

Furthermore, the attack rides on the distribution channel itself: the official website and update path that users and administrators are conditioned to trust implicitly. Organizations that followed best practice by automatically deploying updates from official sources were not protected; they were inadvertently rolling the backdoor out across their entire fleet.


What Users and Admins Can Do to Mitigate Risk

While the attack is already widespread, there are steps that can be taken to limit further damage and protect against future incidents:

  1. Verify Software Integrity: Before installing or updating Daemon Tools, check the file's digital signature and compare its checksum against known good values provided by the developer (if available). In this incident the malicious installer carried a valid developer signature, so a passing signature check is not sufficient on its own; a hash match against values published by the vendor or by Kaspersky is the stronger test.
  2. Monitor for Indicators of Compromise: Look for unexpected connections to unknown IP addresses, unusual processes at boot time, and any Daemon Tools-related executables that were modified or created outside of normal update cycles.
  3. Implement Application Control: Use endpoint security solutions that can enforce application whitelisting and restrict the execution of unsigned or unapproved binaries. Because this installer was validly signed, a publisher-only rule would have allowed it; where possible, pin approved versions by hash or explicitly block the affected version range.
  4. Segment Networks: Ensure that critical assets, especially those in government, scientific, and manufacturing environments, are isolated from systems that run everyday software like Daemon Tools.
  5. Patch and Update with Caution: Even though this incident involves a compromised update channel, continuing to apply non-Daemon Tools security patches is essential. For this specific software, consider using only the latest version if it is confirmed clean, or remove the application entirely until a thorough investigation is complete.
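The following PowerShell script is an added example, not code from the article, from Kaspersky, or from AVB. Run from an elevated prompt on a Windows host, it walks items 1 and 2 above and illustrates the point of the previous section: it flags an installed build inside the version range the article names, records the Authenticode status, signer and SHA-256 of a downloaded installer (showing that the signature check alone would pass), and lists boot-time autostart entries that reference the product. The display-name match `DAEMON Tools`, the installer path, and the autostart locations searched are my assumptions, not published indicators; treat any hit as something to review, not as confirmation of compromise.

```powershell
# Added triage example (not the article's or vendor's code). Assumptions are marked.
$AffectedMin = [version]'12.5.0.2421'   # range named in the article
$AffectedMax = [version]'12.5.0.2434'
$NamePattern = 'DAEMON Tools'           # assumed display/path string

# 1. Installed version, read from the Uninstall keys rather than the app's own UI.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*$NamePattern*" }

foreach ($app in $installed) {
  $v = $null
  if ([version]::TryParse($app.DisplayVersion, [ref]$v) -and
      $v -ge $AffectedMin -and $v -le $AffectedMax) {
    Write-Warning "$($app.DisplayName) $v is inside the affected range"
  } else {
    Write-Output "$($app.DisplayName) $($app.DisplayVersion): outside the affected range"
  }
}

# 2. Installer integrity. A Valid status only proves the vendor key signed the file;
#    the compromised build carried exactly that. Record signer and SHA-256 so the file
#    can be compared against hashes published by the vendor or by Kaspersky.
$installer = 'C:\Downloads\DTLite.exe'   # assumed path to the downloaded installer
if (Test-Path $installer) {
  $sig  = Get-AuthenticodeSignature -FilePath $installer
  $hash = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
  [pscustomobject]@{
    File   = $installer
    Status = $sig.Status                      # 'Valid' does not mean 'benign'
    Signer = $sig.SignerCertificate.Subject
    SHA256 = $hash
  } | Format-List
}

# 3. Boot-time persistence: autostart entries whose command references the product.
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
  if (Test-Path $k) {
    (Get-ItemProperty -Path $k).PSObject.Properties |
      Where-Object { $_.Value -is [string] -and $_.Value -match $NamePattern } |
      ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
  }
}
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -match $NamePattern } |
  Select-Object Name, StartMode, PathName
Get-ScheduledTask |
  Where-Object { $_.Actions.Execute -match $NamePattern } |
  Select-Object TaskName, TaskPath, State
```

The version comparison uses `[version]` rather than string comparison so that `12.5.0.2434` sorts correctly against `12.5.0.900`-style strings. Keep the SHA-256 output with the host record: once the vendor or Kaspersky publish hashes for the clean and trojanized builds, that value is what lets you classify the file without re-downloading it.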

The Bigger Picture: Supply Chain Security in the Spotlight

The Daemon Tools incident is yet another stark reminder that no software is immune to supply-chain compromise. As attackers continue to evolve their tactics, targeting the very pipelines through which legitimate software flows, both developers and end-users must adopt a more paranoid posture. The attack's month-long duration and the careful selection of follow-on targets indicate a well-resourced adversary with specific objectives.

Organizations should treat this as a wake-up call to audit their software supply chain, reconsider trust assumptions, and invest in behavioral monitoring tools that can detect anomalies even when traditional signatures fail. For now, Daemon Tools users are advised to check their versions, monitor for suspicious activity, and await official guidance from AVB and cybersecurity authorities.
