A sustained supply-chain attack on Daemon Tools, a widely trusted Windows utility for mounting disk images, has delivered malicious payloads to systems worldwide through trojanized installer files. Security researchers at Kaspersky uncovered the campaign, which persisted for weeks and remained active at the time of their report.
The attack began on April 8 and was still ongoing when Kaspersky disclosed the findings. Attackers compromised the official Daemon Tools update infrastructure, replacing legitimate installer files with malicious versions signed by the developer’s valid digital certificate. Once installed, these backdoored executables execute malware at system startup, evading many detection mechanisms.
Malware profile and attack scope
The primary malware strain collects sensitive system information, including MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locale settings. This data is transmitted to attacker-controlled command-and-control servers. According to Kaspersky, the campaign targeted thousands of machines across more than 100 countries.
The attack appears selective. Out of the total infected systems, only about a dozen machines—belonging to organizations in retail, scientific research, government, and manufacturing sectors—received a secondary payload. This suggests the attackers used the initial data collection phase to identify high-value targets before deploying additional malicious code.
Affected versions and mitigations
Kaspersky identified affected versions as Daemon Tools 12.5.0.2421 through 12.5.0.2434. The compromised installer files were distributed through the official Daemon Tools website, making the attack particularly insidious. Users who installed Daemon Tools during the campaign period should assume their systems may be compromised, even if the software appears to function normally.
To detect potential infections, users should check installed software versions and scan systems for unusual network activity or unauthorized processes. Kaspersky recommended revoking trust in any Daemon Tools executables signed during the attack window and restoring from clean backups if necessary. Neither Kaspersky nor the Daemon Tools developer AVB responded to requests for further details beyond the initial disclosure.
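As an added example (not code from the article, Kaspersky, or the Daemon Tools developer), the following PowerShell check inventories installed Daemon Tools entries against the affected version range named above and lists signer, thumbprint and write-time details for binaries in the install directory, so they can be compared against the attack window and a known-good install. It assumes a standard Windows host where installs appear under the usual Uninstall registry keys; the window start date is a placeholder, since the article gives only "April 8" without a year.

```powershell
# Added example (not the article's or the vendor's code). $WindowStart is an
# assumed placeholder: the article gives "April 8" with no year.
param(
    [datetime]$WindowStart = [datetime]'2025-04-08',   # ASSUMED placeholder date
    [version]$AffectedMin  = [version]'12.5.0.2421',   # range from the article
    [version]$AffectedMax  = [version]'12.5.0.2434'
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Installed-software inventory via the standard Uninstall registry keys.
$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }
foreach ($app in $installs) {
    $ver = $null
    $inRange = $false
    if ([version]::TryParse([string]$app.DisplayVersion, [ref]$ver)) {
        $inRange = ($ver -ge $AffectedMin) -and ($ver -le $AffectedMax)
    }
    [pscustomobject]@{
        Name            = $app.DisplayName
        Version         = $app.DisplayVersion
        InAffectedRange = $inRange
        InstallLocation = $app.InstallLocation
    }
    if (-not ($app.InstallLocation -and (Test-Path $app.InstallLocation))) { continue }
    # A valid Authenticode signature is not a clean bill of health: the article
    # says the trojanized installers carried the developer's own valid certificate,
    # so record signer, thumbprint and write time to compare against the window
    # and against a known-good install, rather than trusting 'Valid' alone.
    Get-ChildItem -Path $app.InstallLocation -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File            = $_.FullName
                SigStatus       = $sig.Status
                Signer          = $sig.SignerCertificate.Subject
                Thumbprint      = $sig.SignerCertificate.Thumbprint
                LastWrite       = $_.LastWriteTime
                WrittenInWindow = ($_.LastWriteTime -ge $WindowStart)
            }
        } | Where-Object { $_.WrittenInWindow -or $_.SigStatus -ne 'Valid' }
}
```

Files flagged here are candidates for comparison with a clean reference install and with the vendor's published hashes, not confirmed infections on their own.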
Supply-chain attacks rise as a persistent threat
This incident highlights the growing risk of supply-chain attacks, where attackers compromise widely used software to distribute malware to numerous downstream users. Such attacks are difficult to defend against because they leverage legitimate software distribution channels and valid cryptographic signatures, undermining trust in established update mechanisms.
As software supply chains become more complex and interconnected, organizations must implement layered security measures, including endpoint detection, network monitoring, and strict software update validation. Users should remain vigilant about verifying software authenticity and applying security patches promptly.
The Daemon Tools campaign demonstrates that even mature, widely adopted utilities are not immune to sophisticated supply-chain compromises, underscoring the need for continuous vigilance in cybersecurity practices.
AI summary
Details on the backdoor attack detected in widely used disk-image software such as Daemon Tools. Learn how the attack works, whom it targeted, and how to protect against it.