Daemon Tools, a widely used application for mounting disk images, has been compromised in a month-long supply-chain attack. Researchers from Kaspersky reported on Tuesday that malicious updates were pushed from the developer’s official servers, infecting users' systems.
The attack began on April 8 and was still active when Kaspersky published its findings. The infected installers were signed with the developer's legitimate code-signing certificate and were served from the official download site, so neither the signature check nor the download source would have warned users. The trojanized installers plant malicious code inside the Daemon Tools executables themselves, and that code runs each time the system boots.
Kaspersky did not explicitly name the targeted operating system, but the technical details it published point to Windows, with Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 affected. Neither Kaspersky nor the developer, AVB, could be reached for immediate comment.
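The practical question for anyone administering Windows fleets is which hosts carry a build in the reported range. The following triage script is an added example written for this article, not code from Kaspersky or from the Daemon Tools developer. It assumes the product registers under the standard Uninstall registry keys with a DisplayName containing "DAEMON Tools" and an InstallLocation value pointing at the install directory; both are assumptions, not facts from the article. It compares the installed version numerically against the affected range and records the Authenticode signer of the installed executables for the incident file.

```powershell
# Added triage example (not from the article): flag hosts with a DAEMON Tools
# build in the reported affected range, 12.5.0.2421 through 12.5.0.2434.
# Assumptions: the product appears under the standard Uninstall keys with a
# DisplayName containing "DAEMON Tools" and an InstallLocation value.

$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }

if (-not $Found) {
    Write-Output "$env:COMPUTERNAME: no DAEMON Tools installation registered"
    return
}

foreach ($App in $Found) {
    # Parse DisplayVersion as [version] so the comparison is numeric per
    # component; a string comparison would mis-order values such as '12.5.0.999'.
    $Ver = $null
    if (-not [version]::TryParse([string]$App.DisplayVersion, [ref]$Ver)) {
        Write-Warning "$($App.DisplayName): unparseable version '$($App.DisplayVersion)'"
        continue
    }

    $InRange = ($Ver -ge $AffectedMin) -and ($Ver -le $AffectedMax)
    $Status  = if ($InRange) { 'AFFECTED RANGE' } else { 'outside reported range' }
    Write-Output "$env:COMPUTERNAME: $($App.DisplayName) $Ver -> $Status"

    # Record the Authenticode signer of the installed binaries. The trojanized
    # installers carried the developer's legitimate certificate, so a valid
    # signature does NOT clear a host in the affected range; the version number
    # is the decisive indicator and the signer is recorded only as evidence.
    if ($App.InstallLocation -and (Test-Path $App.InstallLocation)) {
        Get-ChildItem -Path $App.InstallLocation -Filter '*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $Sig = Get-AuthenticodeSignature -FilePath $_.FullName
                '{0,-30} {1,-12} {2}' -f $_.Name, $Sig.Status, $Sig.SignerCertificate.Subject
            }
    }
}
```

Run it under an account that can read HKLM, or push it through your endpoint management tooling to collect one line per host. A host reported as "AFFECTED RANGE" should be treated as compromised regardless of what the signature column shows, since the attackers signed their payload with the vendor's own certificate.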
How the Malware Operates
The infected versions of Daemon Tools contain an initial payload designed to gather sensitive system information. This includes:
- MAC addresses
- Hostnames
- DNS domain names
- Running processes
- Installed software
- System locales
The collected data is transmitted to an attacker-controlled server, where it serves as a fingerprint for choosing which hosts merit further attention. According to Kaspersky, thousands of machines across more than 100 countries reported in to this infrastructure.
Targeted Follow-On Attacks
Out of the thousands of infected machines, approximately 12 were subsequently served a secondary payload. These machines belonged to organizations in the retail, scientific research, government, and manufacturing sectors. The broad infection therefore functioned as a funnel: the first-stage reconnaissance let the attackers pick out a small number of high-value targets and withhold the second stage from everyone else.