Massive Supply-Chain Attack Infects Daemon Tools Users with Malware for Over a Month
Critical Security Alert: Daemon Tools Backdoored in Ongoing Supply-Chain Attack
Daemon Tools, a widely used disk imaging utility, has been compromised in a supply-chain attack that began on April 8 and continues as of this report. Security firm Kaspersky revealed that malicious updates signed with the developer's official digital certificate have been pushed to users downloading the software from the official website.
"The attack has been active for over a month, and infected installers are still being distributed," said a Kaspersky researcher. "This is a sophisticated attack that targets users through trusted channels."
See the Background section for more context and What This Means for implications.
Affected Versions and Scope
Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 are affected. Only Windows versions are impacted, based on technical details. Kaspersky reported that thousands of machines across more than 100 countries have been infected.
Out of the infected machines, approximately 12—belonging to retail, scientific, government, and manufacturing organizations—have received a follow-on payload, indicating a targeted attack on specific groups. "This suggests a highly selective operation," the researcher added.
Background
Daemon Tools is a popular application for mounting disk images, used by millions worldwide. Supply-chain attacks are particularly dangerous because they compromise software at the source, bypassing traditional security measures. Attackers can inject malware into legitimate updates that users trust.
This incident follows a pattern of increasing supply-chain attacks, such as the SolarWinds breach. "These attacks are hard to defend against because the malware comes from a trusted source," noted a cybersecurity expert. Neither Kaspersky nor developer AVB could be reached for additional comment at the time of publication.
What This Means
Users of Daemon Tools should immediately check their version and verify digital signatures. If you have installed any version between 12.5.0.2421 and 12.5.0.2434, your system may be compromised. The initial payload collects sensitive system information including MAC addresses, hostnames, and running processes, sending it to an attacker-controlled server.
Organizations in retail, science, government, and manufacturing should conduct thorough incident response. The attack highlights the need for enhanced software supply chain security and runtime monitoring.
Kaspersky advises users to update to the latest version after confirming it is free of malware. However, until the developer addresses the breach, caution is advised. Update: Kaspersky has not yet provided additional details on remediation.
Related Articles
- The Agentic Cloud Revolution: Your Questions Answered on Cloudflare’s Latest Innovations
- 10 Key Insights Into the Rural Guaranteed Minimum Income Initiative
- Transform Your Google Home Mini into a Private Smart Speaker with This $85 Open-Source Board
- How to Choose Between the Two Toyota Crown Signia Trims
- Google Chrome's Hidden AI Data File Swallows Up To 4GB of Storage, Users Report
- Breaking: Small Businesses Suffer from Financial Data Lag – Real-Time Insights Become a Survival Imperative
- David Attenborough Turns 100: A New Wasp Species Honours a Lifetime of Nature Storytelling
- Orion for Linux Beta v0.3 Adds Content Blocker and Download Manager