Massive Supply-Chain Attack Infects Daemon Tools Users with Malware for Over a Month
Critical Security Alert: Daemon Tools Backdoored in Ongoing Supply-Chain Attack
Daemon Tools, a widely used disk imaging utility, has been compromised in a supply-chain attack that began on April 8 and continues as of this report. Security firm Kaspersky revealed that malicious updates signed with the developer's official digital certificate have been pushed to users downloading the software from the official website.
"The attack has been active for over a month, and infected installers are still being distributed," said a Kaspersky researcher. "This is a sophisticated attack that targets users through trusted channels."
See the Background section for more context and What This Means for implications.
Affected Versions and Scope
Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 are affected. Only Windows versions are impacted, based on technical details. Kaspersky reported that thousands of machines across more than 100 countries have been infected.
Out of the infected machines, approximately 12—belonging to retail, scientific, government, and manufacturing organizations—have received a follow-on payload, indicating a targeted attack on specific groups. "This suggests a highly selective operation," the researcher added.
Background
Daemon Tools is a popular application for mounting disk images, used by millions worldwide. Supply-chain attacks are particularly dangerous because they compromise software at the source, bypassing traditional security measures. Attackers can inject malware into legitimate updates that users trust.
This incident follows a pattern of increasing supply-chain attacks, such as the SolarWinds breach. "These attacks are hard to defend against because the malware comes from a trusted source," noted a cybersecurity expert. Neither Kaspersky nor developer AVB could be reached for additional comment at the time of publication.
What This Means
Users of Daemon Tools should immediately check their version and verify digital signatures. If you have installed any version between 12.5.0.2421 and 12.5.0.2434, your system may be compromised. The initial payload collects sensitive system information including MAC addresses, hostnames, and running processes, sending it to an attacker-controlled server.
Organizations in retail, science, government, and manufacturing should conduct thorough incident response. The attack highlights the need for enhanced software supply chain security and runtime monitoring.
Kaspersky advises users to update to the latest version after confirming it is free of malware. However, until the developer addresses the breach, caution is advised. Update: Kaspersky has not yet provided additional details on remediation.