Massive Supply-Chain Attack Infects Daemon Tools Users with Malware for Over a Month
Critical Security Alert: Daemon Tools Backdoored in Ongoing Supply-Chain Attack
Daemon Tools, a widely used disk imaging utility, has been compromised in a supply-chain attack that began on April 8 and continues as of this report. Security firm Kaspersky revealed that malicious updates signed with the developer's official digital certificate have been pushed to users downloading the software from the official website.
"The attack has been active for over a month, and infected installers are still being distributed," said a Kaspersky researcher. "This is a sophisticated attack that targets users through trusted channels."
See the Background section for more context and What This Means for implications.
Affected Versions and Scope
Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 are affected. Only Windows versions are impacted, based on technical details. Kaspersky reported that thousands of machines across more than 100 countries have been infected.
Out of the infected machines, approximately 12—belonging to retail, scientific, government, and manufacturing organizations—have received a follow-on payload, indicating a targeted attack on specific groups. "This suggests a highly selective operation," the researcher added.
Background
Daemon Tools is a popular application for mounting disk images, used by millions worldwide. Supply-chain attacks are particularly dangerous because they compromise software at the source, bypassing traditional security measures. Attackers can inject malware into legitimate updates that users trust.
This incident follows a pattern of increasing supply-chain attacks, such as the SolarWinds breach. "These attacks are hard to defend against because the malware comes from a trusted source," noted a cybersecurity expert. Neither Kaspersky nor developer AVB could be reached for additional comment at the time of publication.
What This Means
Users of Daemon Tools should immediately check their version and verify digital signatures. If you have installed any version between 12.5.0.2421 and 12.5.0.2434, your system may be compromised. The initial payload collects sensitive system information including MAC addresses, hostnames, and running processes, sending it to an attacker-controlled server.
Organizations in retail, science, government, and manufacturing should conduct thorough incident response. The attack highlights the need for enhanced software supply chain security and runtime monitoring.
Kaspersky advises users to update to the latest version after confirming it is free of malware. However, until the developer addresses the breach, caution is advised. Update: Kaspersky has not yet provided additional details on remediation.
Related Articles
- 10 Key Updates for .NET Developers in Ubuntu 26.04
- PC Enthusiasts Mourn Loss of Functionality as Tempered Glass Cases Dominate Market
- Ask Jeeves Shuts Down After Three Decades – End of an Era for Pioneering Search Engine
- React Native 0.82: The Shift to a New Architecture Era
- FBI Recovers Deleted Signal Messages from iPhone Notification Cache
- Bridging the Gap: Making Accessibility a Design Habit
- How to Master Battlefield 6 Season 3: Vehicles, Netcode & Gadget Guide
- Navigating the Apple Intelligence Settlement: A Step-by-Step Guide to Claiming Your Compensation