Daemon Tools Users Urged to Update After Month-Long Supply Chain Attack Delivers Malicious Updates
Breaking: Daemon Tools Backdoored in Ongoing Supply Chain Attack
A critical supply chain attack has compromised the widely used disk imaging software Daemon Tools, security researchers at Kaspersky announced Tuesday. The attack began on April 8 and remains active, with malicious updates signed by the developer's official digital certificate being pushed to users via the official website.
"This is a sophisticated attack that leverages the trust users place in legitimate software updates," said a Kaspersky researcher. "The malware is executed at boot time, making it particularly hard to detect." Thousands of machines across more than 100 countries have been targeted, though only about 12 have received a second-stage payload.
Infected Versions and Payload Details
Affected versions include Daemon Tools 12.5.0.2421 through 12.5.0.2434. The infection appears to be limited to Windows systems. The initial payload collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales, sending them to an attacker-controlled server.
Kaspersky noted that the second-stage payload, deployed to a select group of retail, scientific, government, and manufacturing organizations, suggests a targeted espionage campaign. Neither Kaspersky nor developer AVB could be reached for additional comments.
Background
Daemon Tools is widely used for mounting disk images, with millions of downloads. Supply chain attacks, where attackers compromise the software distribution pipeline, are increasingly common. Past incidents include the SolarWinds and Kaseya attacks.
This attack is notable for its use of a stolen or compromised certificate, making the malicious files appear legitimate. Users who downloaded Daemon Tools after April 8 are at risk.
What This Means
Users should immediately check their Daemon Tools version and update to the latest secure build if available. Organizations should verify the integrity of their software downloads and consider using endpoint detection tools to scan for the specific payload indicators.
The attack underscores the need for software vendors to implement stronger code-signing protections and for users to exercise caution even with signed updates. As supply chain attacks grow more sophisticated, proactive monitoring and incident response plans are essential.
Related Articles
- Lessons from the Courtroom: How a Legal Misstep Unfolded in Musk v. Altman
- Designing with Heart: Bridging the Gap Between Intent and Accessible Websites
- 8 Ways Ubuntu's New Permission Prompts Put You in Control
- Critical ASP.NET Core Flaw Allows Total System Takeover on Linux, macOS – Patch Now
- Qualcomm XPAN Audio Technology: New Products and Updates on the Horizon
- Rust 1.94.1 Patch Release: Key Fixes and Security Update Explained
- How to Determine Whether Humans Are More Closely Related to Cats or Dogs
- A Step-by-Step Guide to Managing App Permissions in Ubuntu's New Prompt System