
The Daemon Tools Supply-Chain Attack: 6 Key Facts You Must Know

Last updated: 2026-05-14 04:40:18 · Technology

In a concerning development for software supply chain security, researchers have uncovered a monthlong compromise affecting Daemon Tools, a popular disk mounting utility. The attack, active since April 8, uses official digital signatures to push malware through the developer's own update mechanism. Below are six critical facts about this ongoing threat, from how it works to who is at risk.

1. The Attack Timeline and Discovery

On April 8, the supply-chain attack on Daemon Tools began, and it remained active as of the latest report by Kaspersky on May 7. The security firm discovered that malicious updates were being served from the developer's own servers, signed with the official digital certificate. This allowed the malware to bypass standard security checks. Neither Kaspersky nor the developer (AVB) provided immediate additional details, but the incident highlights a growing trend of attackers targeting software update pipelines.

Source: feeds.arstechnica.com

2. Affected Versions and Platforms

The compromised versions are limited to Daemon Tools 12.5.0.2421 through 12.5.0.2434 running on Windows. Users on other operating systems appear unaffected. If you are using a version within this range, your software may have been backdoored. The narrow range suggests the attackers' access to the build system or update server was limited in duration, but long enough to inject malicious code into several consecutive release builds.
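Checking whether an installed build falls inside the affected range is the first step sections 2 and 6 both recommend, and it is easy to get wrong if version strings are compared as text rather than as numbers. The following is an added example, not code from the article or from AVB: it parses four-component version strings into integer tuples and scans a software inventory export. The inventory format, the hostnames and the product name are constructed for illustration; only the two boundary versions come from the article.

```python
"""Flag Daemon Tools installs whose build lies in the affected range.

Added example (not from the article or from AVB). The inventory format,
hostnames and product names are constructed assumptions; the boundary
versions 12.5.0.2421 and 12.5.0.2434 are the ones the article reports.
"""
from typing import List, Optional, Tuple

AFFECTED_FIRST = "12.5.0.2421"  # first compromised build (from the article)
AFFECTED_LAST = "12.5.0.2434"   # last compromised build (from the article)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); None if any part is non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version is within [AFFECTED_FIRST, AFFECTED_LAST] inclusive.

    Comparing integer tuples rather than strings matters: as text,
    '12.5.0.24300' sorts between '12.5.0.2421' and '12.5.0.2434', but
    numerically build 24300 is well past the range. A shorter tuple that
    is a prefix of a longer one (e.g. '12.5') sorts lower.
    """
    v = parse_version(version)
    if v is None:
        return False
    return parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST)


# Constructed inventory export: host, product, version, one record per line.
SAMPLE_INVENTORY = """\
ws-101,DAEMON Tools Lite,12.5.0.2421
ws-102,DAEMON Tools Lite,12.5.0.2420
ws-103,DAEMON Tools Lite,12.5.0.2434
ws-104,DAEMON Tools Lite,12.5.0.2435
ws-105,DAEMON Tools Lite,12.5.0.24300
ws-106,Some Other Tool,12.5.0.2430
srv-01,DAEMON Tools Lite,12.6.0.1
"""


def find_affected_hosts(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, version) pairs for Daemon Tools installs in the affected range."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        # Only the Daemon Tools product line is in scope; other software with a
        # coincidentally similar version number is ignored.
        if "daemon tools" in product.lower() and is_affected(version):
            hits.append((host, version))
    return hits


if __name__ == "__main__":
    for host, version in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Daemon Tools {version} is in the affected range; update it")
```

In practice the inventory would come from an endpoint management export or a query of the Uninstall registry keys on each host; the comparison logic is the part worth keeping.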

3. Infection Mechanism: Supply-Chain with Signed Installers

The attackers did not rely on phishing or direct user error. Instead, they compromised the update infrastructure of AVB, the developer of Daemon Tools. Installers downloaded from the official website or pushed via updates were signed with the company's legitimate digital certificate, so the malware appeared trustworthy to antivirus software and users alike. Once executed, the malicious code infects Daemon Tools' executables, ensuring it runs every time the system boots.

4. Initial Payload and Data Theft

The first-stage malware is a reconnaissance tool. It collects a range of system information, including MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This data is sent to an attacker-controlled command-and-control server. The collection helps attackers profile victims and decide which ones should receive the more dangerous second-stage payload. Without this initial reconnaissance, higher-value targets might remain undiscovered.


5. The Selective Targeting of High-Value Organizations

Out of thousands of infected machines across more than 100 countries, only about 12 systems received an additional malicious payload. These belong to retail, scientific, government, and manufacturing organizations. This indicates a targeted attack: the initial broad infection was a fishing expedition to identify entities of interest. The second-stage payload likely includes more dangerous capabilities, such as data exfiltration or ransomware, though Kaspersky has not disclosed specifics.

6. Defensive Challenges and Recommendations

Because the malware is delivered using the developer's own digital signature, traditional defenses like antivirus and application whitelisting are less effective. The attack is hard to detect until behavioral analysis flags the communication with unknown servers. Users should check whether they are running an affected version (12.5.0.2421 through 12.5.0.2434) and immediately update to a patched version. Organizations should monitor for unusual network traffic from Daemon Tools processes and review their supply chain risk management practices.
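The monitoring the section recommends comes down to one question: which Daemon Tools processes are talking to destinations the vendor's updater would never need? The following is an added example, not code from the article, AVB or Kaspersky. The log line format, the process image names, the allowlisted vendor hosts and every address in the sample telemetry are constructed assumptions (the article publishes no indicators); replace them with your own network telemetry (for example Sysmon network-connection events or EDR data) and the vendor's documented update endpoints.

```python
"""Triage outbound connections made by Daemon Tools processes.

Added example, not from the article, AVB or Kaspersky. Log format, image
names, allowlist and sample addresses are constructed assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Assumed: substrings that attribute a process image to Daemon Tools.
DAEMON_TOOLS_IMAGES = ("daemon tools", "dtlite", "dtagent")

# Assumed placeholder allowlist of vendor endpoints the updater may contact.
EXPECTED_DESTINATIONS = {"updates.vendor.invalid", "www.vendor.invalid"}

# RFC 1918 ranges are treated as internal (file shares, proxies) and reviewed separately.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format: timestamp host=... image="..." dst=ip:port [dns=name]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image="(?P<image>[^"]+)" '
    r'dst=(?P<ip>[^:\s]+):(?P<port>\d+)(?: dns=(?P<dns>\S+))?$'
)

# Constructed sample telemetry (documentation-only addresses, not real IoCs).
SAMPLE_LOG = """\
2026-05-10T12:00:01Z host=ws-101 image="C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe" dst=198.51.100.7:443 dns=updates.vendor.invalid
2026-05-10T12:00:05Z host=ws-101 image="C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe" dst=203.0.113.44:443 dns=cdn-sync.example.invalid
2026-05-10T12:01:10Z host=ws-103 image="C:\\Program Files\\DAEMON Tools Lite\\DTAgent.exe" dst=203.0.113.44:8443
2026-05-10T12:02:00Z host=ws-103 image="C:\\Windows\\explorer.exe" dst=203.0.113.44:443
2026-05-10T12:03:00Z host=ws-105 image="C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe" dst=192.168.10.5:445
"""


def is_daemon_tools(image: str) -> bool:
    """Attribute a process image path to Daemon Tools by name (case-insensitive)."""
    low = image.lower()
    return any(tag in low for tag in DAEMON_TOOLS_IMAGES)


def is_local(ip: str) -> bool:
    """True for addresses inside the RFC 1918 ranges listed above."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETWORKS)


def suspicious_connections(log: str) -> List[Dict[str, str]]:
    """Connections from Daemon Tools processes to non-allowlisted, non-local destinations."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        rec = m.groupdict()
        if not is_daemon_tools(rec["image"]):
            continue  # other processes are out of scope for this check
        if rec["dns"] in EXPECTED_DESTINATIONS:
            continue  # expected updater traffic
        if is_local(rec["ip"]):
            continue  # internal traffic, reviewed separately
        findings.append({
            "host": rec["host"],
            "image": rec["image"],
            "dst": f"{rec['ip']}:{rec['port']}",
            "dns": rec["dns"] or "",
        })
    return findings


def hosts_by_destination(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged hosts by destination IP: one unknown endpoint contacted
    by many hosts is the shape a beacon from a backdoored update leaves."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["dst"].split(":")[0]].add(f["host"])
    return {ip: sorted(hosts) for ip, hosts in grouped.items()}


if __name__ == "__main__":
    hits = suspicious_connections(SAMPLE_LOG)
    for ip, hosts in hosts_by_destination(hits).items():
        print(f"{ip} contacted by Daemon Tools processes on {len(hosts)} host(s): {', '.join(hosts)}")
```

The allowlist is deliberately small and explicit: a signed binary that starts contacting a destination outside the vendor's known endpoints is exactly the behavioral signal the section says signature-based tools miss, and grouping by destination turns individual events into a lead that can be escalated.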

Conclusion: A Wake-Up Call for Software Supply Chains

The Daemon Tools incident is a stark reminder that even trusted software vendors can be turned into attack vectors. With signed updates, attackers can bypass many layers of defense. Users must stay vigilant, promptly apply updates from trusted sources, and employ endpoint detection tools that look for anomalous behavior rather than relying solely on signature-based detection. As supply-chain attacks become more sophisticated, awareness and proactive security hygiene are our best defenses.