Daemon Tools Users Urged to Update After Month-Long Supply Chain Attack Delivers Malicious Updates
Breaking: Daemon Tools Backdoored in Ongoing Supply Chain Attack
A critical supply chain attack has compromised the widely used disk imaging software Daemon Tools, security researchers at Kaspersky announced Tuesday. The attack began on April 8 and remains active, with malicious updates signed by the developer's official digital certificate being pushed to users via the official website.
"This is a sophisticated attack that leverages the trust users place in legitimate software updates," said a Kaspersky researcher. "The malware is executed at boot time, making it particularly hard to detect." Thousands of machines across more than 100 countries have been targeted, though only about 12 have received a second-stage payload.
Infected Versions and Payload Details
Affected versions include Daemon Tools 12.5.0.2421 through 12.5.0.2434. The infection appears to be limited to Windows systems. The initial payload collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales, sending them to an attacker-controlled server.
Kaspersky noted that the second-stage payload, deployed to a select group of retail, scientific, government, and manufacturing organizations, suggests a targeted espionage campaign. Neither Kaspersky nor developer AVB could be reached for additional comments.
Background
Daemon Tools is widely used for mounting disk images, with millions of downloads. Supply chain attacks, where attackers compromise the software distribution pipeline, are increasingly common. Past incidents include the SolarWinds and Kaseya attacks.
This attack is notable for its use of a stolen or compromised certificate, making the malicious files appear legitimate. Users who downloaded Daemon Tools after April 8 are at risk.
What This Means
Users should immediately check their Daemon Tools version and update to the latest secure build if available. Organizations should verify the integrity of their software downloads and consider using endpoint detection tools to scan for the specific payload indicators.
The attack underscores the need for software vendors to implement stronger code-signing protections and for users to exercise caution even with signed updates. As supply chain attacks grow more sophisticated, proactive monitoring and incident response plans are essential.
Related Articles
- Deep Dive: Why a recent supply-chain attack singled out security firms Checkm...
- Navigating the AI Era: Insights from ThoughtWorks' 34th Technology Radar
- 10 Key Insights from Thoughtworks' 34th Technology Radar
- 5 Key Revelations from Samsung's Galaxy Glasses One UI Support Leak
- How to Automate ServiceNow Configuration with Platform Copilot: A Step-by-Step Guide
- Kubernetes v1.36 Haru: Spring Release Brings 70 Enhancements, Clear Skies for Cloud Native
- How to Launch a US-Regulated Stablecoin Using Anchorage Digital and M0's Modular Issuance Stack
- Wine 11.8 Debuts with Critical VBScript Fix and Long-Awaited Microsoft Golf 1999 Support