Daemon Tools Supply-Chain Attack: Key Questions Answered

In a sophisticated supply-chain attack that lasted over a month, the popular disk-mounting utility Daemon Tools was secretly backdoored by threat actors. Researchers from Kaspersky uncovered the compromise, which involved signed malicious updates pushed from the developer's own servers. The attack targeted Windows users, infecting thousands of machines across more than 100 countries, with a small number of high-value victims receiving additional malicious payloads. Below, we answer the most pressing questions about this security incident.

What exactly happened to Daemon Tools?

Daemon Tools, a widely used application for mounting disk images, was compromised in a supply-chain attack that began on April 8 and remained active until the time of disclosure. The attackers injected malware into the official installers hosted on the developer's website. These installers bore the developer's valid digital signature, making them appear legitimate. When users downloaded and ran the installer, the malware would execute at system boot, giving the attackers persistent access to the infected machine.

Daemon Tools Supply-Chain Attack: Key Questions Answered
Source: feeds.arstechnica.com

How long did the attack last and how many versions were affected?

The attack spanned approximately one month. According to Kaspersky, the backdoored versions included Daemon Tools versions 12.5.0.2421 through 12.5.0.2434. This means any user who installed or updated the software within that range during the compromise window could have been affected. The malware was present in the official downloads, making it a classic supply-chain scenario.

How were the attackers able to compromise the software?

The attackers gained access to the developer's infrastructure and replaced the legitimate installers with trojanized versions. Because the modified installers were signed with the developer's official digital certificate, they bypassed many standard security checks. The malware was then executed with the same privileges as the legitimate software. This type of attack is particularly insidious because users trust signed software and security tools often treat signed files as safe.

What kind of data did the malware collect?

The initial payload on the infected machines was designed to harvest system information. It collected MAC addresses, hostnames, DNS domain names, a list of running processes, installed software, and system locales. This reconnaissance data was sent to an attacker-controlled command-and-control server. The attackers used this information to decide which victims warranted further exploitation.

How many machines were affected and in which countries?

Kaspersky reported that thousands of machines in more than 100 countries were infected by the backdoored Daemon Tools installer. The global scope underscores the reach of the supply-chain attack. However, not all infected machines received the same treatment; the attackers selectively deployed a second-stage payload to only about 12 of the infected systems.

What were the follow-up attacks and who was targeted?

After the initial reconnaissance, the attackers delivered a second-stage payload to approximately 12 machines belonging to organizations in the retail, scientific, government, and manufacturing sectors. This indicates a highly targeted approach, suggesting the attackers were after specific intellectual property or sensitive data. The small number of victims receiving the second payload implies a careful selection process based on the harvested information.

Why is this supply-chain attack hard to defend against?

Supply-chain attacks like this one are difficult to detect because the malicious code is signed by a trusted developer. Traditional antivirus and endpoint protection may not flag signed executables. Moreover, the malware runs at boot time, embedding itself deeply in the system. Users have no easy way to distinguish the infected installer from the genuine one. The only mitigation is for organizations to monitor for unusual network traffic and to validate the integrity of downloaded software through multiple channels.
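A practical first step for a defender is scoping: checking an endpoint software inventory against the version range Kaspersky reported (12.5.0.2421 through 12.5.0.2434). The script below is an added example, not code from the article or from Kaspersky; the inventory records, hostnames and product edition names are constructed, and the range is treated as inclusive at both ends. It compares versions numerically rather than as strings, which matters because a plain string comparison misorders "12.5.0.243" relative to "12.5.0.2421".

```python
"""Triage a software inventory for the backdoored Daemon Tools version range.

Added example (not from the article). Flags hosts whose inventory lists
Daemon Tools at a version inside the range reported as trojanized,
12.5.0.2421 through 12.5.0.2434 (assumed inclusive). Versions are compared
segment by segment as integers, so "12.5.0.243" sorts below "12.5.0.2421"
instead of above it as a string comparison would place it.
"""
from typing import Iterable, List, Tuple

AFFECTED_LOW = "12.5.0.2421"   # first trojanized build per the article
AFFECTED_HIGH = "12.5.0.2434"  # last trojanized build per the article


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints for correct ordering."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if the version falls inside the reported range (inclusive)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def triage_inventory(inventory: Iterable[dict]) -> List[str]:
    """Return hostnames that need review: affected versions and unparseable ones."""
    hits = []
    for record in inventory:
        if "daemon tools" not in record["product"].lower():
            continue  # other products are out of scope for this check
        try:
            if is_affected_version(record["version"]):
                hits.append(record["host"])
        except ValueError:
            # A malformed version should be surfaced, never silently treated as safe.
            hits.append(f"{record['host']} (unparseable version {record['version']!r})")
    return hits


# Constructed sample inventory: hostnames and edition names are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "ws-0142", "product": "DAEMON Tools Lite", "version": "12.5.0.2421"},
    {"host": "ws-0187", "product": "DAEMON Tools Lite", "version": "12.5.0.2420"},
    {"host": "ws-0203", "product": "DAEMON Tools Lite", "version": "12.5.0.2434"},
    {"host": "ws-0211", "product": "DAEMON Tools Lite", "version": "12.5.0.2435"},
    {"host": "ws-0250", "product": "7-Zip", "version": "12.5.0.2430"},
    {"host": "ws-0266", "product": "DAEMON Tools Ultra", "version": "12.5.0.243"},
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print("REVIEW:", host)
```

A version match only scopes the exposure; because the installers carried a valid developer signature, a hit should be followed by checking the installer's hash against a value obtained through a second, independent channel rather than by trusting the signature.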
