Quick Facts
- Category: Technology
- Published: 2026-05-06 13:47:00
Overview of the Attack
In a significant supply chain compromise that spanned over a month, the popular disk imaging utility Daemon Tools was weaponized to deliver malware to unsuspecting users. Security researchers at Kaspersky uncovered the attack, which began on April 8 and remained active as of their report. The threat was particularly insidious because it leveraged the developer's own official digital certificates to sign malicious installers, making them appear legitimate. This attack highlights a growing trend where cybercriminals target software update mechanisms to distribute backdoors to a wide audience.

Timeline and Scope
According to Kaspersky's findings, the supply chain attack ran for at least four weeks. During this period, any user who downloaded Daemon Tools from the official website received a tampered installer. The malicious versions were signed with the developer's genuine certificate, so antivirus tools and signature checks would not flag them. The infected builds ranged from version 12.5.0.2421 to 12.5.0.2434. The attack primarily affected Windows systems; the extent of impact on other platforms was not disclosed. Thousands of computers across more than 100 countries were infected, but the most concerning aspect was the follow-up targeting of just 12 machines belonging to high-value organizations in the retail, scientific, government, and manufacturing sectors.
How the Backdoor Works
Initial Payload and Data Harvesting
Once installed, the compromised Daemon Tools executable triggers a first-stage payload at system boot. This initial malware collects a wide range of system information, including MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. The gathered data is then sent to an attacker-controlled command-and-control (C2) server. This reconnaissance phase allows the attackers to profile each compromised machine and decide whether to escalate the attack.
Targeted Follow-Up Payload
Out of the thousands of infected systems, only about 12 machines received a second-stage payload. This selective delivery indicates a carefully orchestrated campaign aimed at specific targets. The follow-up malware likely provides remote access, data exfiltration, or persistent control. The organizations targeted—retail, scientific, government, and manufacturing—suggest the attackers were looking for intellectual property, financial data, or strategic intelligence. Kaspersky did not detail the exact capabilities of the second-stage payload, but the pattern points to a highly targeted supply chain attack rather than a broad, opportunistic one.
Affected Versions
Daemon Tools users should immediately check their version numbers. The compromised versions are:
- 12.5.0.2421
- 12.5.0.2422 through 12.5.0.2434 (all intermediate builds are affected)
If you are running any of these versions, your system may be infected. It is strongly advised to remove the software and scan your machine with up-to-date security tools. For remediation steps, see the recommendations below.

Recommendations for Users
To mitigate the risk from this supply chain attack, follow these steps:
- Identify your version: Open Daemon Tools, go to Help > About and note the version number. Compare with the list of affected versions above.
- Uninstall the software: If you are using an affected version, uninstall Daemon Tools immediately via Control Panel or Settings.
- Run a full system scan: Use a reputable antivirus or antimalware tool (like Kaspersky, Malwarebytes, or Microsoft Defender) to check for remnants of the malware.
- Monitor network traffic: Look for unexpected outbound connections to unknown servers, which may indicate the C2 communication.
- Update to a patched version: Check the official Daemon Tools website for a clean release after the attack window. Only download software directly from the developer, and verify digital signatures when possible.
- Be cautious of signed installers: A valid digital signature does not guarantee safety, as this attack demonstrates. Practice defense-in-depth.
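The affected-version list above and the recommendation to watch for unexpected outbound connections both lend themselves to a scripted triage across an inventory rather than a manual Help > About check on each machine. The following Python script is an added example, not code from the article or from the Daemon Tools project. The only page-derived values are the compromised build range 12.5.0.2421 through 12.5.0.2434; the inventory records, the process name, the connection-log format, the destinations, and the allowlist are constructed sample data and hypothetical placeholders that a defender would replace with their own environment's values. Versions are compared as integer tuples rather than strings, so that a build such as 12.5.0.243 does not lexically sort above 12.5.0.2421, and blank or malformed version fields are surfaced rather than silently skipped. Because the article publishes no C2 indicators, the egress check is allowlist-based: any destination the process contacts that is not on the confirmed-legitimate list is flagged for human review.

```python
"""Triage helper for the Daemon Tools supply chain compromise described above.

Added example, not code from the article or from the Daemon Tools project.
Page-derived facts: the affected range 12.5.0.2421 .. 12.5.0.2434.
Everything else (inventory records, process name, log format, destinations,
allowlist) is constructed sample data or a hypothetical placeholder.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Range of compromised builds as reported in the article (inclusive both ends).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

_VERSION_RE = re.compile(r"^\d+(\.\d+){0,3}$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Parse a dotted Windows-style version string into a 4-tuple of ints.

    Tuples compare numerically, so "12.5.0.243" correctly sorts below
    "12.5.0.2421" (a plain string comparison would get that wrong).
    Missing trailing components are treated as 0; anything that is not a
    dotted number raises ValueError so the caller can report it.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts)  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True if the version lies inside the reported compromised build range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


def triage_inventory(records: list[dict]) -> list[Finding]:
    """Flag hosts whose installed Daemon Tools build is in the affected range.

    Each record is {"host", "product", "version"}. Unreadable versions are
    reported, not skipped: a blank field is where inventory tooling failed.
    """
    findings = []
    for rec in records:
        if "daemon tools" not in rec.get("product", "").lower():
            continue
        try:
            if is_affected(rec["version"]):
                findings.append(Finding(rec["host"], f"affected build {rec['version']}"))
        except ValueError:
            findings.append(Finding(rec["host"], f"version unreadable: {rec['version']!r}"))
    return findings


# Constructed log format: "<host> <process> <destination>:<port>" per line.
_CONN_RE = re.compile(r"^(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dst>[\w.\-]+):(?P<port>\d+)$")


def flag_unexpected_egress(log_lines: list[str], allowlist: set[str]) -> list[Finding]:
    """Report outbound connections whose destination is not allowlisted.

    The article gives no C2 indicators, so this is allowlist-based: anything
    the process talks to that is not a confirmed-legitimate host is surfaced.
    """
    findings = []
    for line in log_lines:
        m = _CONN_RE.match(line.strip())
        if m and m["dst"].lower() not in allowlist:
            findings.append(Finding(m["host"], f"{m['proc']} -> {m['dst']}:{m['port']} not allowlisted"))
    return findings


# Constructed sample data: hostnames, process name and destinations are placeholders.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "DAEMON Tools Lite", "version": "12.5.0.2421"},
    {"host": "ws-02", "product": "DAEMON Tools Lite", "version": "12.5.0.2420"},
    {"host": "ws-03", "product": "DAEMON Tools Lite", "version": "12.5.0.2434"},
    {"host": "ws-04", "product": "DAEMON Tools Lite", "version": "12.5.0.2435"},
    {"host": "ws-05", "product": "DAEMON Tools Lite", "version": ""},
    {"host": "ws-06", "product": "7-Zip", "version": "12.5.0.2430"},
]
SAMPLE_CONNECTIONS = [
    "ws-01 dt-example.exe updates.example-vendor.test:443",
    "ws-01 dt-example.exe 203.0.113.7:8443",
    "ws-03 dt-example.exe cdn.example-vendor.test:443",
]
# Hypothetical allowlist of destinations the defender has confirmed as legitimate.
SAMPLE_ALLOWLIST = {"updates.example-vendor.test", "cdn.example-vendor.test"}

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY) + flag_unexpected_egress(SAMPLE_CONNECTIONS, SAMPLE_ALLOWLIST):
        print(f"{f.host}: {f.reason}")
```

Run against the constructed sample, the script flags ws-01 and ws-03 as running affected builds, reports ws-05 for an unreadable version field, ignores the unrelated 7-Zip record, and surfaces the single connection to a destination outside the allowlist. In a real deployment the inventory would come from the endpoint management or software inventory system and the connection lines from the proxy or EDR telemetry already collected.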
Conclusion
The Daemon Tools supply chain attack is a stark reminder that even widely trusted software can become a vector for malware. By compromising the update pipeline, attackers gained access to thousands of systems with minimal effort. The combination of official digital signatures and a month-long presence makes this attack particularly dangerous and difficult to detect. Users of Daemon Tools must remain vigilant, verify software sources, and apply security updates promptly. As supply chain attacks become more common, the security community emphasizes that trust must be combined with verification. For ongoing coverage of this threat, check back with major security blogs and vendor advisories.