Supply-Chain Attack on Daemon Tools: A Month-Long Compromise Exposed

In a sophisticated supply-chain attack discovered by Kaspersky researchers, the popular disk imaging tool Daemon Tools was backdoored for over a month. The compromise began on April 8 and remained active until the disclosure, pushing malicious updates signed with the developer's official certificate to users. The affected versions (12.5.0.2421 through 12.5.0.2434) on Windows systems downloaded malware that collected system data and, in some cases, delivered a second-stage payload to select high-value targets. Below, we explore the key details of this attack in a Q&A format.

1. What is Daemon Tools and why was it targeted in this attack?

Daemon Tools is a widely used utility for mounting disk images (ISO, IMG, etc.) on Windows. Its popularity makes it an ideal vector for a supply-chain attack: by compromising the software's official update mechanism, attackers can silently infect thousands of machines that trust the developer's signature. In this case, the attackers gained access to AVB's (the developer's) distribution servers or signing infrastructure, allowing them to replace legitimate installers with backdoored versions that executed malicious code during installation. This approach bypasses traditional security checks because the files appear genuine.

Supply-Chain Attack on Daemon Tools: A Month-Long Compromise Exposed
Source: feeds.arstechnica.com

2. How exactly did the supply-chain attack work?

The attack started on April 8 when malicious updates were pushed from AVB's official servers. Users who downloaded or updated Daemon Tools from the developer's website received an installer signed with the authentic digital certificate. This installer then infected the Daemon Tools executable on the system, ensuring the malware would run at every boot. The malware did not immediately cause harm; instead, it first collected system information and sent it to an attacker-controlled server. This allowed the attackers to identify and later target specific organizations with a follow-on payload. The compromise remained active for more than a month before Kaspersky disclosed it.

3. Which versions of Daemon Tools were affected by the backdoor?

Only Windows versions of Daemon Tools were compromised, specifically versions 12.5.0.2421 through 12.5.0.2434. Users running these versions during the attack window (from April 8 until the disclosure) were potentially infected. The attackers did not target macOS or Linux releases. If you are unsure which version you have, you can check the version number in the application's About dialog. To be safe, users should update to the latest version released after the compromise was patched. The developer, AVB, likely released a clean update after being notified by Kaspersky.

4. What kind of data did the malware steal from infected machines?

The initial payload collected a wide range of system information to profile each infected machine. This included MAC addresses (unique hardware identifiers), hostnames, DNS domain names, a list of running processes, installed software, and system locales (language/region settings). All of this data was encrypted and sent to the attacker's server. The purpose was to identify valuable targets, most likely organizations of high intelligence value, for follow-up exploitation. The malware did not immediately encrypt files or demand ransom; it acted as a reconnaissance tool.

5. How many users were affected and who were the ultimate targets?

Thousands of machines across more than 100 countries were infected by the initial payload. However, only a small subset—approximately 12 machines belonging to sectors like retail, scientific research, government, and manufacturing—received the second-stage payload. This indicates a highly targeted operation: the attackers used the data from the first stage to hand-pick victims that met specific criteria. The small number of follow-on infections suggests the goal was not mass disruption but rather espionage or theft of sensitive data from specific organizations. Most infected users likely went unnoticed, as the first-stage malware did not exhibit obvious malicious behavior.


6. What was the purpose of the follow-on payload delivered to select machines?

Kaspersky reported that about 12 machines received a second-stage payload after the initial reconnaissance. Although the researchers did not provide full details, such follow-on payloads typically contain more dangerous capabilities: remote access trojans (RATs), keyloggers, data exfiltration tools, or lateral movement utilities. Given the targeted sectors (government, manufacturing, etc.), the attackers were likely gathering intellectual property, credentials, or operational secrets. The supply-chain attack allowed them to bypass perimeter defenses and directly implant a persistent backdoor inside trusted software. This highlights why supply-chain attacks are so dangerous—they can remain undetected for long periods.

7. How can users and organizations defend against supply-chain attacks like this one?

Defending against supply-chain attacks requires a multi-layered approach. First, always keep software up to date, but verify that updates come from official sources. Use endpoint detection and response (EDR) tools that can flag anomalous behavior even from signed executables. Implement application whitelisting to block unsigned or unauthorized software. For organizations, segment networks so that even if one machine is compromised, lateral movement is limited. Regularly audit software supply chains and enforce code signing with hardware security modules. Finally, monitor for unusual outbound traffic: the initial Daemon Tools malware contacted an attacker-controlled server, which could be detected by network analysis. While no defense is perfect, these measures reduce the risk of falling victim to similar compromises.
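As an added example that is not part of the article or of any AVB or Kaspersky tooling, the following Python triage helpers implement two checks described above: the affected-version test from question 3 (the 12.5.0.2421 through 12.5.0.2434 range is the article's) and the outbound-traffic review from question 7. The process name, the allowed update host and the log lines are constructed placeholders, since the article names none of them.

```python
"""Triage helpers for the Daemon Tools compromise (added example, not vendor code).
Affected build range is taken from the article; everything else is a placeholder."""

AFFECTED_LOW = (12, 5, 0, 2421)   # first backdoored build (from the article)
AFFECTED_HIGH = (12, 5, 0, 2434)  # last backdoored build (from the article)


def parse_version(text: str) -> tuple[int, ...]:
    """'12.5.0.2430' -> (12, 5, 0, 2430); reject anything that is not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build falls inside the inclusive affected window.
    Comparing integer tuples avoids the string-compare trap
    ('12.5.0.999' sorts after '12.5.0.2434' as text but is an older build)."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


# Constructed firewall/EDR-style export: "<process> <destination_host> <destination_port>"
SAMPLE_CONNECTIONS = """\
dtools_placeholder.exe update.vendor-placeholder.invalid 443
dtools_placeholder.exe 203.0.113.7 443
chrome.exe www.example.org 443
dtools_placeholder.exe 198.51.100.22 8080
"""

# Placeholder: the tool's process name and the update host(s) it is expected to reach.
# Replace both with values taken from your own software inventory.
TOOL_PROCESSES = {"dtools_placeholder.exe"}
EXPECTED_HOSTS = {"update.vendor-placeholder.invalid"}


def suspicious_connections(log: str) -> list[tuple[str, str, int]]:
    """Return (process, host, port) for every tool connection to a host outside the allow-list.
    A signed binary reaching an unexpected host is exactly the signal the article says
    network monitoring could have caught."""
    hits: list[tuple[str, str, int]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        proc, host, port = line.split()
        if proc.lower() in TOOL_PROCESSES and host not in EXPECTED_HOSTS:
            hits.append((proc, host, int(port)))
    return hits
```

Feed `is_affected` the version shown in the About dialog and `suspicious_connections` a real connection export to reproduce both checks on a live system.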
