Daemon Tools Supply‑Chain Attack Compromises Versions 12.5.0.2421‑2434
A month‑long supply‑chain breach infected Daemon Tools installers, affecting thousands of Windows PCs in over 100 countries. Learn the impact and mitigations.

*TL;DR: Daemon Tools versions 12.5.0.2421‑2434 were backdoored in a month‑long supply‑chain attack, compromising thousands of Windows machines across more than 100 nations.*
Context
Daemon Tools, a popular disk‑image mounting utility, delivers updates through digitally signed installers from its official website. Between April 8 and early May, attackers hijacked this update channel and inserted a boot‑time backdoor into the installers for the versions listed above. The malicious code runs on Windows, collects system identifiers and configuration data, and reports them to a remote server.
Key Facts
- The compromised range spans versions 12.5.0.2421 through 12.5.0.2434.
- Infected installers are signed with the developer’s legitimate certificate, making detection by conventional anti‑virus tools difficult.
- Kaspersky researchers label the operation a “highly sophisticated supply‑chain attack” and note a detection window of roughly one month, comparable to the 2023 3CX breach.
- Data exfiltrated includes MAC addresses, hostnames, DNS domains, running processes, installed software, and system locale.
- Over 1,000 machines in more than 100 countries received the initial payload; about a dozen systems in retail, scientific, government, and manufacturing sectors later received a second‑stage payload, indicating selective targeting.
- The incident follows a pattern of supply‑chain compromises such as CCleaner (2017), SolarWinds (2020), and 3CX (2023), where trusted update mechanisms become infection vectors.
What It Means
Organizations that installed or updated Daemon Tools during the affected window should assume compromise until proven otherwise. The backdoor’s system inventory (adapters, hostnames, domains, processes, installed software) is exactly what an operator needs to decide which hosts are worth a second‑stage payload, so any machine that received the first stage is a potential foothold, and the dozen that received the follow‑on payload should be treated as active intrusions. Because the installers carry the vendor’s valid code signature, controls that trust signed binaries (application allow‑listing, anti‑virus reputation, signature‑only scanning) will not flag them on their own, which puts the weight on behavior‑based monitoring of what the installed software does at boot and on the network.
Mitigations
1. Remove affected versions – Uninstall Daemon Tools versions 12.5.0.2421‑2434 and reinstall the latest clean release obtained directly from the developer.
2. Verify signatures – Validate the publisher’s certificate chain with an online revocation check. Note the limit of this step: the malicious installers were signed with the developer’s own certificate, so a signature that validates today proves only who signed the file, not that it is clean. A revoked certificate or a mismatch against hashes the developer publishes for clean builds is the useful result.
3. Monitor for Indicators of Compromise (IOCs) – Look for outbound connections from Daemon Tools processes to servers that are not the developer’s update infrastructure, for processes enumerating network adapters and host details at startup, and for unexpected processes launching at boot.
4. Apply network segmentation – Limit Daemon Tools’ network access to the update servers it actually needs; a disk‑image mounting tool has no reason to reach arbitrary external hosts.
5. Update detection rules – Map detections to MITRE ATT&CK T1027 (Obfuscated Files or Information) and T1059 (Command and Scripting Interpreter) and tune them to the observed payload behavior; ATT&CK entries describe techniques, so the rules themselves still have to be written for your EDR or SIEM.
6. Conduct a forensic review – Examine logs from April 8 onward for anomalous activity on any machine that had Daemon Tools installed.
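The following PowerShell triage script is an added example covering steps 1 to 3 above; it is not code from the article or from the Daemon Tools developer. It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName containing "DAEMON Tools" and that the InstallLocation value from that key is where its executables live; both are assumptions, as is the placeholder installer path. The version range is the one the article reports.

```powershell
# Added triage script for the mitigation steps above. It is not code from the
# article or from the Daemon Tools developer. Assumptions, because the article
# does not state them: the product registers under the standard Uninstall keys
# with a DisplayName containing "DAEMON Tools", and InstallLocation from that
# key is where its executables live. The version range comes from the article.
$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'

# Step 1: find installed copies and flag any whose version is in the affected range.
function Get-DaemonToolsInstall {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        ForEach-Object {
            $v = $null
            $inRange = $false
            if ([version]::TryParse([string]$_.DisplayVersion, [ref]$v)) {
                $inRange = ($v -ge $AffectedMin) -and ($v -le $AffectedMax)
            }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                InstallLocation = $_.InstallLocation
                InAffectedRange = $inRange
            }
        }
}

# Step 2: check the Authenticode signature of a cached installer and force an
# online revocation check. Status = Valid proves only that the vendor's key
# signed the file; the compromised installers were signed with that same key,
# so the decisive results are Revoked = True (once the vendor revokes the
# certificate) or a SHA-256 that does not match a hash the vendor publishes
# for a clean build.
function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path        = $Path
        Sha256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Status      = $sig.Status
        Signer      = $null
        Revoked     = $null
        ChainStatus = $null
    }
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Get-AuthenticodeSignature exposes no revocation-mode switch, so rebuild
        # the chain with X509Chain and an online CRL/OCSP check.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($sig.SignerCertificate)
        $revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { ($_.Status -band $revokedFlag) -ne 0 })
    }
    [pscustomobject]$result
}

# Step 3: list established outbound TCP connections owned by processes running
# from the install directory, for comparison against the destinations you expect.
function Get-DaemonToolsNetworkActivity {
    param([string]$InstallLocation)
    if (-not $InstallLocation) { return }
    Get-Process | Where-Object { $_.Path -and $_.Path -like "$InstallLocation*" } | ForEach-Object {
        $p = $_
        Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Process'; e = { $p.Path } }, RemoteAddress, RemotePort
    }
}

$installs = Get-DaemonToolsInstall
$installs | Format-Table -AutoSize
foreach ($i in ($installs | Where-Object InAffectedRange)) {
    Write-Warning "$($i.DisplayName) $($i.DisplayVersion) is in the affected range; treat this host as suspect."
    Get-DaemonToolsNetworkActivity -InstallLocation $i.InstallLocation | Format-Table -AutoSize
}
# Test-InstallerSignature -Path 'C:\path\to\cached-installer.exe'   # placeholder path, assumption
```

Run it elevated so the HKLM keys and every process's Path are readable. If the revocation check cannot reach the CA, ChainStatus will contain RevocationStatusUnknown or OfflineRevocation rather than Revoked; that is an inconclusive result, not a clean one. A connection list that shows a Daemon Tools process talking to anything other than the developer's update hosts is the behavioral signal the article's IOC guidance is pointing at.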
What to Watch Next Security teams should track any new updates from the developer for additional signatures and watch for reports of secondary payloads targeting specific industry sectors.