
Daemon Tools Update Servers Hijacked in Month-Long Supply‑Chain Attack

Compromised Daemon Tools installers spread malware to thousands of Windows PCs worldwide, with selective follow‑on payloads targeting high‑value sectors.

Peter Olaleru, Cybersecurity Editor

Source: BleepingComputer

Daemon Tools update servers were hijacked on April 8, delivering backdoored Windows installers that infected thousands of machines in over 100 countries; a small subset received a second‑stage payload.

Context

Daemon Tools, a popular disk‑image mounting utility, distributes updates signed with the developer's own digital certificate. Attackers compromised the developer's update infrastructure, allowing malicious binaries to appear as legitimate releases. According to Kaspersky's analysis, the breach remained active for at least a month.

Key Facts

- The supply‑chain compromise affected Daemon Tools versions 12.5.0.2421 through 12.5.0.2434, all Windows‑only builds.
- The backdoored installers ran a payload at system startup that harvested MAC addresses, hostnames, DNS domains, running processes, installed software, and system locale settings, then exfiltrated the data to attacker‑controlled servers.
- Over 1,000 machines across more than 100 countries reported the initial infection. Approximately 12 systems belonging to retail, scientific, government, and manufacturing entities received a follow‑on payload, indicating selective targeting based on the harvested reconnaissance data.
- Kaspersky described the operation as “highly sophisticated,” noting that the month‑long dwell time mirrors previous supply‑chain incidents such as the 2023 3CX compromise.
- Neither the developer (AVB) nor Kaspersky had commented further at the time of reporting.

What It Means

Supply‑chain attacks bypass traditional defenses because users install signed updates from trusted sources. The Daemon Tools case reinforces the difficulty of detecting malicious code that is indistinguishable from legitimate software until behavioral anomalies surface. Organizations that rely on Daemon Tools must assume that any Windows host running the affected versions may have been compromised, and that attackers can later deliver additional payloads to high‑value targets selected from the initial reconnaissance.

Mitigations

- Immediately uninstall Daemon Tools versions 12.5.0.2421 through 12.5.0.2434. Because the vendor's own update channel was the compromised distribution point, obtain a replacement only after the vendor has confirmed its infrastructure is clean, and verify the download against a hash the vendor publishes out of band rather than trusting the updater alone.
- Apply the latest patches from the vendor; if none are available, consider an alternative mounting tool (Windows 8 and later can mount ISO images natively).
- Deploy endpoint detection rules for MITRE ATT&CK technique T1082 (System Information Discovery) and T1041 (Exfiltration Over Command and Control Channel), scoped to hosts where the affected installers ran, to spot the initial data‑stealing payload.
- Review network logs for outbound connections from those hosts to unknown domains, starting from the installer's execution time, and compare them with the exfiltration pattern described in Kaspersky's report.
- Conduct a forensic scan on any system that installed the compromised versions after April 8. Prioritize retail, scientific, government, and manufacturing environments, where the second‑stage payload was observed, since those hosts may carry indicators the rest of the population does not.
- Harden update pipelines: keep signing keys off build hosts and in hardware‑backed storage, enable multi‑factor authentication for build and release servers, monitor for unauthorized certificate use, and publish release hashes so customers can verify independently. Note that code‑signing verification on the client side protects only against binaries the attacker could not sign; if the backdoored installers carried a valid vendor signature, signature checks alone would not have caught them.
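To operationalize the client‑side steps above across a Windows fleet, here is an added PowerShell example. It is not from the BleepingComputer or Kaspersky reporting and is not a vendor tool. It inventories Daemon Tools installations through the standard Uninstall registry keys, flags the version range reported in the article, and records the Authenticode signer and SHA‑256 of a candidate replacement installer so the hash can be compared with a vendor‑published value. The registry DisplayName pattern "DAEMON Tools", the assumption that the product registers under the standard Uninstall keys, and the function names are assumptions; the version bounds are the ones reported above.

```powershell
# Added example (not vendor code, not from the original reporting).
# Assumption: Daemon Tools registers under the standard Uninstall keys with a
# DisplayName containing "DAEMON Tools" and a four-part DisplayVersion.

$AffectedMin = [version]'12.5.0.2421'   # version range reported as backdoored
$AffectedMax = [version]'12.5.0.2434'

function Test-AffectedDaemonToolsVersion {
    # Returns $true when the build falls inside the reported range, $false when it
    # does not, and $null when the version string cannot be parsed (do not treat
    # an unparseable version as safe; investigate it).
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) { return $null }
    return ($v -ge $AffectedMin -and $v -le $AffectedMax)
}

function Get-DaemonToolsInstall {
    # Both registry views matter: a 32-bit installer on 64-bit Windows registers
    # under WOW6432Node, and per-user installs live under HKCU.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -and $p.DisplayName -like '*DAEMON Tools*') {
                $affected = $null
                if ($p.DisplayVersion) {
                    $affected = Test-AffectedDaemonToolsVersion $p.DisplayVersion
                }
                [pscustomobject]@{
                    ComputerName   = $env:COMPUTERNAME
                    DisplayName    = $p.DisplayName
                    DisplayVersion = $p.DisplayVersion
                    InstallDate    = $p.InstallDate     # yyyyMMdd string when present; compare with the April 8 cutoff
                    InstallPath    = $p.InstallLocation
                    Affected       = $affected          # $true / $false / $null (unparseable)
                    RegistryKey    = $_.PSPath
                }
            }
        }
    }
}

function Test-ReplacementInstaller {
    # Records the Authenticode status, signer and SHA-256 of a replacement binary.
    # A valid signature alone does not prove the build is clean, because the
    # compromised channel may have served validly signed binaries; compare the hash
    # with a value the vendor publishes out of band before installing.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                       # Valid / NotSigned / HashMismatch / ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
        SHA256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Usage: run locally, or wrap Get-DaemonToolsInstall in Invoke-Command for a fleet,
# and keep the output as the starting point for the forensic and network review.
Get-DaemonToolsInstall | Format-Table -AutoSize
```

Hosts where `Affected` is `$true` or `$null` go onto the forensic and network‑review list; the `InstallDate` column lets you apply the April 8 cutoff, but treat it as a hint only, since an installer run after that date may not update the value.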

Looking Ahead

Watch for threat‑intel updates on the command‑and‑control infrastructure used in this campaign and for any new variants targeting other software distribution channels.
