Skip to content
Tech News
← Back to articles

Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack

2026-05-05 | original
read original get Daemon Tools Ultra → more articles
Why This Matters

The recent supply-chain attack on Daemon Tools highlights the increasing sophistication and danger of malware infiltrations through trusted software updates. This incident underscores the importance for both developers and consumers to remain vigilant, as even digitally signed updates can be compromised, posing significant security risks across industries and personal devices.

Key Takeaways

Daemon Tools, a widely used app for mounting disk images, has been backdoored in a monthlong compromise that has pushed malicious updates from the servers of its developer, researchers said Tuesday.

Kaspersky, the security firm reporting the supply-chain attack, said it began on April 8 and remained active as of the time its post went live. Installers that are signed by the developer’s official digital certificate and downloaded from its website infect Daemon Tools executables, causing the malware to run at boot time. Kaspersky didn’t explicitly say so, but based on technical details, the infected versions appear to be only those that run on Windows. Versions 12.5.0.2421 through 12.5.0.2434 are affected. Neither Kaspersky nor developer AVB could be contacted immediately for additional details.

Hard to defend against

Infected versions contain an initial payload that collects MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. The malware sends them to an attacker-controlled server. Thousands of machines in more than 100 countries were targeted. Out of the many machines infected, about 12 of them, belonging to retail, scientific, government and manufacturing organizations, have received a follow-on payload—and indication the supply-chain attack targets select groups.

The incident is only the latest supply-chain attack. Other such attacks include the poisoning of the CCleaner Windows utility in 2017, the Solar Winds app management software for enterprises in 2020, and 3CX VoIP client in 2023. Such attacks are hard to defend against because users are infected when they do nothing more than install digitally signed updates available through official channels. In all three cases it took weeks or months before the compromised update distribution channels were discovered.

“Based on our long-term experience of analyzing supply chain attacks, we can conclude that attackers orchestrated the DAEMON Tools compromise in a highly sophisticated manner,” Kaspersky researchers wrote. “For example, the time it took to detect this attack, which turned out to be about one month, is comparable to the 3CX supply chain attack which we researched together with the cybersecurity community in 2023. Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had DAEMON Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8.”

Explore topics: daemon tools supply-chain attack kaspersky windows backdoor
Related:
Xbox is ditching Microsoft's Copilot AI
These 5 critical Windows Defender settings are off by default - turn them on ASAP
DAEMON Tools trojanized in supply-chain attack to deploy backdoor
Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack
Trojan abuses Microsoft Phone Link app to steal your passwords

© 2026 GoKawiil

About | Editorial Policy | Contact