Daemon Tools Supply-Chain Attack: Questions and Answers


Daemon Tools, a popular utility for mounting disk images, was compromised in a prolonged supply-chain attack that began in early April and continued for over a month. Security firm Kaspersky uncovered the breach, revealing that malicious updates were pushed through the developer's own servers, signed with official digital certificates. This Q&A covers key details about the attack, its impact, and why such incidents are difficult to defend against.

What is the Daemon Tools supply-chain attack?

In this attack, the legitimate update mechanism of Daemon Tools was hijacked. Cybercriminals infiltrated the developer's servers and replaced authentic installers with trojanized versions. These malicious installers were signed with the developer's official digital certificate, making them appear trustworthy. When users downloaded and ran the infected installers, they executed malware that persisted across system boots. Unlike typical malware that spreads through phishing or exploits, this attack abused the trust users place in official software updates, a hallmark of supply-chain compromises.

Source: feeds.arstechnica.com

Who discovered the attack and how long did it last?

The attack was disclosed by Kaspersky on May 30, 2023. According to their analysis, the compromise began on April 8 and remained active until at least the time of publication, meaning it lasted over seven weeks. The malicious updates were pushed continuously during this period, affecting users who downloaded or updated Daemon Tools from the official website. Kaspersky researchers noted the stealthy nature of the campaign, as the malware was embedded within signed executables, bypassing typical security checks.

Which versions of Daemon Tools were affected?

Only Windows versions of Daemon Tools were impacted. The vulnerable versions range from 12.5.0.2421 through 12.5.0.2434, and users who installed or updated to any version within that sequence may have received the backdoored installer. Versions for other operating systems were not mentioned in the disclosure. Kaspersky recommended checking the installed version number and, if it falls within the affected range, removing the software and scanning for indicators of compromise.
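The version check Kaspersky recommended is easy to get wrong at scale if versions are compared as strings. The following is an added example written for this article, not tooling from Kaspersky or the Daemon Tools developer: it takes the affected range stated above and triages a constructed host inventory using numeric comparison of the dotted components, alongside the naive string comparison to show why it misclassifies a build such as 12.5.0.243.

```python
"""Triage an inventory of hosts against the affected Daemon Tools version range.

Added example for this article, not Kaspersky's or the vendor's tooling. The
version bounds come from the article; the host inventory is constructed sample
data. Comparison is done on integer components: naive string comparison would
misclassify builds such as 12.5.0.243.
"""
from typing import Dict, List, Tuple

# Inclusive range of Windows builds reported as affected.
AFFECTED_FIRST = "12.5.0.2421"
AFFECTED_LAST = "12.5.0.2434"


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version string into integer components."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, first: str = AFFECTED_FIRST, last: str = AFFECTED_LAST) -> bool:
    """True if version lies within [first, last] under numeric comparison."""
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def naive_string_check(version: str) -> bool:
    """The wrong way: lexicographic comparison. Kept only to show the pitfall."""
    return AFFECTED_FIRST <= version <= AFFECTED_LAST


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose installed version is in the affected range.
    Malformed version strings are skipped here; a real tool would report them."""
    hits: List[str] = []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                hits.append(host)
        except ValueError:
            continue
    return hits


# Constructed sample inventory: hostname -> installed Daemon Tools version.
SAMPLE_INVENTORY = {
    "ws-001": "12.5.0.2420",   # one build before the range
    "ws-002": "12.5.0.2421",   # first affected build
    "ws-003": "12.5.0.2430",
    "ws-004": "12.5.0.2434",   # last affected build
    "ws-005": "12.5.0.243",    # not affected, but a string compare says it is
    "ws-006": "12.5.1.1",      # later minor release
    "ws-007": "unknown",       # malformed, skipped
}

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))  # ['ws-002', 'ws-003', 'ws-004']
```

Pulling the installed version from each endpoint (installer metadata, the uninstall registry entries, or an asset inventory export) is left to whatever agent or management tool is already in place; the point here is that the comparison step must be numeric.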

What data does the malware steal and how does it work?

The initial payload delivered by the infected installer collects system information such as MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This data is encrypted and sent to an attacker-controlled server. The malware is configured to run automatically at boot time by modifying system registry entries or startup folders. Upon receiving the harvested information, the attackers can decide whether to deploy additional payloads. In this attack, a second-stage payload was delivered to a very small subset of victims, only about 12 machines, suggesting a highly targeted approach for further exploitation.
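Because the persistence described above lives in well-known autorun locations (the Run registry keys and startup folders), a baseline comparison catches it even when the binary itself is signed and passes file-based scanning. The following is an added example, not code from Kaspersky or the vendor: it diffs a constructed "current" autorun snapshot against a known-good baseline and prioritises new or changed entries whose executable lives in a user-writable directory. The entry names and command lines are constructed sample data, not indicators from this campaign.

```python
"""Flag boot-persistence entries that differ from a known-good baseline.

Added example for this article, not Kaspersky's or the vendor's tooling. The
autorun locations are the standard Windows Run keys and the all-users startup
folder; the entry names and command lines are constructed sample data, not
indicators from the actual campaign. Collecting the live snapshot (reg.exe,
PowerShell, an EDR export) is left to the caller; this block only compares.
"""
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str       # "added" or "modified"
    location: str
    name: str
    command: str


Snapshot = Dict[str, Dict[str, str]]  # location -> {entry name: command line}

# Path prefixes a standard user can write to. Persistence launching from here
# deserves a closer look than a binary under Program Files or System32.
USER_WRITABLE_PREFIXES = (
    "c:\\programdata\\",
    "c:\\users\\",
    "c:\\windows\\temp\\",
)


def diff_autoruns(baseline: Snapshot, current: Snapshot) -> List[Finding]:
    """Return entries present in current that are new or changed vs. baseline."""
    findings: List[Finding] = []
    for location, entries in current.items():
        known = baseline.get(location, {})
        for name, command in entries.items():
            if name not in known:
                findings.append(Finding("added", location, name, command))
            elif known[name] != command:
                findings.append(Finding("modified", location, name, command))
    return findings


def from_user_writable_path(command: str) -> bool:
    """True if the launched executable lives under a user-writable prefix."""
    exe = command.strip().lstrip('"').lower()
    return exe.startswith(USER_WRITABLE_PREFIXES)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Keep only new/changed entries launching from user-writable locations."""
    return [f for f in findings if from_user_writable_path(f.command)]


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP_ALL_USERS = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Constructed baseline snapshot taken from a clean build.
BASELINE: Snapshot = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    STARTUP_ALL_USERS: {},
}

# Constructed current snapshot: two added entries, one relocated binary, one new .lnk.
CURRENT: Snapshot = {
    RUN_HKLM: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "UpdateHelper": r"C:\ProgramData\ExampleCorp\updhlp.exe -svc",      # constructed
        "VendorSvc": r"C:\Program Files\ExampleCorp\svc.exe",               # constructed
    },
    RUN_HKCU: {"OneDrive": r"C:\Users\alice\AppData\Roaming\od\OneDrive.exe /background"},  # constructed
    STARTUP_ALL_USERS: {"readme.lnk": r"C:\Users\alice\AppData\Roaming\rd\readme.exe"},     # constructed
}

if __name__ == "__main__":
    for f in prioritise(diff_autoruns(BASELINE, CURRENT)):
        print(f.kind, f.location, f.name, f.command)
```

A baseline like this is only as good as the image it was taken from, so it should be captured on a freshly built host before the software in question is installed, and re-captured after each approved change.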


How many machines were infected and which organizations were targeted?

Kaspersky detected infections on thousands of machines spread across more than 100 countries. However, the follow-on payload, which indicates a deeper compromise, was observed on only about 12 machines. These select victims belonged to organizations in the retail, scientific, government, and manufacturing sectors. This pattern suggests the attackers were conducting reconnaissance first, then choosing high-value targets for additional malware deployment. The broad initial infection may have been a smokescreen or a way to identify the most interesting hosts.

Why are supply-chain attacks like this difficult to defend against?

Supply-chain attacks exploit the trust relationship between software vendors and their users. Because the malicious installer is signed with a legitimate certificate, antimalware solutions and security tools often treat it as safe. Traditional defenses focus on blocking known malicious files or suspicious behaviors, but here the payload originates from an official source. Additionally, the attack may go unnoticed for weeks, as seen with the monthlong period before Kaspersky's disclosure. Organizations can reduce risk by implementing software update verification, behavioral monitoring, and strict application whitelisting, but complete prevention remains challenging.
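"Software update verification" in the paragraph above has to mean more than confirming that an Authenticode signature chains to a trusted root, since in this campaign the installer carried the developer's genuine certificate. The following is an added example, not the vendor's or Kaspersky's code: it models two additional controls, a SHA-256 digest pinned in a manifest obtained out of band and a pinned signer thumbprint. The installer bytes, the thumbprints and the manifest are constructed; extracting the real thumbprint from a file (signtool, Get-AuthenticodeSignature) is assumed to happen before this function is called, and the version string 12.5.0.2421 is taken from the affected range stated earlier.

```python
"""Gate an installer on checks that go beyond "the signature verifies".

Added example for this article, not the vendor's or Kaspersky's code. Two
controls are modelled: the installer's SHA-256 must match a digest obtained
through a channel separate from the download server, and the signing
certificate thumbprint must match a pinned value rather than merely chaining
to a trusted root. Authenticode parsing is out of scope; the caller supplies
the observed thumbprint. All bytes and thumbprints below are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ManifestEntry:
    version: str
    sha256: str
    signer_thumbprint: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(
    data: bytes,
    claimed_version: str,
    observed_thumbprint: Optional[str],
    manifest: Dict[str, ManifestEntry],
) -> List[str]:
    """Return the list of failed checks; an empty list means the installer may run.

    The digest check catches the case this article describes: a file replaced on
    the vendor's server but still carrying a valid signature from the official
    certificate. The thumbprint pin catches a substituted but still "trusted" signer.
    """
    entry = manifest.get(claimed_version)
    if entry is None:
        return [f"version {claimed_version} not in manifest"]
    failures: List[str] = []
    if sha256_hex(data) != entry.sha256:
        failures.append("sha256 mismatch")
    if observed_thumbprint is None:
        failures.append("not signed")
    elif observed_thumbprint.lower() != entry.signer_thumbprint.lower():
        failures.append("signer thumbprint mismatch")
    return failures


# Constructed stand-ins for installer contents; real files would be read from disk.
GOOD_INSTALLER = b"constructed clean installer bytes for version 12.5.0.2421"
TROJANIZED_INSTALLER = b"constructed tampered installer bytes for version 12.5.0.2421"
PINNED_THUMBPRINT = "CONSTRUCTED0000000000000000000000000000001"  # placeholder, not a real cert
OTHER_THUMBPRINT = "CONSTRUCTED0000000000000000000000000000002"   # placeholder, not a real cert

# Constructed manifest, as it would be fetched from a channel the download server
# does not control (signed release notes, a mirror operated by the customer, etc.).
MANIFEST: Dict[str, ManifestEntry] = {
    "12.5.0.2421": ManifestEntry("12.5.0.2421", sha256_hex(GOOD_INSTALLER), PINNED_THUMBPRINT),
}

if __name__ == "__main__":
    # Same version, same official signer, replaced contents: only the digest check fires.
    print(verify_installer(TROJANIZED_INSTALLER, "12.5.0.2421", PINNED_THUMBPRINT, MANIFEST))
```

The caveat is where the manifest comes from. Here the attackers controlled the developer's own servers for weeks, so a digest list hosted alongside the installer would have been replaced along with it; the pin only adds assurance when it is distributed through a path the download infrastructure cannot rewrite, and when the organisation compares against it before the installer is allowed to execute.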
