Daemon Tools, a popular disk image mounting app, was compromised in a supply-chain attack starting April 8, delivering malware through official updates. Security firm Kaspersky reported infections on thousands of machines across over 100 countries. Users are urged to scan their systems immediately.
Kaspersky disclosed on May 5 that the attack on Daemon Tools began on April 8 and continued for about a month. Malicious installers, signed with the developer's official digital certificate, were distributed from developer AVB's website. Affected Windows versions range from 12.5.0.2421 to 12.5.0.2434. The malware activates at boot, collects data such as MAC addresses, hostnames, and installed software, and sends it to attacker-controlled servers.

Thousands of machines were hit, primarily in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, Kaspersky said based on its telemetry. About 10% belonged to businesses and organizations, including the retail, scientific, government, and manufacturing sectors. Only around 12 systems received advanced backdoors, such as a minimalistic one enabling command execution and file downloads, or the more sophisticated QUIC RAT spotted on one Russian educational machine.

“Based on our long-term experience of analyzing supply chain attacks, we can conclude that attackers orchestrated the DAEMON Tools compromise in a highly sophisticated manner,” Kaspersky researchers wrote. They noted similarities to past incidents like the 2023 3CX attack, which also took about a month to detect.

Kaspersky advised users to scan machines with antivirus software and check for the indicators of compromise listed in its report, especially suspicious code injections into processes like notepad.exe from directories such as Temp or AppData. Neither Kaspersky nor developer AVB provided further immediate details.
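The two checks the article points at, the affected build range and notepad.exe carrying code from Temp or AppData, can be turned into a first-pass triage script. The following PowerShell is an added example written for this page; it is not Kaspersky's tooling and not code from AVB. It assumes Windows PowerShell 5.1 or later run as administrator, that DAEMON Tools registers under the standard Windows Uninstall registry keys with a parseable DisplayVersion (an assumption, since the page names no registry key), and it takes the affected range 12.5.0.2421 to 12.5.0.2434 from the article.

```powershell
# Added defender-side triage script (not from Kaspersky's report or from AVB).
# Assumptions: Windows PowerShell 5.1+ run elevated; the affected build range comes
# from the article; the Uninstall-key lookup is the generic Windows location, not a
# DAEMON Tools-specific key, so DisplayName/DisplayVersion matching is a heuristic.

$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'

# --- 1. Is an affected DAEMON Tools build installed? ---------------------------
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' }

if (-not $installed) { Write-Output 'No DAEMON Tools entry found in the Uninstall keys' }
foreach ($app in $installed) {
    $v = $null
    if ([version]::TryParse($app.DisplayVersion, [ref]$v) -and
        $v -ge $AffectedMin -and $v -le $AffectedMax) {
        Write-Warning "$($app.DisplayName) $($app.DisplayVersion) is inside the affected build range"
    } else {
        Write-Output "$($app.DisplayName) $($app.DisplayVersion): outside the affected range (or unparseable)"
    }
}

# --- 2. notepad.exe processes: parent chain and modules from user-writable dirs --
$userWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

$procs = Get-CimInstance Win32_Process -Filter "Name = 'notepad.exe'"
if (-not $procs) { Write-Output 'No notepad.exe processes running' }
foreach ($p in $procs) {
    # Who launched it? notepad.exe started by something other than explorer.exe
    # (or a console/shell) is worth a closer look, not proof of injection.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    Write-Output "notepad.exe PID $($p.ProcessId) parent: $parentName (PID $($p.ParentProcessId))"

    # Loaded modules: anything mapped from Temp/AppData is the page's red flag.
    $modules = @()
    try { $modules = (Get-Process -Id $p.ProcessId -ErrorAction Stop).Modules } catch { }
    foreach ($m in $modules) {
        foreach ($dir in $userWritable) {
            if ($m.FileName -like "$dir\*") {
                Write-Warning "PID $($p.ProcessId) loaded $($m.FileName) from a user-writable directory"
            }
        }
    }
}
```

The module walk only sees DLLs mapped through the loader; code injected as raw shellcode or a manually mapped image will not show up in `Modules`, so a clean result here is not a clean bill of health. Treat the script as a way to prioritise which hosts get a full antivirus scan and a comparison against the IoC list in Kaspersky's report, and enumerate `Modules` on an architecture-matched PowerShell (32-bit processes from 64-bit PowerShell may throw, which the `try` swallows).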