Daemon Tools Software Compromised in Monthlong Supply-Chain Attack

Security researchers have discovered that Daemon Tools, a widely used Windows application for mounting virtual disk images, was compromised in a sophisticated supply-chain attack that began on April 8. For nearly a month, malicious installers distributed directly from the developer’s official website contained a backdoor, allowing attackers to gain remote control over infected systems.

The attack was identified and reported in early May by researchers at the cybersecurity firm Kaspersky. According to their analysis, installers for Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 were trojanized. Crucially, these malicious files were signed with a valid digital certificate belonging to the software’s developer, AVB Disc Soft, allowing them to bypass many standard security checks and appear legitimate to users and antivirus software.

This incident is a stark reminder that even diligent security practices, like downloading software directly from the official vendor, are not foolproof. Supply-chain attacks exploit the inherent trust between users and developers, turning a routine software update into a significant security breach.

The malicious code tampered with three core application files: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Once installed, the malware establishes persistence on the host machine, activating a backdoor every time the system starts up. Because disk emulation software like Daemon Tools often requires elevated administrative privileges to function, the malware inherits those privileges and gains a deep and powerful foothold within the operating system.

Kaspersky’s Global Research and Analysis Team (GReAT) reported that the attackers set up a command-and-control server using a typosquatted domain, env-check.daemontools[.]cc, which was registered just a week before the attack commenced. This server was used to issue commands to infected machines and exfiltrate collected data.
Researchers noted that while the malware was deployed broadly to both home and corporate users, the follow-up stages involving advanced backdoors and remote access trojans (RATs) appeared to be more targeted. “A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” said Georgy Kucherin, a senior security researcher at Kaspersky GReAT, in a statement. The firm drew direct parallels between this incident and the major supply-chain attack that compromised the 3CX softphone application in 2023, which also went undetected for approximately one month.

While no destructive payloads have been observed, the primary goal of the campaign appears to be espionage and data collection. The malware is capable of gathering extensive system information to profile its victims. Based on this profiling, attackers can choose to deploy more sophisticated tools to high-value targets. Kaspersky’s analysis also uncovered artifacts within the malicious code suggesting the involvement of Chinese-speaking threat actors.

For small and mid-sized businesses, the operational fallout extends far beyond an IT headache. The attackers' focus on espionage suggests a hunt for valuable data: intellectual property, customer lists, or internal financial plans. In our experience, the theft of such information can be more damaging long-term than a disruptive ransomware attack, striking at a company's competitive advantage.

The use of a valid digital signature is a key element of the attack’s sophistication. This technique, classified under the MITRE ATT&CK framework as “Subvert Trust Controls: Code Signing,” is highly effective at evading detection. The malware also leverages other techniques, including boot-start execution for persistence and system discovery to identify valuable targets.
Kaspersky has notified AVB Disc Soft of the compromise and is actively working to block the malicious installers. However, at the time of the public disclosure, the researchers stated the attack was still active. They strongly advise organizations and individuals who downloaded or updated Daemon Tools on or after April 8 to immediately conduct a thorough examination of their systems for any signs of compromise or abnormal activity.

The incident highlights the need for a comprehensive approach that includes not just technical defenses but also robust incident response planning. Proactive financial risk management is crucial for mitigating the impact of these sophisticated threats. Businesses need to evaluate their exposure before an attack occurs. To assess your company's vulnerability and develop a resilience strategy, contact C&S Finance Group LLC at csfinancegroup.com.

Moving forward, AVB Disc Soft is expected to release clean versions of its software and provide guidance to its users on remediation. The broader cybersecurity community will continue to analyze the malware and the attackers’ infrastructure to determine the full scope of the breach and identify all affected parties. The incident serves as another critical case study in the growing threat of supply-chain attacks targeting trusted software vendors.
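For readers following the advice above to examine their systems, the following Python script is an added illustration of how the indicators the article names can be turned into a first-pass triage check. It is not code from the article, from Kaspersky, or from AVB Disc Soft. It encodes the affected version range (12.5.0.2421 through 12.5.0.2434), the three tampered file names, and the typosquatted C2 domain, and scans DNS log lines for queries to that domain. The log line format, host names and all sample entries are constructed for the example, and the script generalizes the single C2 host to its parent typosquat zone (daemontools.cc), which is an assumption rather than something the article states.

```python
"""First-pass triage for the Daemon Tools supply-chain compromise.

Added example, not from the article or the vendors involved. The log
format and sample lines below are constructed; the decision to flag
the whole daemontools.cc zone rather than only the env-check host is
an assumption made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Version range the article reports as trojanized (inclusive bounds).
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)

# Application files the article says were tampered with (compared case-insensitively).
TAMPERED_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

# The article's C2 host is env-check under this typosquat zone. Flagging the
# zone (assumption) catches sibling hosts on the same attacker-registered domain
# without matching the differently spelled legitimate vendor domain.
C2_ZONE = "daemontools.cc"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into integers so it compares numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True if the version falls inside the trojanized range.

    The comparison is numeric: a plain string comparison would order
    '12.5.0.900' after '12.5.0.2434' and misclassify it.
    Unparseable input is treated as not affected rather than raising.
    """
    try:
        parsed = parse_version(version)
    except ValueError:
        return False
    return AFFECTED_LOW <= parsed <= AFFECTED_HIGH


@dataclass
class Hit:
    timestamp: str
    host: str
    process: str
    query: str
    tampered_process: bool  # the querying image is one of the three tampered files


# Constructed log format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+query=(?P<query>\S+)$"
)


def query_matches_zone(query: str, zone: str = C2_ZONE) -> bool:
    """Match the zone apex or any subdomain; tolerate a trailing dot and mixed case."""
    name = query.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def scan_dns_log(lines: Iterable[str]) -> list[Hit]:
    """Return every log line whose query resolves into the attacker zone."""
    hits: list[Hit] = []
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the scan
        if query_matches_zone(match["query"]):
            hits.append(
                Hit(
                    timestamp=match["ts"],
                    host=match["host"],
                    process=match["proc"],
                    query=match["query"],
                    tampered_process=match["proc"].lower() in TAMPERED_FILES,
                )
            )
    return hits


# Constructed sample log: two lines point into the typosquat zone, one uses a
# similar-looking but differently spelled name, one is unrelated, one is malformed.
SAMPLE_LOG = [
    "2025-04-15T10:02:11Z host=WS-042 proc=DTHelper.exe query=env-check.daemontools.cc",
    "2025-04-15T10:02:12Z host=WS-042 proc=browser.exe query=www.daemon-tools.cc",
    "2025-04-15T10:03:40Z host=SRV-07 proc=svchost.exe query=time.windows.com",
    "2025-04-15T10:05:02Z host=WS-019 proc=updater.exe query=Other.DaemonTools.cc.",
    "this line does not follow the expected format",
]


if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.900"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'ok'}")
    for hit in scan_dns_log(SAMPLE_LOG):
        flag = "tampered binary" if hit.tampered_process else "other process"
        print(f"{hit.timestamp} {hit.host} {hit.process} -> {hit.query} ({flag})")
```

Two points the script makes that the article only implies: version checks must compare numerically, since the affected builds have a four-digit last component that string ordering mishandles, and a valid Authenticode signature tells you nothing here, so the installed version and network behaviour are the useful signals. A query from one of the three tampered executables to the attacker zone is the strongest of the constructed signals; any other process reaching that zone still warrants investigation.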