DAEMON Tools Installers Hit by Supply Chain Malware Attack

💡 Why It Matters

This incident underscores the critical need for robust security in digital supply chains to prevent widespread malware distribution.

Supply Chain Attack Targets DAEMON Tools

A sophisticated supply chain attack has compromised the installers of DAEMON Tools, a popular disk imaging software, to distribute malware to users worldwide. According to cybersecurity firm Kaspersky, this breach highlights the critical vulnerabilities present in software distribution channels and underscores the need for improved security measures in protecting digital supply chains.

Malicious Payload in Official Installers

The compromised installers, available since April 8, 2026, were distributed directly from DAEMON Tools' legitimate website. They were digitally signed with certificates belonging to DAEMON Tools' developers, a layer of trust that allowed the malware to evade detection for nearly a month. Versions 12.5.0.2421 through 12.5.0.2434 of the Windows software were identified as carrying the malicious payload.
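Because the trojanised builds carried a valid developer signature, signature checks alone will not find them; the affected version range is the usable indicator. The following added script (not Kaspersky's or AVB Disc Soft's code) scans a software inventory for DAEMON Tools builds in that range and lists the hosts to isolate, comparing version segments as integers rather than as strings. The inventory record shape and the prefix match on the product name are assumptions.

```python
from typing import Iterable, List, Tuple

# Range of trojanised Windows builds named in the article (inclusive).
AFFECTED_PRODUCT = "DAEMON Tools"   # case-insensitive prefix match on the inventory product name
AFFECTED_LOW = "12.5.0.2421"
AFFECTED_HIGH = "12.5.0.2434"


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421); shorter strings are zero-padded to
    four segments so '12.5' compares as (12, 5, 0, 0)."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True when the product is DAEMON Tools and the build lies in the range.
    Segments are compared as integers: as strings, '12.5.0.243' would sort
    between the two bounds and be a false positive. The code signature is
    deliberately not consulted, because the bad installers were validly signed."""
    if not product.lower().startswith(AFFECTED_PRODUCT.lower()):
        return False
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


def hosts_to_isolate(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Hostnames to isolate and audit, deduplicated, in inventory order.
    Each record is (hostname, product, version)."""
    seen, hits = set(), []
    for host, product, version in inventory:
        if is_affected(product, version) and host not in seen:
            seen.add(host)
            hits.append(host)
    return hits


# Constructed software-inventory records, not real telemetry.
SAMPLE_INVENTORY = [
    ("ws-fin-01", "DAEMON Tools Lite", "12.5.0.2421"),   # first build in the range
    ("ws-fin-02", "DAEMON Tools Ultra", "12.5.0.2434"),  # last build in the range
    ("ws-lab-07", "DAEMON Tools Lite", "12.5.0.2420"),   # build just before the range
    ("ws-lab-08", "DAEMON Tools Lite", "12.5.0.243"),    # string comparison would wrongly flag this
    ("ws-eng-03", "Notepad++", "12.5.0.2430"),           # version in range, wrong product
    ("ws-fin-01", "DAEMON Tools Lite", "12.5.0.2430"),   # duplicate host, reported once
]

if __name__ == "__main__":
    for host in hosts_to_isolate(SAMPLE_INVENTORY):
        print(f"isolate and audit: {host}")
```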

Kaspersky's investigation revealed that the attack involved tampering with three different components of the software. Each time an affected binary is executed, typically during system startup, an implant is triggered. This implant sends an HTTP GET request to a domain registered shortly before the attack commenced, to receive commands that are then executed on the compromised system.

Global Impact and Infection Attempts

The scale of the attack is extensive, with Kaspersky's telemetry data recording several thousand infection attempts in over 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, only a select few systems received the secondary malware payload, indicating a possible strategy to target specific sectors.

Notably, the targeted systems belong to organizations in industries such as retail, scientific research, government, and manufacturing, particularly in Russia, Belarus, and Thailand. Among the payloads delivered was a remote access trojan known as QUIC RAT, which was used against an educational institution in Russia.

Advanced Malware Capabilities

The malware involved in this attack supports a wide range of command-and-control protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It can inject malicious payloads into legitimate processes such as 'notepad.exe' and 'conhost.exe', further evading detection by security software.

While the identity of the threat actor remains unknown, evidence suggests that a Chinese-speaking group may be responsible, based on analysis of the digital artifacts left behind. This attack adds to a growing list of high-profile supply chain breaches in 2026, following incidents involving other well-known software like eScan, Notepad++, and CPUID.

Industry Response and Mitigation Efforts

In response to the breach, AVB Disc Soft, the Latvian developer behind DAEMON Tools, stated they are aware of the issue and are conducting a thorough investigation. The company has prioritized the matter and is actively working to assess and mitigate any potential risks to their users.

Kaspersky's experts emphasize the importance of isolating machines that have the compromised software installed and conducting comprehensive security audits to prevent further malware spread within corporate networks. The attack highlights the challenges of defending against threats that exploit trusted software, especially when digital signatures lend a false sense of security.

Looking Forward: Strengthening Software Supply Chains

The DAEMON Tools incident serves as a stark reminder of the vulnerabilities inherent in software supply chains and the need for robust security measures. As cyber threats continue to evolve, organizations must adopt proactive strategies to protect against similar attacks, including enhancing threat detection systems and strengthening the integrity of their software distribution processes.

As the investigation continues, stakeholders in the cybersecurity industry will be closely monitoring developments to understand the full implications of this breach and to devise strategies to bolster defenses against future supply chain attacks.