Steadvar — News without the noise


Daemon Tools Software Compromised by Monthlong Supply-Chain Attack

Technology · Crime · 5/5/2026

Daemon Tools, a widely used disk imaging application, was compromised for over a month by a backdoor inserted into its official updates. The malicious installers, signed with the developer's own certificate, infected thousands of machines globally and collected sensitive system data. The attack was still active as of Tuesday, according to security firm Kaspersky.

Facts First

  • A monthlong supply-chain attack compromised official Daemon Tools installers downloaded from its website.
  • Malicious updates signed with the developer's certificate infected versions 12.5.0.2421 through 12.5.0.2434.
  • The malware collects system data including MAC addresses, hostnames, and installed software, sending it to an attacker-controlled server.
  • Thousands of machines in over 100 countries were infected, with a follow-on payload delivered to about 12 specific organizations.
  • The attack began on April 8 and was still active at the time of Kaspersky's report.

What Happened

A supply-chain attack compromised the official installers for Daemon Tools, an application used for mounting disk images. The attack began on April 8 and involved malicious updates pushed from the developer's servers. The infected installers, which are signed with the developer's official digital certificate and downloaded from the official website, infect Daemon Tools executables, and the malware runs at boot time. Affected versions include 12.5.0.2421 through 12.5.0.2434, and technical details suggest the infection is limited to installations running on Windows.

Why this Matters to You

If you have installed or updated Daemon Tools in the past month, your computer may have been infected with malware that collects sensitive system information. This could include details like your computer's name, network address, and a list of all software you have installed. The malware sends this data to an attacker-controlled server. For the vast majority of users, the infection was limited to this data collection. However, a small number of infected machines... received an additional, more targeted payload.

What's Next

Users of Daemon Tools should verify their software version and may need to take steps to remove the infection. Security researchers are likely to publish more detailed indicators of compromise and removal guidance. The developer, AVB, may issue a statement or a clean update, though neither they nor Kaspersky could be contacted immediately for additional details. This incident highlights the risks of software supply-chain attacks, which could prompt increased scrutiny of update mechanisms for other applications.
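For teams checking many machines rather than one, the version check above can be run over a software-inventory export. The following is an added example, not code from Kaspersky or the developer; the CSV columns, hostnames and product strings are constructed assumptions, and only the version range comes from the article.

```python
import csv
import io

# Affected build range as reported in the article.
FIRST_BAD = (12, 5, 0, 2421)
LAST_BAD = (12, 5, 0, 2434)

# Constructed sample of an inventory export (columns and rows are made up).
SAMPLE_INVENTORY = """host,product,version
ws-001,Daemon Tools,12.5.0.2421
ws-002,Daemon Tools,12.5.0.2434
ws-003,Daemon Tools,12.5.0.2420
ws-004,Daemon Tools,12.5.0.2435
ws-005,Daemon Tools,12.5.0
ws-006,Daemon Tools,unknown
ws-007,7-Zip,12.5.0.2425
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a full a.b.c.d version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv, product_match="daemon tools"):
    """Map each matching host to 'affected', 'outside-range' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if product_match not in row["product"].lower():
            continue  # unrelated software, even if its version number overlaps
        version = parse_version(row["version"])
        if version is None:
            # Truncated or non-numeric version: cannot be ruled out, check by hand.
            results[row["host"]] = "review"
        elif FIRST_BAD <= version <= LAST_BAD:
            results[row["host"]] = "affected"
        else:
            # Outside the reported range only; the report described the attack as ongoing.
            results[row["host"]] = "outside-range"
    return results


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts whose version string lacks the build number are flagged for manual review instead of being treated as unaffected, since the reported range differs only in that last component.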

Perspectives

  • Security analysts suggest that the targeted delivery of follow-on payloads indicates the supply-chain attack is specifically aimed at select organizations.
  • Defensive experts note that the framing of the attack as 'Hard to defend against' highlights the significant challenges in protecting against such vulnerabilities.