Kaspersky says Daemon Tools, a widely used app for mounting disk images, was backdoored on April 8 in a monthlong compromise that has pushed malicious updates
Ars Technica · Dan Goodin
Related Coverage
- DAEMON Tools software infected - supply chain attack ongoing since April 8, 2026 Securelist
- Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in ‘widespread’ attack TechCrunch · Zack Whittaker
- Government, Scientific Entities Hit Via Daemon Tools Supply Chain Attack SecurityWeek · Ionut Arghire
- Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack Ars OpenForum
- DAEMON TOOLS supply chain attack ongoing since April, thousands affected Neowin · Fiza Ali
- Kaspersky warns popular Daemon Tools app backdoored by hackers to target specific victims TechRadar · Sead Fadilpašić
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor BleepingComputer · Bill Toulas
- Hackers compromise Daemon Tools in global supply-chain attack, researchers say The Record · Daryna Antoniuk
- Attackers compromised Daemon Tools software to deliver backdoors Help Net Security · Zeljka Zorz
Discussion
- Georgy Kucherin (@kucher1n) on X: The malicious DAEMON Tools installers have been distributed since the release of version 12.5.0.2421. At the time of writing, the latest versions of this software remain infected. All installers are signed with legitimate certificates belonging to the software developers. [2/7] […
- Georgy Kucherin (@kucher1n) on X: We observed the attackers using this backdoor for deploying further payloads to infected machines. In most cases, we observed attempted deliveries of an implant that conducts system information collection. Curiously, this implant contains strings in Chinese. [4/7]
- Georgy Kucherin (@kucher1n) on X: Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100+ countries. If you use DAEMON Tools, run a malware scan immediately! [1/7] …
- Georgy Kucherin (@kucher1n) on X: Furthermore, we observed just one of the organizations to receive a unique RAT that is able to inject payloads and can use a wide range of protocols for C2 server communications - including WSS, QUIC, DNS and HTTP/3. Analysis of this implant is currently ongoing. [6/7]
- Georgy Kucherin (@kucher1n) on X: However, we also observed hands-on activities for just about a dozen victim organizations - this indicates that this supply chain attack is a targeted one. These victims received a minimalistic backdoor, designed for downloading files and running shellcode payloads. [5/7]
- Georgy Kucherin (@kucher1n) on X: The DAEMON Tools executables delivered by malicious installers contain a backdoor which runs at the executable initialization stage. This backdoor is responsible for making GET requests to a C2 server to retrieve shell commands and further execute them. [3/7]
- Georgy Kucherin (@kucher1n) on X: Given that this supply chain attack is highly complex, we urge everyone who uses DAEMON Tools to isolate their machines and initiate a security sweep to ensure protection against malware. You can refer to the IoCs that we published in our blogpost, https://securelist.com/.... [7/…
- r/netsec on Reddit: Popular DAEMON Tools software infected - supply chain attack ongoing since April 8, 2026
- r/programming on Reddit: Popular DAEMON Tools software infected - supply chain attack ongoing since April 8, 2026
- Dee Homak (@aalien) on X: lol. supply chain attack is the new black.
- @wiimee on X: Every single piece of code can put your crypto funds at risk if you are still relying on a software wallet to keep your keys safe in 2026. Get a freaking hardware wallet or a dedicated device for crypto!
- Boris Larin (@oct0xor) on X: DAEMON Tools was hit in a sophisticated supply chain attack, with backdoored software delivered via the official website
- @nextronresearch on X: Most of you have probably already seen the reports about the DAEMON Tools supply chain compromise. According to Kaspersky, the campaign has been active since April 8 and affected victims in more than 100 countries. On our side, we took the published indicators and turned them [imag…
- Florian Roth (@cyb3rops) on X: Oh, wow - this is big
- @pirat_nation on X: Kaspersky has uncovered a backdoor embedded in the official Windows installer of Daemon Tools, a widely used disc imaging application. Security researchers believe Chinese-speaking hackers carried out a supply chain attack that began on April 8, compromising thousands of
- Zack Whittaker (@zackwhittaker.com) on Bluesky: More: Kaspersky says the attack is still ongoing, suggesting the suspected Chinese hackers can still plant malware on any computer running a vulnerable version of Daemon Tools. — A rep. for Disc Soft, which makes the Daemon Tools software, told me it was aware of the report and…
- Zack Whittaker (@zackwhittaker.com) on Bluesky: I heard more from Disc-Soft, the maker of Daemon Tools, which was backdoored by suspected Chinese-language hackers and used to compromise thousands of users. Disc-Soft tells me the backdoor was “limited to the free DAEMON Tools Lite” and v12.6 removes the backdoor; investigation…