Major Supply Chain Attack Targets Popular Disk Mounting Software
A widely used disk mounting program, Daemon Tools, has been compromised in a months-long supply chain attack. Hackers managed to inject malicious updates into the official software, affecting thousands of users across the globe. Security researchers warn users to check their systems for signs of infection immediately.
How the Attack Unfolded
The attack started on April 8 and remained active for nearly a month. Attackers gained access to the software’s servers and pushed malicious updates that appeared legitimate because they were signed with the developer’s official digital certificate. When users downloaded these updates from the official website, the malware was installed silently on their machines.
The infected releases, versions 12.5.0.2421 through 12.5.0.2434, primarily targeted Windows users. Once installed, the malware would run at startup, making it difficult to detect. The malicious code collected system information such as MAC addresses, hostnames, DNS domains, running processes, installed software, and system locales. This data was then sent to attacker-controlled servers in various countries.
Scope and Impact of the Breach
More than 100 countries saw infections, with thousands of machines affected. Among these, about a dozen belonged to organizations in retail, scientific research, government, and manufacturing sectors. These organizations received a secondary payload, indicating targeted efforts against specific groups.
One of the more advanced payloads was a backdoor capable of executing commands, downloading files, and running code directly in memory—making detection much harder. Researchers identified a more complex backdoor, called QUIC RAT, on a machine at a Russian educational institution. This backdoor could inject payloads into system processes and communicate using multiple protocols including HTTP, UDP, TCP, and QUIC.
The affected organizations were mainly located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The attack was sophisticated, with attackers carefully choosing which machines to infect with the more complex backdoor. The motive remains unclear—whether it’s cyberespionage or data theft—though the targeted approach suggests a planned operation.
Lessons and Recommendations for Users
This incident highlights how supply chain attacks can bypass traditional defenses. Users who have installed the affected versions should run comprehensive scans with reputable antivirus programs. Windows users should also look for signs of compromise, such as unusual activity or unexpected processes.
Security experts recommend monitoring for suspicious code injections into legitimate system processes. It’s also a good idea to stay updated with the latest security patches and avoid downloading updates from unofficial sources. Organizations should scrutinize their machines for abnormal activity, especially after installing updates from trusted vendors.
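Because the malicious updates were signed with the developer's certificate, a signature check does not separate them from clean builds, so the added example below (not code from the researchers or the vendor) triages a software inventory by the affected version range given above. The CSV layout, column names, hostnames and product display string are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Affected build range as stated in the article (inclusive on both ends).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Constructed sample inventory export; columns and names are assumptions.
SAMPLE_INVENTORY = """hostname,product,version
ws-001,DAEMON Tools,12.5.0.2421
ws-002,DAEMON Tools,12.5.0.2434
ws-003,DAEMON Tools,12.5.0.2420
ws-004,DAEMON Tools,12.5.0.2435
ws-005,DAEMON Tools,12.5.0
ws-006,Other Archiver,12.5.0.2430
ws-007,daemon tools, 12.5.0.2428
ws-008,DAEMON Tools,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None when the build cannot be judged."""
    parts = text.strip().split(".")
    # A version without all four components lacks the build number that
    # defines the affected range, so it is sent to manual review instead.
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def triage(inventory_csv, product_substring="daemon tools"):
    """Sort hosts with the product into affected / not_affected / unparsed."""
    results = {"affected": [], "not_affected": [], "unparsed": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if product_substring not in row["product"].lower():
            continue  # unrelated software, even if its version looks similar
        version = parse_version(row["version"])
        if version is None:
            results["unparsed"].append(row["hostname"])
        elif AFFECTED_MIN <= version <= AFFECTED_MAX:
            results["affected"].append(row["hostname"])
        else:
            results["not_affected"].append(row["hostname"])
    return results

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unparsed" bucket need a manual check of the installed build, and a host that has since updated past the range may still have run an affected build earlier.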
Supply chain attacks like this are becoming more common and more complex. They target trusted software to gain access to a wide range of systems, often for espionage or data theft. Staying vigilant and maintaining good cybersecurity practices is essential to defend against these threats.











