Hackers compromise Daemon Tools in global supply-chain attack, researchers say
Hackers have compromised installers of widely used disk imaging software in a supply chain attack that has affected users in more than 100 countries, according to a new report.
Researchers at Kaspersky said attackers tampered with installers for Daemon Tools — a popular program used to mount disk images as virtual drives — and distributed them through the software’s official website.
The malicious versions, first observed in early April, affected multiple releases of the software installed on thousands of machines across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany and China.
The operation appears to be targeted, Kaspersky said. Most victims received only a basic information collector designed to gather system data, while a second, more advanced payload was deployed to just a handful of targets, including organizations in the government, science, manufacturing and retail sectors in Russia, Belarus and Thailand.
Researchers said the attackers likely used the initial data collection to profile infected systems before selectively deploying more sophisticated malware.
Among the tools identified was a lightweight backdoor used to deliver a more complex implant dubbed Quic RAT. That malware was deployed against only one known target, an unidentified educational institution in Russia.
The compromised installers affected versions 12.5.0.2421 through 12.5.0.2434 of Daemon Tools, embedding backdoors into core software components that execute automatically at system startup.
The campaign began around April 8 and remains active, with thousands of attempted infections recorded since then, according to Kaspersky.
Latvian developer Disc Soft, which produces Daemon Tools, said it is aware of the findings and is investigating.
Kaspersky said the malicious code included Chinese-language elements, suggesting the attackers are Chinese-speaking, but stopped short of attributing the campaign to a specific group.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.



