Daemon Tools, the popular Windows disk image mounting application, was backdoored in a supply-chain attack that ran for approximately one month starting April 8. Malicious installers signed with the developer's official certificate were distributed from the official website, affecting versions 12.5.0.2421 through 12.5.0.2434. The initial payload collects system information (MAC addresses, hostnames, DNS names, running processes, installed software) and sends it to an attacker-controlled server, with thousands of machines across 100+ countries infected. About 12 machines belonging to retail, scientific, government, and manufacturing organizations received a secondary payload, suggesting targeted follow-on attacks. Kaspersky compares the sophistication to the 2023 3CX supply-chain attack and urges organizations to inspect any machine with Daemon Tools installed for suspicious activity since April 8.
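For the triage step Kaspersky recommends, the following is an added example (not from the article, Kaspersky, or the Daemon Tools project) that flags hosts whose installed build falls inside the affected range 12.5.0.2421 through 12.5.0.2434; the `host,version` CSV inventory format and the rows in it are constructed assumptions.

```python
"""Triage helper: flag hosts whose installed Daemon Tools build falls in the
backdoored range 12.5.0.2421 - 12.5.0.2434 named in the report.

Added example, not the article's or Kaspersky's code. The inventory rows are
constructed sample data in a hypothetical "host,version" CSV layout."""
import csv
import io

AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2434' into (12, 5, 0, 2434) so comparison is numeric.
    Comparing as strings would wrongly rank '12.5.0.999' above '12.5.0.2434'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build sits inside the signed-but-backdoored range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory_csv: str) -> list:
    """Return (host, version) pairs needing inspection, sorted by host.
    Unparseable versions are kept rather than silently dropped."""
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if is_affected(row["version"]):
                flagged.append((row["host"], row["version"]))
        except ValueError:
            flagged.append((row["host"], "UNPARSEABLE:" + row["version"]))
    return sorted(flagged)


# Constructed inventory: two affected builds, one just below the range,
# one that a string compare would misjudge, one old major, one garbage.
SAMPLE_INVENTORY = """host,version
ws-retail-01,12.5.0.2421
ws-lab-07,12.5.0.2420
srv-mfg-03,12.5.0.2434
ws-gov-12,12.5.0.999
ws-hr-04,11.0.0.1996
ws-dev-02,unknown
"""

if __name__ == "__main__":
    for host, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> isolate and inspect activity since April 8")
```

A flagged host is only a starting point: the report's indicator is suspicious activity after April 8, so an affected build that was installed earlier still warrants a look at what the process did on or after that date.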