2026-05-05 The Hacker News

DAEMON Tools Supply Chain Attack Distributes Malware via Official Installers

Supply Chain · Malware · Vulnerability

A sophisticated supply‑chain compromise has been uncovered in the popular disc‑imaging suite DAEMON Tools, after security researchers at Kaspersky detected a malicious payload embedded in the software’s official installers. The attack altered the installer binaries hosted on the vendor’s website, allowing the malware to be delivered automatically when users executed the legitimate‑looking setup routine.

According to the analysis, the compromised installers ship a dropper that unpacks a modular backdoor onto the victim's machine. The backdoor contacts a remote command-and-control (C2) server, downloads additional payloads, and lets the attacker execute arbitrary code, exfiltrate data, or spread the infection further. The malicious code carries valid digital signatures, which helps it evade initial detection, and because the dropper runs with the same privileges as the installer it triggers no additional User Account Control (UAC) prompt.

Users who downloaded or updated DAEMON Tools during the identified infection window (e.g., March 2024 to May 2024) are at risk. Security teams should audit their environments for the presence of unfamiliar processes such as "dtagent.exe" or "sysupdate.exe", review network traffic for connections to suspicious domains, and isolate affected hosts. Immediate removal of the compromised installer, a full reinstall from the vendor's verified download page, and a thorough anti-malware scan are recommended.
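The audit described above, as an added example that is not part of the article or of Kaspersky's reporting: a triage script that takes `tasklist /fo csv` and `netstat -ano` output collected from Windows hosts, flags the two process names quoted in the article, and lists any connection those processes hold to an address outside the organization's own ranges. The process list, the netstat output and the internal address ranges are all constructed sample data for this example; the real indicators and domains would come from the published report.

```python
"""Hunt collected tasklist/netstat output for the processes named in the advisory.

Added example, not code from the article, Kaspersky, or DAEMON Tools. It parses
constructed `tasklist /fo csv` and `netstat -ano` text so it runs offline; in
practice the same functions are fed the output gathered from each host.
"""
import csv
import io
import ipaddress
import re

# Process names the article tells defenders to look for (compared case-insensitively).
SUSPECT_PROCESSES = {"dtagent.exe", "sysupdate.exe"}

# Constructed (assumed) internal ranges for this example's organization.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of `tasklist /fo csv` output (not real host data).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1234","Console","1","45,000 K"
"DTAgent.exe","4321","Console","1","12,300 K"
"svchost.exe","800","Services","0","9,000 K"
"sysupdate.exe","5150","Console","1","7,800 K"
'''

# Constructed sample of `netstat -ano` output; remote addresses are documentation ranges.
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     4321
  TCP    10.0.0.5:49713         10.0.0.20:445          ESTABLISHED     800
  TCP    10.0.0.5:49720         198.51.100.7:8443      ESTABLISHED     5150
  UDP    0.0.0.0:5353           *:*                                    1234
'''

NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_tasklist(text):
    """Return {pid: image name (lower-cased)} from `tasklist /fo csv` output."""
    rows = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"].lower() for r in rows}


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples from `netstat -ano` output.

    UDP rows carry no State column, so that group is optional.
    """
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append((proto, local, remote, state or "", int(pid)))
    return conns


def is_external(remote):
    """True when the remote endpoint is an IP address outside INTERNAL_NETS."""
    host = remote.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' for unconnected sockets, or a hostname
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def hunt(tasklist_text, netstat_text):
    """Return one finding per suspect process, with its external connections.

    Each finding is {"pid", "image", "external_connections": [(proto, remote), ...]}.
    A suspect process with no external connection is still reported, since the
    backdoor may simply be idle at collection time.
    """
    procs = parse_tasklist(tasklist_text)
    conns = parse_netstat(netstat_text)
    findings = []
    for pid, name in procs.items():
        if name not in SUSPECT_PROCESSES:
            continue
        external = [(proto, remote) for proto, _local, remote, _state, cpid in conns
                    if cpid == pid and is_external(remote)]
        findings.append({"pid": pid, "image": name, "external_connections": external})
    return sorted(findings, key=lambda f: f["pid"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        print(f"PID {f['pid']} {f['image']}: {f['external_connections'] or 'no external connections'}")
```

Matching on image name alone is only a first pass: the names in the article are easy for an attacker to change, so the same run should also record the full path and signer of every hit (for example via `Get-Process -FileVersionInfo` and `Get-AuthenticodeSignature` on the host) before a host is isolated, and the remote addresses found should be checked against the indicator list in the published report rather than the allowlist used here.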

The incident highlights the growing appeal of supply‑chain attacks as a vector for mass compromise, especially when attackers target widely‑used utility software. Organizations should enforce strict code‑signing verification, maintain a Software Bill of Materials (SBOM) to track dependencies, and monitor update mechanisms for anomalous behavior. Prompt sharing of threat intelligence and coordinated disclosure between vendors and the security community remain essential to mitigate such risks.
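The article's closing advice, that a valid code signature was not enough to catch the tampered installers, is the reason to pin expected file hashes out-of-band and verify every download against them. The following is an added example (not the vendor's, the article's or Kaspersky's code) that parses a `sha256sum`-style checksum manifest and verifies a set of downloaded files against it; the manifest format, the file names and the file contents are all constructed assumptions, since the article does not describe how DAEMON Tools publishes checksums.

```python
"""Verify downloaded installers against a pinned, out-of-band checksum manifest.

Added example, not from the article or the vendor. Assumes the expected hashes
arrive through a channel separate from the download itself (vendor manifest,
internal package registry, or an earlier verified copy). A valid Authenticode
signature is still worth checking, but as the article shows it does not by
itself prove the file is the one the vendor meant to ship.
"""
import hashlib
import hmac

# Constructed sample file contents standing in for installers on disk.
GOOD_INSTALLER = b"MZ\x90\x00" + b"legitimate installer bytes" * 4
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00appended dropper stub"


def sha256_hex(data):
    """Hex SHA-256 of a byte string (installers would be read from disk in chunks)."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the common `<sha256>  <filename>` format; file names
# are placeholders, not the vendor's real installer names.
SAMPLE_MANIFEST = (
    f"{sha256_hex(GOOD_INSTALLER)}  installer-lite-example.exe\n"
    "# comment and blank lines are ignored\n"
    "\n"
    "0000000000000000000000000000000000000000000000000000000000000000  *installer-pro-example.exe\n"
)


def parse_manifest(text):
    """Return {filename: expected_sha256_lowercase} from sha256sum-style lines.

    Rejects malformed entries instead of skipping them: a silently dropped line
    would turn a protected file into an unlisted one.
    """
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts
        expected[name.lstrip("*").strip()] = digest.lower()   # '*' marks binary mode in sha256sum
    return expected


def verify(files, manifest_text):
    """Check each downloaded file against the manifest.

    `files` maps filename -> bytes. Returns {filename: status} where status is
    "ok", "MISMATCH" (content differs from the pinned hash) or "UNLISTED"
    (no pinned hash, so the file cannot be trusted). Manifest entries with no
    corresponding file are reported as "MISSING".
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "UNLISTED"
            continue
        actual = sha256_hex(data)
        # Constant-time comparison, so a mismatch leaks nothing about the expected digest.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    for name in expected:
        results.setdefault(name, "MISSING")
    return results


if __name__ == "__main__":
    downloads = {
        "installer-lite-example.exe": TAMPERED_INSTALLER,   # simulated swapped binary
        "installer-mirror-example.exe": GOOD_INSTALLER,     # not in the manifest at all
    }
    for name, status in sorted(verify(downloads, SAMPLE_MANIFEST).items()):
        print(f"{status:8} {name}")
```

Anything other than "ok" should block installation: a MISMATCH is exactly the symptom of an installer replaced on the vendor's site, and an UNLISTED file has no basis for trust regardless of its signature. The same pinned hashes belong in the SBOM entry for the package, so that later inventory checks can detect an update that arrived through a path the organization did not expect.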

Source: The Hacker News
