Daemon Tools backdoored for a month via signed installers from official site
Original source: Ars Technica, "Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack"
Kaspersky disclosed a supply-chain compromise of Daemon Tools, the disk-image mounting utility, in which trojanized installers were served from the developer's own infrastructure beginning April 8. The affected Windows builds, 12.5.0.2421 through 12.5.0.2434, are signed with AVB's legitimate code-signing certificate and drop a loader that runs at boot and exfiltrates MAC addresses, hostnames, DNS domains, running processes, installed software, and system locales to an attacker-controlled server.
The campaign reached thousands of machines in more than 100 countries, but only about a dozen, at retail, scientific, government, and manufacturing organizations, received a second-stage payload. Broad collection followed by a narrow follow-on points to reconnaissance feeding selective exploitation, which is consistent with state-aligned tradecraft rather than commodity crime.
Kaspersky draws a direct comparison to the 3CX intrusion of 2023, noting a similar month-long dwell time before detection. Because the installers carry the vendor's valid signature and were downloaded from the official site, signature verification and download-source checks offer no protection here; organizations with an affected version installed should treat April 8 onward as the window for forensic review of outbound C2 traffic, boot-time persistence, and process anomalies, rather than simply patching and moving on.
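As an added illustration of the first triage step, the Python below walks a software-inventory export and flags hosts whose installed Daemon Tools build falls inside the affected range quoted above. This is example code written for this page, not code from Kaspersky, Ars Technica or the Daemon Tools vendor; the CSV layout (hostname,product,version) and the sample rows are constructed for the example, and the version range is the one stated in the summary.

```python
"""Flag hosts running a Daemon Tools build in the affected range.

Added example, not code from Kaspersky, Ars Technica or the Daemon Tools
vendor. The inventory format (hostname,product,version CSV) and the rows in
SAMPLE_INVENTORY are constructed for illustration.
"""
import csv
import io

# Affected Windows builds as reported in the summary above (inclusive range).
AFFECTED_LOW = "12.5.0.2421"
AFFECTED_HIGH = "12.5.0.2434"

# Constructed inventory export, not real telemetry.
SAMPLE_INVENTORY = """hostname,product,version
ws-001,DAEMON Tools,12.5.0.2421
ws-002,DAEMON Tools,12.5.0.2434
ws-003,DAEMON Tools,12.5.0.2420
ws-004,DAEMON Tools,12.5.0.2435
ws-005,DAEMON Tools,12.5.0.2430
ws-006,7-Zip,23.01
ws-007,DAEMON Tools,unknown
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '12.5.0.2421' to (12, 5, 0, 2421) so comparisons are numeric.

    Comparing the raw strings would be wrong: '12.5.0.999' sorts after
    '12.5.0.2434' as text although 999 < 2434 as a build number.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when version lies within [AFFECTED_LOW, AFFECTED_HIGH]."""
    low = parse_version(AFFECTED_LOW)
    high = parse_version(AFFECTED_HIGH)
    return low <= parse_version(version) <= high


def triage(inventory_csv: str) -> tuple[dict[str, str], list[str]]:
    """Return (affected hosts -> version, hosts whose version could not be parsed).

    Only rows whose product name contains 'daemon tools' are considered; other
    software is ignored. A hit means the host needs the forensic review the
    article recommends (outbound C2 traffic, boot-time persistence, process
    anomalies from April 8 onward), not that compromise is confirmed.
    """
    affected: dict[str, str] = {}
    unparsed: list[str] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "daemon tools" not in row["product"].lower():
            continue
        try:
            if is_affected(row["version"]):
                affected[row["hostname"]] = row["version"]
        except ValueError:
            # Unknown or malformed version: the host cannot be cleared, so surface it.
            unparsed.append(row["hostname"])
    return affected, unparsed


if __name__ == "__main__":
    hits, unknown = triage(SAMPLE_INVENTORY)
    for host, version in sorted(hits.items()):
        print(f"REVIEW  {host}  Daemon Tools {version}")
    for host in unknown:
        print(f"VERIFY  {host}  version could not be parsed")
```

A version match is the starting point, not the verdict: because the trojanized builds are signed with the vendor's real certificate, checking the installer's Authenticode signature will report it as valid, so the follow-up has to be host and network forensics over the window the article gives rather than a signature check.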
This is an AI-generated summary of the Ars Technica article; read the original for the full story.