Code Defence Cyber security

Official Daemon Tools installers trojanized in sophisticated supply chain attack

Official installers for a widely used disk-imaging utility have been found to contain malicious code injected by sophisticated threat actors. The attack uses legitimate software distribution channels and valid digital certificates to deliver backdoors to targeted organizations worldwide.

The supply chain attack targets Daemon Tools versions 12.5.0.2421 to 12.5.0.2434, released since April 8, 2026. Attackers compromised three core binaries within the software, all signed with valid certificates, to deploy an information collector. On a small subset of high-value systems at government, scientific, and manufacturing organizations, the attackers deployed a second, minimalistic backdoor to facilitate deeper network intrusion.

The use of valid digital signatures and legitimate update channels makes these attacks exceptionally difficult for standard antivirus tools to detect. By targeting specialized utility software, adversaries can establish persistence within niche industrial and scientific environments that may lack the rigorous security oversight of general IT segments.

– Immediately identify and quarantine any system running trojanized versions of Daemon Tools (12.5.0.2421 – 12.5.0.2434).

– Conduct a forensic audit of affected systems for unauthorized outbound connections and the presence of secondary backdoor implants.

– Rotate all credentials and session tokens that may have been accessed on workstations running the compromised software.

– Review and restrict the use of non-essential utility software on high-value systems within government and scientific segments.
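As an added example that is not part of this advisory, the following script triages a software inventory export for the first step above. It assumes a constructed CSV inventory (hostname, product, version) such as an asset-management tool might produce; the version range is the one the advisory names, and a version-only match is a starting point for quarantine, not proof that a given binary is clean.

```python
"""Flag hosts whose installed Daemon Tools version is in the trojanized range.

Added example for triage; the inventory format and hostnames are constructed.
"""
from typing import List, Tuple

# Range named in the advisory (inclusive on both ends).
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)

# Constructed sample inventory (not real hosts): hostname,product,version
SAMPLE_INVENTORY = """\
ws-lab-01,Daemon Tools,12.5.0.2421
ws-lab-02,Daemon Tools,12.5.0.2420
srv-build-07,Daemon Tools,12.5.0.2434
ws-eng-14,Daemon Tools,12.5.0.24300
ws-eng-15,7-Zip,23.01
ws-lab-03,Daemon Tools,12.4.0.2199
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version into an int tuple so comparison is numeric.

    A plain string comparison would rank the constructed build 12.5.0.24300
    as lower than 12.5.0.2434 and wrongly flag it; numeric tuples do not.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the version lies within the advisory's range."""
    try:
        parsed = parse_version(version)
    except ValueError:  # malformed or non-numeric version string
        return False
    return len(parsed) == 4 and AFFECTED_LOW <= parsed <= AFFECTED_HIGH


def affected_hosts(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (hostname, version) for each Daemon Tools entry in range."""
    hits = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if "daemon tools" in product.lower() and is_affected(version):
            hits.append((host, version))
    return hits


if __name__ == "__main__":
    for host, version in affected_hosts(SAMPLE_INVENTORY):
        print(f"QUARANTINE {host}: Daemon Tools {version} is in the affected range")
```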

Supply chain attacks on trusted utilities require an immediate shift to a forensic “assume breach” posture for any environment where the software was active. #CodeDefence #SupplyChain #DaemonTools #Backdoor #Espionage