Kaspersky researchers have discovered a supply chain attack compromising DAEMON Tools installers. The malicious versions are distributed directly from DAEMON Tools' legitimate website and signed with authentic developer certificates, making detection difficult for users relying on signature verification.
The attack delivers a malicious payload through software installation packages that appear legitimate. Users downloading DAEMON Tools from the official website receive compromised installers that execute attacker-controlled code during installation. The use of valid digital signatures creates a false sense of security, bypassing standard validation checks that many organizations and individuals perform before executing software.
DAEMON Tools software facilitates disk imaging and virtual drive functionality, making it widely deployed across enterprise and consumer environments. Attackers exploiting this distribution channel gain direct access to user systems during the installation process, when privileges are elevated. This level of access enables installation of additional malware, lateral movement within networks, or data exfiltration.
Supply chain attacks of this nature represent heightened risk because they bypass traditional security boundaries. Users trusting legitimate vendors become unwitting infection vectors. Organizations cannot simply block DAEMON Tools downloads without disrupting operations if the software is integral to their workflows.
Kaspersky's identification of the compromise came through detection of the malicious payload itself, not through signature-based scanning. This indicates the attack remained undetected during active distribution, potentially affecting an unknown number of users.
Kaspersky researchers Igor Kuznetsov and Georgy Kucherin led the investigation. The finding underscores how attackers increasingly target software supply chains rather than end users directly, maximizing exposure and reducing detection likelihood.
Organizations using DAEMON Tools should immediately verify installer checksums against official sources and check systems for indicators of compromise. Users should update to patched versions once the vendor confirms the issue is resolved. This incident reinforces the necessity of behavioral monitoring alongside signature verification during software installation.
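As an added example (not code from the Kaspersky report or from the DAEMON Tools vendor), this PowerShell function checks a downloaded installer the way the paragraph above recommends: a valid Authenticode signature is treated as necessary but not sufficient, and the file must also match a SHA-256 obtained out of band and carry the expected publisher subject. The signer string, hash and path are placeholders to be filled in from an independent source.

```powershell
# Added example, not the article's or the vendor's code. A valid Authenticode
# signature alone would have passed the compromised installers described above,
# so the decision combines three checks: signature status, signer subject, and a
# SHA-256 pinned from a source other than the download itself.
function Test-PinnedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,  # published out of band, not read from the download page
        [Parameter(Mandatory)] [string] $ExpectedSigner   # substring expected in the signing certificate subject
    )
    $result = [ordered]@{
        Path = $Path; SignatureOk = $false; SignerOk = $false; HashOk = $false; Trusted = $false
    }

    # 1. Cryptographic validity of the embedded signature (chain and integrity).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureOk = ($sig.Status -eq 'Valid')

    # 2. Signed by whom? A valid signature from an unexpected publisher is still a failure.
    if ($sig.SignerCertificate) {
        $result.SignerOk = ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    }

    # 3. Is this the exact artifact the vendor published? Get-FileHash returns uppercase hex.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    # A file that is validly signed but does not match the pinned hash is the
    # scenario in the article: signature checks pass, yet the binary is not the
    # one the vendor intended to ship. All three must hold to trust the installer.
    $result.Trusted = $result.SignatureOk -and $result.SignerOk -and $result.HashOk
    [pscustomobject]$result
}

# Usage with placeholder values (constructed for this example):
# Test-PinnedInstaller -Path 'C:\Downloads\installer.exe' `
#     -ExpectedSha256 '<SHA256 FROM OUT-OF-BAND SOURCE>' `
#     -ExpectedSigner '<EXPECTED PUBLISHER CN>'
```

The hash pin only helps when the reference checksum comes from a channel independent of the one that served the installer; if the same compromised site publishes both, compare against a copy retained from before the incident or obtained from the vendor directly.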
