Daemon Tools, a widely installed disk virtualization application used by millions, was compromised in a supply-chain attack that lasted approximately one month before detection. The backdoored version of the software infected user machines with stealthy malware during the compromise window.

The attack represents a classic supply-chain vulnerability where threat actors gain control of legitimate software distribution channels to inject malicious code. Rather than attacking individual users, adversaries compromise the software vendor itself, ensuring widespread deployment of malware through trusted update mechanisms. Users who downloaded or updated Daemon Tools during the affected period likely installed the compromised version without realizing their systems were being infected.

Daemon Tools is a legitimate utility for creating and managing virtual disk drives, making it a high-value target for attackers. The application's prevalence across enterprise and consumer systems amplified the potential reach of this campaign. The month-long window before detection suggests attackers maintained access to the supply chain for an extended period, maximizing infection rates before security researchers identified the compromise.

The incident underscores persistent vulnerabilities in software distribution pipelines. Even applications with strong reputations and large user bases face supply-chain risks. Developers often lack robust signing verification, update transparency, and integrity monitoring that would catch such compromises faster.
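The controls named above (signature verification, update integrity checks) translate into a concrete pre-deployment gate. The following PowerShell function is an added example and is not code from the article or from the Daemon Tools vendor; the installer path, the pinned hash and the expected publisher subject are placeholders you would substitute with values recorded from a previously vetted release.

```powershell
# Added example (not from the article or the vendor). Gate an installer before
# deployment on two independent checks:
#   1. SHA-256 against a hash pinned out-of-band from a known-good release
#   2. Authenticode chain status AND the signer subject actually expected
function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,          # pinned earlier, not read from the download page
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern   # wildcard pattern, e.g. 'CN=<Expected Publisher>*'
    )

    $result = [ordered]@{
        Path        = $Path
        HashOk      = $false
        SignatureOk = $false
        SignerOk    = $false
        Signer      = $null
        Status      = $null
        Trusted     = $false
    }

    # 1. Pinned-hash check: a rebuilt or swapped installer changes the digest
    #    even when the file name and version string are unchanged.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $result.HashOk = ($actual -ieq $ExpectedSha256)

    # 2. Authenticode check: the chain must validate, and the leaf certificate
    #    must belong to the expected vendor, not merely to "some valid signer".
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status      = $sig.Status
    $result.SignatureOk = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $result.Signer   = $sig.SignerCertificate.Subject
        $result.SignerOk = ($sig.SignerCertificate.Subject -like $ExpectedSubjectPattern)
    }

    $result.Trusted = $result.HashOk -and $result.SignatureOk -and $result.SignerOk
    [pscustomobject]$result
}

# Usage with placeholder values (constructed, not real release data):
# Test-InstallerIntegrity -Path 'C:\Downloads\installer.exe' `
#     -ExpectedSha256 '<PINNED_SHA256>' `
#     -ExpectedSubjectPattern 'CN=<Expected Publisher>*'
```

The two checks fail in different situations, which is why both are kept. A binary modified after signing, or re-signed with an unrelated certificate, fails the Authenticode or signer check. If instead the attackers controlled the vendor's build or signing infrastructure (the article notes the vector is still undetermined), the malicious build can carry a valid vendor signature, and only a hash pinned from a release vetted before the compromise window will disagree. When both checks pass but the release falls inside a suspected compromise window, the decision has to rest on endpoint and network telemetry rather than on the installer's own metadata.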

Security researchers have confirmed that backdoored versions exist, and Ars Technica reports that users should immediately scan their machines for infections using updated antivirus tools. Organizations deploying Daemon Tools at scale should treat this as a critical incident requiring network forensics to identify compromised systems and any lateral movement from them.

Daemon Tools has not yet released a detailed technical analysis of the compromise vector. Whether attackers obtained developer credentials, compromised build infrastructure, or infiltrated the update servers remains unclear. This knowledge gap hinders organizations' ability to assess their risk exposure and to plan recovery.

This attack joins a growing list of supply-chain compromises affecting software development ecosystems. S