Ethical Hacking News
A monthlong supply-chain attack has exposed millions of users to malicious Daemon Tools updates, highlighting the growing concern over cyber espionage and the need for increased vigilance in protecting digital assets.
The Daemon Tools disk application had been compromised by a month-long supply-chain attack. The malicious update was spread through official channels, infecting thousands of machines across more than 100 countries. The attack collected sensitive information such as MAC addresses and DNS domain names, which were sent to an attacker-controlled server. A targeted backdoor called "QUIC RAT" was used to execute commands, download files, and run shellcode payloads in memory. The attack was focused on select groups of organizations, including those in Russia, Belarus, and Thailand. Users are advised to scan their machines for potential infections and monitor suspicious code injections into legitimate system processes.
In a shocking revelation, cybersecurity experts at Kaspersky have discovered that the widely used Daemon Tools disk application had been compromised by a month-long supply-chain attack. This malicious update was spread through official channels, infecting thousands of machines across more than 100 countries.
The attack began on April 8 and remained active until the time of discovery. The infected versions of Daemon Tools contain an initial payload that collects sensitive information such as MAC addresses, hostnames, DNS domain names, running processes, installed software, and system locales. This data is then sent to an attacker-controlled server, posing a significant threat to user privacy.
Interestingly, it was found that the attack targeted select groups of organizations, including retail, scientific, government, and manufacturing entities located in Russia, Belarus, and Thailand. These targeted machines received a follow-on payload, dubbed "QUIC RAT," which is capable of executing commands, downloading files, and running shellcode payloads in memory.
The QUIC RAT backdoor has been observed on only a dozen machines, but its ability to inject payloads into legitimate system processes makes it a formidable threat. Initial analysis suggests that the attackers had intentions to conduct cyber espionage or "big game hunting," but their true motives remain unclear.
This latest supply-chain attack highlights the growing concern over malicious code being inserted into seemingly functional software packages used by developers. Such attacks have become increasingly common, with notable examples including the poisoning of the CCleaner Windows utility in 2017 and the SolarWinds app management software for enterprises in 2020.
As a result, it is essential for users to take immediate action and scan their machines for potential infections. Windows users are advised to check for the indicators of compromise listed by Kaspersky. For more advanced users and defenders, Kaspersky recommends monitoring "suspicious code injections into legitimate system processes, especially when the source is executables launched from publicly accessible directories such as Temp, AppData, or Public".
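As an added illustration of the monitoring advice above (example code written for this page, not Kaspersky's or the article's own tooling): the scanner below applies that heuristic to a handful of constructed Sysmon records, assumed to have been flattened by a log forwarder into pipe-delimited key=value lines, and flags CreateRemoteThread (Event ID 8) and ProcessAccess (Event ID 10) events whose source executable runs from Temp, AppData or Public and whose target is a Windows system binary.

```python
# Constructed sample records in an assumed pipe-delimited key=value format.
# Sysmon Event ID 8 = CreateRemoteThread, Event ID 10 = ProcessAccess,
# Event ID 1 = ProcessCreate (not an injection event, so it is skipped).
SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\dt_update.exe"
    "|TargetImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=10|SourceImage=C:\\Users\\Public\\svc.exe"
    "|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1F0FFF",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe",
    "EventID=8|SourceImage=C:\\Program Files\\Example\\app.exe"
    "|TargetImage=C:\\Windows\\explorer.exe",
    "EventID=1|Image=C:\\Users\\Public\\svc.exe|CommandLine=svc.exe",
    "EventID=8|SourceImage=C:\\Users\\bob\\AppData\\Roaming\\helper.exe"
    "|TargetImage=C:\\Users\\bob\\Desktop\\game.exe",
]

INJECTION_EVENT_IDS = {"8", "10"}
# The launch locations the advisory singles out: Temp, AppData and Public.
PUBLIC_DIR_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")
SYSTEM_DIR_PREFIX = "c:\\windows\\"


def parse_event(line: str) -> dict:
    """Split one pipe-delimited record into a {key: value} dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def launched_from_public_dir(image: str) -> bool:
    """True when the executable path lies under a user-writable staging directory."""
    path = image.lower().replace("/", "\\")
    return any(marker in path for marker in PUBLIC_DIR_MARKERS)


def targets_system_process(image: str) -> bool:
    """True when the target binary lives under the Windows directory."""
    return image.lower().replace("/", "\\").startswith(SYSTEM_DIR_PREFIX)


def find_suspicious_injections(lines) -> list:
    """Return (event_id, source, target) for injections matching the heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in INJECTION_EVENT_IDS:
            continue
        src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if launched_from_public_dir(src) and targets_system_process(dst):
            hits.append((ev["EventID"], src, dst))
    return hits
```

Only the first two records are flagged; the injection from an installed-application directory is deliberately not, which is why this path-based rule complements, rather than replaces, checking Kaspersky's published indicators of compromise.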
In conclusion, the recent Daemon Tools supply-chain attack serves as a stark reminder of the dangers of malicious software being spread through official channels. It is crucial for organizations and individuals to be vigilant in protecting their digital assets from such threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Monthlong-Supply-Chain-Attack-Exposes-Millions-of-Users-to-Malicious-Daemon-Tools-Updates-ehn.shtml
https://arstechnica.com/security/2026/05/widely-used-daemon-tools-disk-app-backdoored-in-monthlong-supply-chain-attack/
https://www.kaspersky.com/about/press-releases/kaspersky-identifies-ongoing-supply-chain-attack-on-official-daemon-tools-website-distributing-backdoor-malware
Published: Wed May 6 01:42:22 2026 by llama3.2 3B Q4_K_M