If you were a PC gamer and BitTorrent user in the 2000s through the early 2010s, you were probably familiar with DAEMON Tools. The software allows users to mount disk images as if they were physical disks in a physical drive. Well, it turns out the software is still around and has been compromised since at least April 8, 2026. As Kaspersky Securelist reports:
In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active. Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed.
The fact that the attacker has been distributing malicious binaries signed with the official cert on the official website for nearly a month (and counting) would seem to indicate a pretty deep level of compromise. While Kaspersky observed the malicious software on thousands of machines, a handful of high-value targets appear to have been targeted for further exploitation:
Starting from early April, we observed several thousands of infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. […] However, the other backdoor payload, which is more complex, has been observed only on a dozen machines of government, scientific, manufacturing and retail organizations located in Russia, Belarus and Thailand. This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.
Software supply chain compromises have become increasingly common and high-profile. For example, the recent LiteLLM hack led directly to a massive data leak at Mercor, an AI training data company valued at $10 USD last year. The future of the once high-flying startup is now in question.
It is clear that the old model of basically trusting the software we install on our computers does not work. Doing due diligence on every piece of software you want to install is infeasible, since a single package can pull in numerous dependencies, which themselves have dependencies. While some solutions such as dependency cooldowns have been proposed, what we really need is a complete rethink of how we build and use the software ecosystem.
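As an added illustration of the "dependency cooldown" idea mentioned above (example code written for this post, not from the original author, Kaspersky, or any package manager), the script below checks every pinned version in a lockfile against the date the package index says that version was published, and refuses anything younger than a configurable number of days. The lockfile, the registry metadata and the "now" timestamp are all constructed inline so the check runs offline; in practice the registry dictionary would be filled from the index's metadata API.

```python
"""Dependency cooldown check (added example; constructed data, not real packages)."""
from datetime import datetime, timedelta, timezone

# Constructed lockfile: the exact versions a hypothetical project pins.
LOCKFILE = {
    "libalpha": "2.32.3",
    "libbeta": "12.5.1",
    "libgamma": "1.0.1",
}

# Constructed registry metadata: per-version publish timestamps in the shape a
# package index typically returns. None of these packages or dates are real.
REGISTRY = {
    "libalpha": {"2.32.3": "2026-01-10T12:00:00Z"},
    "libbeta": {"12.5.0": "2026-04-08T09:30:00Z", "12.5.1": "2026-05-02T15:10:00Z"},
    "libgamma": {"1.0.1": "2026-05-06T08:00:00Z"},
}

# Fixed evaluation time so the example is reproducible (constructed).
NOW = datetime(2026, 5, 8, tzinfo=timezone.utc)


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_cooldown(lockfile, registry, now, cooldown_days=14):
    """Return {package: reason} for every pinned version that fails the policy.

    A version passes only if the index has a publish timestamp for it and that
    timestamp is at least `cooldown_days` old relative to `now`. A package or
    version with no publish record fails closed: no timestamp, no evidence of
    age, so it is treated as too new to install.
    """
    cutoff = now - timedelta(days=cooldown_days)
    violations = {}
    for name, version in lockfile.items():
        published = registry.get(name, {}).get(version)
        if published is None:
            violations[name] = f"{version}: no publish record in index (failing closed)"
            continue
        published_at = parse_ts(published)
        if published_at > cutoff:
            age_days = (now - published_at).days
            violations[name] = (
                f"{version}: published {age_days} day(s) ago, "
                f"cooldown is {cooldown_days} day(s)"
            )
    return violations


def main():
    result = evaluate_cooldown(LOCKFILE, REGISTRY, NOW)
    if not result:
        print("all pinned versions satisfy the cooldown")
        return 0
    for name, reason in sorted(result.items()):
        print(f"BLOCKED {name} {reason}")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

The policy is deliberately conservative: a version the index cannot vouch for is blocked rather than waved through, and the cooldown is measured from the index's own publish timestamp, not from when the lockfile was last edited. A cooldown does not stop a compromise that went unnoticed for longer than the window (the DAEMON Tools installers were trojanized for roughly a month before being identified), so it is a delay that buys detection time, not a substitute for it.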
