Kaspersky Uncovers Chinese Hackers’ Backdoor in Daemon Tools: A Widespread Supply Chain Attack
Security researchers at Kaspersky have identified a malicious backdoor embedded in the popular Windows disc imaging software, Daemon Tools. This discovery marks a significant supply chain attack that compromises thousands of computers globally.
According to a Tuesday report from the Russian cybersecurity firm, data collected from systems running Kaspersky’s antivirus software reveals a “widespread” campaign targeting Windows machines that use Daemon Tools. The hackers, linked to a Chinese-speaking group based on malware analysis, used this backdoor to infiltrate a dozen high-value targets.
How the Chinese Hackers’ Daemon Tools Backdoor Works
Kaspersky’s investigation shows that the backdoor was first detected on April 8. The attackers used it to deploy additional malware on computers in the retail, scientific, and manufacturing sectors, as well as on government systems. Because only a subset of infected machines received this follow-on malware, Kaspersky describes the effort as “targeted,” with victims located in Russia, Belarus, and Thailand.
The company noted that the supply chain attack is “still active,” meaning the hackers can continue to plant malware on any system running the compromised software. This is a classic supply chain attack: malicious code is injected into a legitimate software release, and every user who downloads it is affected.
The Mechanics of the Daemon Tools Backdoor
When TechCrunch downloaded the Windows installer from Daemon Tools’ official website, a check with the online malware scanner VirusTotal confirmed the presence of the backdoor. It remains unclear whether the macOS version of Daemon Tools or other Disc Soft applications are affected.
Kaspersky contacted Disc Soft, the company behind Daemon Tools, but did not disclose whether the developer responded or took immediate action. The ongoing nature of the attack raises concerns about the security of software supply chains.
Why This Supply Chain Attack Matters
This incident is part of a growing trend of supply chain attacks targeting popular software. Earlier this year, Chinese government-associated hackers hijacked the text editing software Notepad++ to deliver malware. Similarly, security researchers warned of an attack on CPUID, maker of HWMonitor and CPU-Z tools.
Supply chain attacks are particularly dangerous because they allow hackers to compromise a large number of systems at once by inserting malicious code into trusted software updates. This approach exploits the trust users place in legitimate applications, making it harder to detect.
Response from Daemon Tools Developer Disc Soft
When contacted for comment, a Disc Soft representative stated they are “aware of the report and are currently investigating the situation.” The representative added, “Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users.”
This response indicates that Disc Soft is taking the threat seriously, but users should remain cautious. As the investigation unfolds, it is crucial for organizations using Daemon Tools to monitor for unusual activity and apply any security patches promptly.
What Users Should Do Now
If you use Daemon Tools on Windows, consider temporarily uninstalling the software until Disc Soft releases a clean update. Run a full antivirus scan with a reputable solution like Kaspersky or Malwarebytes to check for infections. Additionally, review your system for any signs of compromise, such as unexpected network traffic or new processes.
Organizations in the affected sectors should go further and conduct a thorough security audit. Strict software update policies and endpoint detection tools can help limit the damage from a compromised release.
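The steps above (hash the download, check its signature, find where the software is installed, and look for unfamiliar processes and connections) can be scripted. The PowerShell below is an added example written for this article; it is not code from Kaspersky, TechCrunch, or Disc Soft. The installer path is a placeholder you supply, the name match on the Uninstall registry keys is a generic pattern rather than a value from the report, and no file hashes or indicators from the Kaspersky analysis are included, since the article does not reproduce them.

```powershell
# Added triage example (not from the article, Kaspersky, or Disc Soft).
# Assumption: $InstallerPath is a placeholder path to a locally downloaded installer.

param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\daemon-tools-installer.exe"  # placeholder
)

# 1. Hash the installer so the hash (not the file) can be looked up on VirusTotal
#    or compared against indicators published in a vendor or Kaspersky advisory.
if (Test-Path -LiteralPath $InstallerPath) {
    $hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    Write-Output "SHA-256: $hash"

    # 2. Check the Authenticode signature. A missing or invalid signature on a vendor
    #    installer is a red flag. A valid signature does NOT prove the build is clean:
    #    a supply chain compromise can ship code signed with the vendor's own certificate.
    $sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    Write-Output ("Signature status: {0}; signer: {1}" -f $sig.Status, $signer)
} else {
    Write-Output "No installer at $InstallerPath; skipping file checks."
}

# 3. Find installed Daemon Tools entries via the standard Uninstall registry keys,
#    so you know which hosts need the uninstall-and-rescan step.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |   # generic name pattern, an assumption
    Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation, UninstallString
if ($installed) {
    Write-Output "Daemon Tools installations found:"
    $installed | Format-Table -AutoSize
} else {
    Write-Output "No Daemon Tools entry found in the Uninstall registry keys."
}

# 4. Snapshot processes that hold listening or established TCP connections, with their
#    image paths, so "new processes" and "unexpected network traffic" can be reviewed
#    against a known-good baseline from an uninfected host.
Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
            Path    = $proc.Path
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
        }
    } | Sort-Object Process | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM keys and other users' processes are readable. The output is meant to be compared, not judged in isolation: diff the process and connection list against a clean host, and treat the hash as a lookup key for VirusTotal or an advisory rather than uploading the installer itself.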
Finally, stay informed about the latest cybersecurity threats. Following trusted security blogs and subscribing to threat intelligence feeds can provide early warnings. As this story develops, we will update with more details from Kaspersky and Disc Soft.