A popular Windows utility is at the center of a new supply-chain warning

Kaspersky says it has identified a malicious backdoor inside Daemon Tools, the long-running Windows disc imaging application, in what the cybersecurity company describes as a widespread and still-active attack. Based on data gathered from computers running Kaspersky antivirus software, the company said the campaign has generated thousands of infection attempts and led to additional malware being deployed on at least a dozen compromised systems.

The case fits a pattern that security teams have become increasingly concerned about: attackers compromising trusted software distribution channels to reach a large number of downstream users at once. Instead of breaching each target individually, a supply-chain operation can turn an ordinary software installation or update into the initial access point.

What Kaspersky says it found

According to Kaspersky, the backdoor was first detected on April 8. The company linked the operation to a Chinese-language-speaking group based on its analysis of the malware. It said the malicious code in Daemon Tools was then used to install additional malware on selected victim machines.

Kaspersky described the broader activity as widespread, but it also said the follow-on compromises appear targeted. The affected organizations identified in that narrower set span retail, scientific and manufacturing sectors, as well as government systems. The company said those targeted organizations are located in Russia, Belarus and Thailand.

That distinction matters. A supply-chain compromise can cast a very wide net, but operators do not always pursue every infected machine equally. In this case, Kaspersky’s description suggests that broad exposure through a popular utility may have been used to identify or reach a smaller set of higher-value targets.

Why supply-chain attacks remain hard to contain

Supply-chain incidents are uniquely disruptive because they exploit trust. Users often assume software obtained from an official vendor site is safe, and administrators may allow-list well-known utilities or treat their installers as routine. Those assumptions are exactly what a compromised distribution channel defeats: the download comes from the expected place and can look like every previous version. Once malicious code is introduced into that path, defenders are forced to reassess not just a single machine but the integrity of the entire delivery channel, including any build or signing systems that fed it.

Kaspersky said the attack is still active, which raises the stakes for anyone who may have recently downloaded or installed the Windows version of Daemon Tools. TechCrunch reported that it downloaded the Windows installer from the Daemon Tools website and found that the file appeared to contain the backdoor when checked with VirusTotal. It remains unclear whether the macOS version was affected or whether other Disc Soft applications were compromised.

Vendor response and open questions

Kaspersky said it contacted Disc Soft, the company behind Daemon Tools, though it did not say whether the developer had initially responded or taken action. TechCrunch, citing a company representative, reported that Disc Soft is aware of the report and is investigating. The representative said the company was treating the matter as a high priority but was not yet in a position to confirm the specific details referenced in the report.

That leaves several important questions unresolved: how the malicious code was introduced, how long compromised installers were available, whether any signing or build systems were affected, and whether users outside the identified targeted countries were also exposed. Those answers will shape both the scope of the incident and the remediation steps that organizations need to take.

Part of a broader trend

The warning lands amid a run of recent attacks that have targeted developers or software distribution infrastructure to push malicious code downstream. Kaspersky framed the Daemon Tools case as the latest in a string of supply-chain incidents affecting popular software. The attraction for attackers is obvious: compromising a trusted software path can provide scale, persistence and plausible cover in a single move.

For defenders, the lesson is equally familiar. Reputation alone is not a sufficient security control, and software provenance checks need to extend beyond brand recognition. Enterprises that allow widely used utilities onto endpoints should verify any recent installations of Daemon Tools (which version, from where and when), record the hashes and signature status of any installer still on disk so they can be compared against vendor or Kaspersky guidance once it is published, hunt for follow-on malware activity on those hosts, and watch for further guidance from both Kaspersky and Disc Soft.
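The installer check TechCrunch describes above (hashing the downloaded file and looking it up on VirusTotal) and the endpoint verification step in the previous paragraph both come down to the same triage: find what is installed, find any installer still on disk, and record its hash and code-signing status. The PowerShell below is an added example written for this page, not a script from Kaspersky, TechCrunch or Disc Soft. It assumes the product registers itself under the standard Windows uninstall keys with a display name containing "DAEMON Tools", and that installers are kept under the user's Downloads folder with names matching `DTLite*.exe` or `*DAEMON*Tools*.exe`; adjust those patterns for your environment. It asserts no hashes or indicators, because none have been published in the reporting.

```powershell
# Added triage example (not from the original reporting). Inventories Daemon Tools
# installations on a Windows host and records hash + Authenticode status of any
# installer still on disk, so the values can be compared with vendor/Kaspersky guidance.
# Assumptions (not from the page): uninstall-key display name contains "DAEMON Tools";
# installers live under $env:USERPROFILE\Downloads and match the name patterns below.

function Invoke-DaemonToolsTriage {
    param(
        [string]$SearchRoot = "$env:USERPROFILE\Downloads",   # assumed download location
        [int]$DaysBack = 90,                                  # how far back to look for installers
        [string[]]$InstallerPatterns = @('DTLite*.exe', '*DAEMON*Tools*.exe')  # assumed names
    )

    # 1. Installed products: 64-bit, 32-bit (WOW6432Node) and per-user uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation

    # 2. Installer files written recently: hash them and check the Authenticode signature.
    $since = (Get-Date).AddDays(-$DaysBack)
    $installers = Get-ChildItem -Path $SearchRoot -Recurse -File -Include $InstallerPatterns `
                    -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        ForEach-Object {
            $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Written   = $_.LastWriteTime
                SHA256    = $hash.Hash            # value to look up on VirusTotal / compare with vendor hashes
                SigStatus = $sig.Status           # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        }

    [pscustomobject]@{
        Installed  = @($installed)
        Installers = @($installers)
    }
}

# Run the triage and keep a record alongside the console output.
$result = Invoke-DaemonToolsTriage
$result.Installed  | Format-Table -AutoSize
$result.Installers | Format-Table -AutoSize
$result.Installers | Export-Csv -Path "$env:TEMP\daemontools-triage.csv" -NoTypeInformation
```

Two caveats on reading the output. A `SigStatus` of `Valid` only proves the file was signed with a certificate Windows trusts; if the vendor's build or signing pipeline was itself compromised, which the reporting leaves open, a backdoored installer can carry a perfectly valid signature, so the hash still needs to be checked against whatever clean values Disc Soft or Kaspersky publish. And an empty installer list is not a clean bill of health: the installer may have been deleted after use, which is why the registry inventory and a hunt for follow-on activity on the host are the other two parts of the check.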

Until the investigation is clearer, the Daemon Tools incident stands as another reminder that one compromised installer can become the entry point for a much larger campaign.

This article is based on reporting by TechCrunch. Read the original article.

Originally published on techcrunch.com