Security researchers have uncovered a sophisticated supply chain attack targeting users of the popular disk imaging utility DAEMON Tools. According to multiple reports, several versions of the Windows installer were trojanized to drop a persistent backdoor, aimed specifically at high-value targets in the government, defense, and manufacturing sectors.
The attackers successfully breached the primary distribution servers of DAEMON Tools, replacing legitimate binaries with malicious ones that were signed with a stolen but valid certificate. This allowed the installers to bypass Windows SmartScreen and traditional antivirus detection for several days. Once executed, the installer would perform its standard disk imaging tasks while silently deploying a modular RAT (Remote Access Trojan) into the %AppData% directory.
Initial telemetry suggests that the backdoor remained dormant on consumer machines but activated upon detecting domain-joined environments or specific industrial control software (ICS). The malware utilized Multipath Reliable Connection (MRC)-like techniques to tunnel encrypted command-and-control (C2) traffic through legitimate cloud services (S3 and Azure Blobs), making it nearly impossible to block via DNS filtering.
This incident follows a disturbing trend of "software-as-a-vector" attacks. By targeting a utility used by engineers and IT administrators, the threat actors gained a foothold in air-gapped or highly restricted networks where ISO imaging is still a common task for legacy system maintenance. This mirrors the 3CX and SolarWinds breaches but with a focus on specialized industrial endpoints.
Security Operations Centers (SOCs) are advised to:

*.blob.core.windows.net originating from unsigned processes.

The DAEMON Tools attack serves as a stark reminder that even trusted, long-standing utilities can become liabilities if their supply chains are not rigorously audited.
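The surviving SOC advice above (flag connections to *.blob.core.windows.net from unsigned processes) and the article's note that the RAT lives under %AppData% can be turned into a simple hunting rule over endpoint network-connection events. The following is an added example, not tooling from the article or from any vendor; the key=value event format, the S3 host pattern and the sample events are constructed for illustration.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Cloud storage hosts the article names as C2 transport (Azure Blob and S3).
# The exact wildcard patterns are an assumption for this example.
CLOUD_C2_HOST_PATTERNS = ["*.blob.core.windows.net", "*.s3.amazonaws.com", "s3.amazonaws.com"]

# The article says the RAT is dropped under the user's %AppData% directory.
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    image: str
    dest: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one constructed 'key=value key=value' network event into a dict."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)


def is_cloud_c2_host(host):
    """True if the destination host matches one of the cloud storage patterns."""
    return any(fnmatch.fnmatchcase(host.lower(), p) for p in CLOUD_C2_HOST_PATTERNS)


def scan(lines):
    """Return findings for cloud-storage connections from unsigned or AppData-resident images."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if not is_cloud_c2_host(ev.get("dest", "")):
            continue  # traffic to other hosts is out of scope for this rule
        reasons = []
        if ev.get("signed", "").lower() != "true":
            reasons.append("unsigned process")
        if APPDATA_RE.search(ev.get("image", "")):
            reasons.append("image runs from AppData")
        if reasons:
            findings.append(Finding(n, ev.get("image", ""), ev["dest"], reasons))
    return findings


# Constructed sample events: only lines 2 and 4 should be flagged.
SAMPLE_EVENTS = [
    r"image=C:\Tools\VendorApp\app.exe signed=true dest=update.example.com",
    r"image=C:\Users\alice\AppData\Roaming\svchst.exe signed=false dest=storage1.blob.core.windows.net",
    r"image=C:\Tools\Backup\agent.exe signed=true dest=backup.blob.core.windows.net",
    r"image=C:\Users\bob\AppData\Local\Temp\sync.exe signed=true dest=data.s3.amazonaws.com",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"line {f.line_no}: {f.image} -> {f.dest} ({', '.join(f.reasons)})")
```

Signed, non-AppData processes talking to the same hosts (the third event) are deliberately not flagged, since legitimate backup and sync agents use these services; tune the patterns to the storage accounts your environment actually uses.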