Supply‑Chain Attack Compromises Daemon Tools Installers, Infecting Users in 100+ Countries
What Happened — Attackers tampered with the official installers of Daemon Tools Lite (versions 12.5.0.2421 through 12.5.0.2434) and distributed the malicious binaries through the vendor’s website. The compromised packages first appeared in early April 2024. Most victims received a basic system‑information collector, while a handful of targeted organizations received a more advanced backdoor that deployed the Quic RAT implant.
Why It Matters for TPRM —
- Demonstrates the high risk of third‑party software supply‑chain compromises, even for widely‑used utility tools.
- Shows that attackers can use a “low‑profile” data collector to profile victims before rolling out sophisticated payloads.
- Highlights the need for continuous verification of software provenance and rapid patching of third‑party products.
Who Is Affected — Government, scientific research, manufacturing, retail, and education sectors across more than 100 countries; primarily users of the free Daemon Tools Lite version.
Recommended Actions —
- Instruct all vendors and internal users to upgrade to the latest Daemon Tools Lite release immediately.
- Verify installer integrity via hash comparison or signed binaries before deployment.
- Deploy endpoint detection to hunt for the “Quic RAT” backdoor and unknown startup components.
- Review third‑party risk controls for software distribution channels and enforce code‑signing policies.
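The version and hash checks recommended above, sketched as an inventory triage. This is an added example, not code from the original brief or the vendor; the host names, installer bytes, the version `99.0.0.1` and the pin table are constructed, and the pinned hashes are assumed to come from a channel independent of the download site.

```python
import hashlib
import hmac

# Affected build range as stated in the brief above (inclusive).
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)

def parse_version(text):
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so builds compare numerically."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields, got {text!r}")
    return parts

def is_affected(version_text):
    """True when the version lies inside the affected range from the brief."""
    return AFFECTED_LOW <= parse_version(version_text) <= AFFECTED_HIGH

def sha256_of(data):
    return hashlib.sha256(data).hexdigest()

def installer_matches_pin(data, pinned_hex):
    """Compare installer bytes with a hash pinned from an independent channel."""
    return hmac.compare_digest(sha256_of(data), pinned_hex.lower())

def triage(inventory, pins):
    """Return (host, version, reason) for every record that needs follow-up."""
    findings = []
    for rec in inventory:
        if is_affected(rec["version"]):
            findings.append((rec["host"], rec["version"], "affected-build"))
        elif not installer_matches_pin(rec["installer"], pins.get(rec["version"], "")):
            # Unknown version (no pin) or altered bytes: both fail closed.
            findings.append((rec["host"], rec["version"], "hash-mismatch"))
    return findings

# Constructed sample data: hosts, bytes and pins are placeholders, not real IoCs.
GOOD = b"constructed-clean-installer"
INVENTORY = [
    {"host": "ws-01", "version": "12.5.0.2421", "installer": b"x"},
    {"host": "ws-02", "version": "99.0.0.1", "installer": GOOD},
    {"host": "ws-03", "version": "99.0.0.1", "installer": b"tampered"},
    {"host": "ws-04", "version": "12.5.0.2434", "installer": GOOD},
]
PINS = {"99.0.0.1": sha256_of(GOOD)}

if __name__ == "__main__":
    for finding in triage(INVENTORY, PINS):
        print(finding)
```

A hash published on the same site that serves the installer gives no independent assurance when that site is the distribution point that was tampered with, which is why the pin table is kept separately.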
Technical Notes — Attack vector: supply‑chain compromise of installer binaries; no public CVE. Malware includes a lightweight information‑gathering module and a backdoor that loads the Quic RAT remote‑access tool. Chinese‑language strings suggest a Chinese‑speaking threat actor, though attribution remains unconfirmed. Source: The Record