Full Report
Researchers at Securelist by Kaspersky disclosed an ongoing supply chain attack targeting the official website of the widely... The post Kaspersky uncovers targeted DAEMON Tools supply chain attack affecting manufacturing, government sectors appeared first on Industrial Cyber.
Analysis Summary
# Incident Report: Targeted DAEMON Tools Supply Chain Attack
## Executive Summary
A sophisticated supply chain attack targeted the official website of DAEMON Tools, distributing trojanized software installers signed with legitimate digital certificates. While thousands of systems were globally infected with an initial information collector, the threat actor—identified as likely Chinese-speaking—selectively deployed advanced backdoors to a dozen high-value targets in the government, manufacturing, and scientific sectors. The campaign was remediated following disclosure to the vendor, resulting in a clean software update.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** April 8, 2026 – May 6, 2026
- **Affected Organization:** AVB Disc Soft (DAEMON Tools) and its global user base
- **Sector:** Software (attack vector); Manufacturing, Government, Science, Retail (targeted sectors)
- **Geography:** Global (100+ countries); Backdoor targets specifically in Russia, Belarus, and Thailand.
## Timeline of Events
### Initial Access
- **Date/Time:** April 8, 2026
- **Vector:** Supply Chain Compromise
- **Details:** Attackers compromised the legitimate DAEMON Tools website to distribute trojanized versions of the software (v12.5.0.2421 to 12.5.0.2434). The installers carried valid digital signatures from AVB Disc Soft.
### Lateral Movement
- **Details:** Following initial infection via the installer, the attackers used an "information collector" payload to profile compromised systems and identify high-value targets for further exploitation.
### Data Exfiltration/Impact
- **Details:** Thousands of machines received an information-gathering payload. A refined subset (approx. 12 organizations) received a complex second-stage backdoor capable of full system control and potential data exfiltration.
### Detection & Response
- **May 2026:** Kaspersky researchers identified the compromised installers and alerted AVB Disc Soft.
- **May 5, 2026:** Kaspersky updated KEDR Expert and MDR services with detection rules.
- **May 6, 2026:** AVB Disc Soft released version 12.6.0.2445 (a clean version) and Kaspersky deployed NDR/KATA detection for the malicious traffic.
## Attack Methodology
- **Initial Access:** Supply chain compromise of legitimate software distribution infrastructure.
- **Persistence:** Trojanized binaries established within the software installation directory.
- **Defense Evasion:** Use of legitimate digital certificates to bypass signature-based security controls.
- **Discovery:** Automated "Information Collector" used to filter for high-value targets based on system data.
- **Lateral Movement:** Selective deployment of a second-stage backdoor.
- **Impact:** Potential cyberespionage or "big game hunting" (financial extortion), though final intent remains under investigation.
## Impact Assessment
- **Financial:** Unknown; potential for high-value ransomware or intellectual property theft.
- **Data Breach:** Information collection from thousands of users; deep access into 12 targeted organizations.
- **Operational:** Disruption of secure supply chains; requirement for emergency patching of disk imaging software.
- **Reputational:** High impact to AVB Disc Soft due to the compromise of their signing certificates and official distribution channel.
## Indicators of Compromise
- **Network:** [Defanged traffic patterns and C2 communication monitored by Kaspersky KATA/NDR]
- **File:** DAEMON Tools Installer versions 12.5.0.2421 through 12.5.0.2434.
- **Behavioral:** Execution of unsigned or anomalous sub-processes from the `DAEMON Tools Lite` directory; unexpected outbound connections.
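The behavioral indicator above can be turned into a simple hunting rule over EDR telemetry. The following Python is an added example written for this report, not code from Kaspersky, AVB Disc Soft or any security product: it flags (a) child processes spawned by anything running from the `DAEMON Tools Lite` directory that are unsigned or outside a small expected-children list, and (b) outbound connections from that directory to hosts not on an allow-list. The install path, the executable names, the allow-lists and all sample events are constructed assumptions to be replaced with values from a clean baseline in your own environment.

```python
"""Hunting rule for anomalous children and outbound traffic from a trusted install directory.

Added example for this incident report; not vendor or Kaspersky code.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Set

# Install directory named in the report's behavioral indicator. The exact path is an assumption.
WATCHED_DIR = PureWindowsPath(r"C:\Program Files\DAEMON Tools Lite")

# Hypothetical allow-lists: build them from a known-clean baseline of the application.
EXPECTED_CHILDREN: Set[str] = {"msiexec.exe"}
ALLOWED_HOSTS: Set[str] = {"update.vendor-example.test"}  # constructed placeholder hostname


@dataclass
class ProcessEvent:
    parent_image: str
    child_image: str
    child_signed: bool  # as reported by the EDR's signature verification


@dataclass
class NetworkEvent:
    image: str
    dest: str  # "host:port" as recorded by the sensor


def under_watched_dir(image_path: str) -> bool:
    """True when the image lives below WATCHED_DIR (Windows paths compare case-insensitively)."""
    return WATCHED_DIR in PureWindowsPath(image_path).parents


def triage_process(ev: ProcessEvent) -> Optional[str]:
    """Return an alert string for a suspicious child of a DAEMON Tools process, else None."""
    if not under_watched_dir(ev.parent_image):
        return None
    child_name = PureWindowsPath(ev.child_image).name.lower()
    if not ev.child_signed:
        # Trojanized helpers dropped into the install directory would surface here even
        # though the parent installer itself carried a valid vendor signature.
        return f"unsigned child {child_name} spawned by {ev.parent_image}"
    if child_name not in EXPECTED_CHILDREN and not under_watched_dir(ev.child_image):
        return f"unexpected child {child_name} spawned by {ev.parent_image}"
    return None


def triage_network(ev: NetworkEvent, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Optional[str]:
    """Return an alert string for an outbound connection to a host outside the allow-list."""
    if not under_watched_dir(ev.image):
        return None
    host = ev.dest.rsplit(":", 1)[0]
    if host not in allowed_hosts:
        return f"outbound connection from {ev.image} to {ev.dest} not in allow-list"
    return None


def hunt(process_events: List[ProcessEvent], network_events: List[NetworkEvent]) -> List[str]:
    """Run both rules and collect every alert, process alerts first."""
    alerts = [a for a in (triage_process(e) for e in process_events) if a]
    alerts += [a for a in (triage_network(e) for e in network_events) if a]
    return alerts


# Constructed sample telemetry (not real events from the incident).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Program Files\DAEMON Tools Lite\setup.exe", r"C:\Windows\System32\msiexec.exe", True),
    ProcessEvent(r"c:\program files\daemon tools lite\setup.exe", r"C:\Program Files\DAEMON Tools Lite\helper.exe", False),
    ProcessEvent(r"C:\Program Files\DAEMON Tools Lite\setup.exe", r"C:\Windows\System32\cmd.exe", True),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\other.exe", r"C:\Windows\System32\cmd.exe", True),
]
SAMPLE_NETWORK_EVENTS = [
    NetworkEvent(r"C:\Program Files\DAEMON Tools Lite\setup.exe", "update.vendor-example.test:443"),
    NetworkEvent(r"C:\Program Files\DAEMON Tools Lite\setup.exe", "203.0.113.10:443"),  # TEST-NET-3 placeholder
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print("ALERT:", alert)
```

The second rule deliberately keys on the parent's install directory rather than on a signature check, because in this campaign a valid AVB Disc Soft signature was exactly what let the installers through.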
## Response Actions
- **Containment:** Vendor removed trojanized files from the official website.
- **Eradication:** Release of clean software version 12.6.0.2445.
- **Recovery:** Public disclosure and issuance of detection signatures for security products to identify and remove existing infections.
## Lessons Learned
- **Trust Maturity:** Legitimate digital signatures are not a guarantee of security; supply chains remain a primary blind spot.
- **Targeting Nuance:** Widespread "spray-and-pray" initial infections are often precursors to highly surgical, quiet second-stage operations.
- **Verification:** Organizations should implement integrity checks and monitor the behavior of even "trusted" third-party software updates.
## Recommendations
- **Binary Monitoring:** Use EDR/MDR solutions to monitor for unusual child processes spawned by trusted applications.
- **Software Integrity:** Implement hash verification for all installers downloaded from the internet, cross-referencing with known clean baselines.
- **Network Segmentation:** Ensure that highly sensitive sectors (Government/Manufacturing) isolate workstations used for general-purpose utility software from critical production networks.
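The software-integrity recommendation above, and the version range listed under Indicators of Compromise, can be enforced at download time before an installer is ever executed. The Python below is an added example for this report, not code from the vendor or from Kaspersky: it rejects any installer whose version falls in the trojanized range 12.5.0.2421 through 12.5.0.2434 (inclusive), refuses to run anything for which no out-of-band hash baseline exists, and compares the SHA-256 of the downloaded bytes against that baseline. The baseline dictionary and the installer bytes are constructed stand-ins; real baselines come from the vendor's published hashes or a verified clean copy, never from the same download page.

```python
"""Installer version-range and hash-baseline check (added example, not vendor or Kaspersky code)."""
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Inclusive range of trojanized DAEMON Tools installer versions named in the report,
# and the clean release that replaced them.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
CLEAN_VERSION = (12, 6, 0, 2445)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse a four-part version string into a comparable tuple; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, build = (int(p) for p in m.groups())
    return (major, minor, patch, build)


def is_affected_version(text: str) -> bool:
    """True when the version lies inside the trojanized range (inclusive on both ends)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_installer(version: str, data: bytes, expected_sha256: Optional[str]) -> str:
    """Classify an installer before it is allowed to run.

    Returns one of:
      "affected-version" - version is inside the range the report flags as trojanized
      "no-baseline"      - nothing to compare against; hold until a hash is obtained out of band
      "hash-mismatch"    - bytes differ from the recorded clean baseline
      "ok"               - version outside the bad range and hash matches the baseline

    A valid Authenticode signature is deliberately not treated as sufficient: the installers
    in this incident were signed with the vendor's own legitimate certificate.
    """
    if is_affected_version(version):
        return "affected-version"
    if expected_sha256 is None:
        return "no-baseline"
    if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
        return "hash-mismatch"
    return "ok"


# Constructed stand-ins for installer bytes and for an out-of-band hash baseline.
CLEAN_BYTES = b"constructed clean installer 12.6.0.2445"
TAMPERED_BYTES = CLEAN_BYTES + b"\x00constructed trojanized payload"
BASELINE = {"12.6.0.2445": sha256_hex(CLEAN_BYTES)}


def check_download(version: str, data: bytes) -> str:
    """Look up the baseline for this version and classify the download."""
    return check_installer(version, data, BASELINE.get(version))


if __name__ == "__main__":
    for ver, blob in [("12.5.0.2434", CLEAN_BYTES), ("12.6.0.2445", CLEAN_BYTES),
                      ("12.6.0.2445", TAMPERED_BYTES), ("12.6.0.2446", CLEAN_BYTES)]:
        print(ver, check_download(ver, blob))
```

The version check runs first so that a known-bad build is rejected even when someone has (wrongly) recorded its hash as a baseline; the "no-baseline" verdict is a hold, not a pass, which is what keeps a freshly published but unverified build from slipping through.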