Millions of people who trusted Daemon Tools to manage virtual disk images on their computers were unknowingly running malware for an entire month.
The widely used disk-management software became the vehicle for a supply-chain attack that exploited the update mechanism itself—the very system users rely on to patch vulnerabilities and stay secure. Between the compromised updates and the discovery of the backdoor, attackers had a window to silently infiltrate machines across the globe, potentially capturing sensitive data or establishing persistent access to infected systems.
- The Attack Window: Daemon Tools’ update infrastructure remained compromised for an entire month before detection.
- The Trust Exploit: Users following security best practices by installing updates actually received malware through legitimate channels.
- The Detection Gap: Standard antivirus tools cannot identify supply-chain attacks that arrive through trusted update mechanisms.
Daemon Tools, a legitimate and popular application used by millions to mount and manage ISO files and virtual disks, had its update infrastructure compromised. Rather than users downloading malware from a phishing link or visiting a fake website, the malicious code arrived through the normal update process—making it nearly impossible for ordinary users to detect without specialized security tools.
The monthlong duration of the attack is particularly significant. Unlike a brief, quickly patched vulnerability, this window allowed the backdoor to spread widely before detection. Every user who updated their Daemon Tools installation during this period received the malicious version. Security researchers eventually identified the compromise, but by then the damage—in terms of potential infections and data exposure—was already done.
Why Are Supply-Chain Attacks So Effective?
Supply-chain attacks like this one represent a fundamental shift in how cybercriminals target large populations. Rather than attacking individual users or companies directly, attackers compromise the software or services that millions of people depend on. When successful, a single compromise can affect far more people than traditional hacking methods. The Daemon Tools attack demonstrates how effective this strategy can be: the software’s legitimate reputation and automatic update mechanism became weapons against its own user base.
According to research published in PMC, security improvements in the software supply chain specifically address challenges seen in major attacks like SolarWinds, where update mechanisms become the primary attack vector. The SolarWinds hack demonstrated how attackers can weaponize trusted software distribution channels to reach thousands of organizations simultaneously.
- Single compromised update can reach millions of users instantly
- Detection typically takes weeks or months after initial compromise
- Standard security tools fail to identify legitimate-appearing malicious updates
The attack also highlights a painful reality for security: even users who follow best practices—keeping software updated, using trusted applications, maintaining their systems—can still be compromised. Daemon Tools users who diligently installed updates were actually installing malware, through no fault of their own. This puts the burden of detection and remediation on individual users rather than on the companies whose infrastructure was breached.
How Can You Tell If Your System Was Compromised?
For anyone who uses or used Daemon Tools, the immediate concern is whether their machine was infected during the compromised update window. Infections from supply-chain attacks like this can range from data-stealing malware to remote-access trojans that give attackers ongoing control of a system. Some variants establish persistence, meaning they continue running even after a reboot or software reinstall.
Security researchers have identified the backdoor and published technical details about how it operated. The next step for affected users is determining whether their systems were compromised and, if so, removing the malware completely. This is not a simple task for non-technical users—malware from supply-chain attacks is often designed to hide from standard antivirus scans and system tools.
Recent attacks have shown how remote-access software can be weaponized against organizations, with attackers maintaining persistent access for months before detection.
What Makes Software Updates Vulnerable to Attack?
The incident raises hard questions about how software distribution and update mechanisms can be better secured. Daemon Tools users had no way to verify that their update was legitimate before installing it. Code-signing certificates—digital signatures that prove software comes from the claimed publisher—can help, but they are not foolproof. Attackers who gain access to a company’s signing infrastructure or certificates can create updates that appear completely legitimate.
Analysis by ScienceDirect demonstrates that during compromise periods, client projects cannot update vulnerable dependencies because legitimate security patches become unavailable while malicious versions circulate through official channels.
- Software supply-chain attacks exploit the trust relationship between vendors and users
- Code-signing certificates can be compromised alongside update infrastructure
- Detection relies on behavioral analysis rather than signature-based security tools
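As an added illustration (not code from the original article or from Daemon Tools), the Go program below shows the kind of check described above: the client pins the publisher's Ed25519 public key, verifies a signed update manifest, and compares the downloaded installer's SHA-256 against the signed value before anything runs. The key pair, manifest format and installer bytes are constructed for the example; the final case shows the caveat that a stolen publisher signing key defeats the check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor: what a client fetches alongside the installer.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the installer bytes
	Sig     []byte // publisher signature over Version + "\n" + SHA256
}

func manifestBytes(m Manifest) []byte { return []byte(m.Version + "\n" + m.SHA256) }
// SignManifest is the publisher side; the private key should live offline, not on the update server.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) Manifest {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the client side: pinned-key signature check first, then installer hash check.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, installer []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m), m.Sig) {
		return errors.New("manifest not signed by pinned publisher key")
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash differs from signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what ships pinned inside the client
	good, bad := []byte("constructed installer v1.0"), []byte("constructed trojanized installer")
	m := SignManifest(priv, "1.0", good)
	fmt.Println("genuine update:        ", VerifyUpdate(pub, m, good))
	fmt.Println("swapped installer:     ", VerifyUpdate(pub, m, bad)) // server compromise, key intact
	_, attacker, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("attacker-signed update:", VerifyUpdate(pub, SignManifest(attacker, "1.1", bad), bad))
	// The caveat from the text: if the publisher's own signing key is stolen, this check passes.
	fmt.Println("stolen-key update:     ", VerifyUpdate(pub, SignManifest(priv, "1.1", bad), bad))
}
```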
For users who rely on Daemon Tools, the immediate action is to scan their systems with reputable security software, particularly tools designed to detect rootkits and persistent malware. Checking system logs for unusual activity, reviewing installed programs for unfamiliar software, and monitoring network connections for suspicious outbound traffic are also recommended steps. If a machine was infected, a full system backup should not be trusted, as the malware may have been included in the backup itself.
This attack also underscores why security researchers and antivirus companies maintain databases of known compromised software versions. Services like VirusTotal and haveibeenpwned track breaches and compromised files, allowing users to verify whether specific software versions they downloaded were malicious. The Checkmarx GitHub leak illustrates how even security companies themselves can become targets in supply-chain attacks.
The Daemon Tools backdoor will likely become a case study in how supply-chain attacks work and why they are so effective. For the millions of users who installed updates during the compromised window, it’s a stark reminder that trust in software vendors, while necessary, is not sufficient protection on its own. The attack succeeded precisely because users did everything right—they updated their software.
