Severity: HIGH - Trusted Software Turned Into a Weapon

Kaspersky researchers have confirmed a live supply chain attack targeting DAEMON Tools, one of the most widely used virtual disk and optical drive emulation utilities in the world. Attackers have compromised the official distribution pipeline, embedding a malicious payload inside legitimate installers that are served directly from the DAEMON Tools website and signed with valid digital certificates.

This is not a phishing link or a cracked software download. This is the real, official installer, cryptographically signed to pass security checks, delivering malware to unsuspecting users and organizations.

The Threat: What Happened

In a supply chain attack, adversaries do not target your organization directly. They compromise a trusted software vendor upstream and let that vendor's own distribution infrastructure deliver the payload for them. In this case, DAEMON Tools' official website became the attack vector.

Key facts confirmed by Kaspersky:

  • Malicious installers are served from the legitimate DAEMON Tools domain, not a lookalike site
  • Installers carry valid code-signing certificates, so Windows SmartScreen reputation and any control that trusts a signature on its own will pass them; detection has to come from behaviour and from published file hashes, not from the signature
  • The malicious payload is embedded directly inside the installer package, executing silently during what appears to be a normal software installation
  • The full scope of the payload (data exfiltration, remote access, ransomware staging) is still being analyzed

This attack follows the same playbook as the SolarWinds (2020) and 3CX (2023) supply chain compromises, in which trojanized, validly signed builds reached organizations through the vendor's own distribution channel and were run as trusted software.

Impact Assessment for East African Organizations

DAEMON Tools is commonly installed across IT departments, software development teams, and administrative workstations throughout East Africa. In Kenya, Ethiopia, Somalia, Uganda, and across the Horn of Africa, IT teams routinely use utilities like DAEMON Tools to mount ISO images for software deployment, OS installations, and license management - often without enterprise procurement controls or strict allowlisting policies.

Who is most at risk in our region:

  • Government IT departments (Kenya, Ethiopia, Somalia): Workstations used to manage national registries, tax systems, and citizen databases. A compromised endpoint in these environments can grant attackers access to sensitive citizen data and critical backend systems. This directly implicates Kenya's Data Protection Act 2019 obligations and Ethiopia's emerging data governance frameworks.
  • Banking and financial institutions: Banks operating under CBK (Central Bank of Kenya), National Bank of Ethiopia, and Central Bank of Somalia guidelines carry strict endpoint security obligations under PCI-DSS and local prudential regulations. A validly signed installer passes signature- and reputation-based endpoint controls and can establish persistent access to networks handling payment systems and SWIFT infrastructure.
  • Telecoms and critical infrastructure operators: IT administrators at power utilities and telecoms across the region regularly use disk mounting tools for system imaging and maintenance. Compromise of a single admin workstation in an OT-adjacent environment can cascade into operational disruption.
  • Software development firms and IT service providers: Developers using DAEMON Tools for ISO-based testing or software deployment workflows may unknowingly introduce this malware into client environments, creating a secondary supply chain risk specific to East Africa's growing tech ecosystem.

Immediate Actions - Do These Now

  • Audit all endpoints immediately: Identify every machine in your organization that has DAEMON Tools installed. Record installation dates, compute SHA-256 hashes of any installer files still on disk and of the installed binaries, and compare them against the indicators published by Kaspersky and the clean hashes published by the vendor. A valid Authenticode signature is not a clean indicator in this incident. Do not wait for your next scheduled vulnerability scan.
  • Block the DAEMON Tools installer domain at your perimeter: Temporarily prevent new downloads of DAEMON Tools from the official website until the vendor confirms the distribution pipeline has been secured and clean installers are re-published. If the vendor confirms the signing key itself was compromised, wait for the certificate to be revoked and replaced before trusting new builds.
  • Hunt for indicators of compromise (IOCs): If your SOC has EDR (Endpoint Detection and Response) capability, initiate a threat hunt now. Look for unusual child processes spawned from DAEMON Tools installer executables, unexpected outbound connections from the installer or the installed binaries, and new scheduled tasks or registry run keys created during or after installation. Without EDR, the process lineage only exists if process-creation auditing (Security event 4688) or Sysmon was already enabled.
  • Review your software allowlisting and procurement controls: This incident is a direct argument for enforcing application allowlisting using tools like Windows Defender Application Control (WDAC) or equivalent. Note the caveat: a publisher-based allow rule passes anything signed with the vendor's certificate, so if the attackers signed with that certificate the rule does nothing. Pin approved installers by hash, and distribute them from an internal package repository rather than from the vendor site. Certificate-based trust alone is no longer sufficient - this attack proves that.
  • Notify your incident response chain: If you find evidence of compromise, escalate immediately under your IR plan. Organizations in Kenya should be aware of reporting obligations to the National KE-CIRT/CC. Financial institutions must also assess disclosure timelines under CBK cybersecurity directives.
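The audit and hunt steps above, as one first-pass script for a Windows endpoint. This is an added example written for this advisory, not code from Kaspersky or the DAEMON Tools vendor. It assumes nothing about the payload: the known-bad hash list is an empty placeholder to be filled from Kaspersky's published indicators, the 30-day window and the `DAEMON|DTLite` file-name pattern are assumptions to adjust to the advisory, and the process-lineage section only returns results where Security 4688 auditing or Sysmon was already collecting.

```powershell
# Added example (editorial, not vendor or Kaspersky code): first-pass audit of a Windows
# endpoint for DAEMON Tools installers and for persistence created around install time.
# Run elevated. Nothing below is an indicator of compromise on its own.
$KnownBadSha256   = @()                       # assumption: populate from Kaspersky's published IOCs
$Since            = (Get-Date).AddDays(-30)   # assumption: widen to cover the compromise window
$InstallerPattern = 'DAEMON|DTLite'           # assumption: align with file names in the advisory

# 1. Installed product entries (per-machine 64/32-bit and per-user Uninstall keys)
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Write-Host '== Installed DAEMON Tools entries =='
Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher, InstallLocation |
    Format-Table -AutoSize

# 2. Installer binaries still on disk: SHA-256 plus Authenticode details.
#    'Valid' is expected even for trojanised builds in this incident, so the decision
#    rests on the hash match and the signer identity, not on the signature status.
Write-Host '== Installer files found =='
Get-ChildItem -Path 'C:\Users\*\Downloads', $env:TEMP, 'C:\Windows\Temp' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.exe' -and $_.Name -match $InstallerPattern } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTime
            Sha256     = $hash
            KnownBad   = ($KnownBadSha256 -contains $hash)
            SigStatus  = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
            CertFrom   = $sig.SignerCertificate.NotBefore   # a freshly issued cert deserves a second look
        }
    } | Format-List

# 3. Persistence: Run/RunOnce entries pointing at user-writable paths, and scheduled
#    tasks registered in the window (the task XML file carries a creation time even
#    when the task's own Date field is blank).
Write-Host '== Run keys pointing at user-writable locations =='
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\' } |
        ForEach-Object { "$key\$($_.Name) -> $($_.Value)" }
}

Write-Host "== Scheduled tasks registered since $Since =="
$taskRoot = "$env:SystemRoot\System32\Tasks"
Get-ChildItem -Path $taskRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $Since } |
    ForEach-Object {
        $xml = [xml](Get-Content -Path $_.FullName -Raw)
        [pscustomobject]@{
            Task    = $_.FullName.Substring($taskRoot.Length)
            Created = $_.CreationTime
            Command = ($xml.Task.Actions.Exec | ForEach-Object { "$($_.Command) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize

# 4. Process lineage: children of a DAEMON Tools installer. Needs process-creation
#    auditing (Security 4688) or Sysmon (event 1); otherwise this history lives only in EDR.
Write-Host '== Child processes of DAEMON Tools installers =='
$lineage = @()
$lineage += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?i)Creator Process Name:\s+\S*($InstallerPattern)" }
$lineage += Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "(?i)ParentImage:\s+\S*($InstallerPattern)" }
$lineage | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: a hash match against the published indicators is the strong signal, a valid signature means nothing here, and any Run key or task that points into AppData, Temp or ProgramData and was created around the installation date should go to the IR team with the host isolated.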

DRONGO Recommendation

Supply chain attacks defeat perimeter-only defenses by design. DRONGO's Managed SOC and Endpoint Threat Hunting service provides East African organizations with the behavioral detection and IOC intelligence needed to catch exactly this class of threat - before it becomes a breach. Our team is actively monitoring this campaign for regional indicators.

Is your organization protected? Request a free security assessment.