
Disc Soft Patches DAEMON Tools Lite Supply‑Chain Breach, Issues Clean Version 12.6

Disc Soft fixed a trojanized DAEMON Tools Lite installer within 12 hours and released a clean version. Users must uninstall the compromised free version and upgrade.

Peter Olaleru/3 min/NG

Cybersecurity Editor


Disc Soft confirmed a supply‑chain attack that trojanized free DAEMON Tools Lite installers; a clean 12.6 release is now available and users must upgrade immediately.

Context

On May 5, Disc Soft Limited announced that its free DAEMON Tools Lite 12.5.1 installer had been compromised. The malicious binaries were distributed from the official website between April 8 and early May, affecting users in more than 100 countries. Kaspersky’s telemetry showed the trojanized files installed a two‑stage payload: an information stealer followed by a lightweight backdoor, with occasional deployment of the QUIC RAT remote‑access tool.

Key Facts

- The compromised installers (versions 12.5.0.2421‑12.5.0.2434) were digitally signed, allowing them to bypass basic trust checks. After execution, the first‑stage malware collected system identifiers, process lists, and installed software, then reported to attacker servers. Selected victims received a second‑stage backdoor capable of command execution, file download, and in‑memory code injection.
- Kaspersky observed infections across retail, scientific, government, and manufacturing sectors in Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, and China.
- Disc Soft’s internal investigation identified unauthorized interference in its build environment, leading to the release of the tainted packages. The company states that only the free version was affected; paid products (DAEMON Tools Pro, Ultra, and paid Lite) remain clean.
- Within 12 hours of discovery, Disc Soft built and published DAEMON Tools Lite 12.6 (build 12.6.0.2445) from a secured infrastructure. The new installer displays a warning for older versions and no longer contains malicious code.
- Users who installed the free version after April 8 are instructed to uninstall the software, run a full antivirus scan, and download the clean 12.6 release from the official site.

What It Means

The incident highlights the risk of supply‑chain compromise even for widely trusted utilities. Attackers leveraged a trusted code‑signing certificate to inject a backdoor, demonstrating that digital signatures alone do not guarantee safety. Organizations that rely on DAEMON Tools Lite for imaging or mounting ISO files should treat any system with the compromised installer as potentially breached and conduct thorough forensic analysis.

Mitigations

- Immediately uninstall DAEMON Tools Lite 12.5.1 or any version prior to 12.6.0.2445.
- Run a full system scan with up‑to‑date antivirus or endpoint detection and response (EDR) tools; look for indicators of compromise such as the information‑stealer payload hash or network traffic to known C2 domains.
- Deploy detection signatures for the first‑stage stealer and the QUIC RAT backdoor; many vendors have released YARA rules and IDS signatures following Kaspersky’s advisory.
- Review logs for unexpected scheduled tasks or registry run keys that could indicate persistence mechanisms.
- Verify code‑signing certificates used by third‑party installers; consider implementing a whitelist that only allows binaries signed by vetted publishers.
- For enterprises, isolate any machine that ran the compromised installer until it can be fully remediated and re‑imaged.
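To apply the version guidance above across a fleet, the following Python example (added here; not code from Disc Soft or Kaspersky) triages a software-inventory export against the build numbers quoted in this article. The CSV column names `host`, `product` and `version` and every sample row are assumptions constructed for illustration, and the check cannot tell a free Lite licence from a paid one.

```python
import csv
import io

# Version boundaries quoted in the article.
TROJANIZED_LOW = (12, 5, 0, 2421)
TROJANIZED_HIGH = (12, 5, 0, 2434)
NAMED_RELEASE = (12, 5, 1)          # release the article names as compromised
CLEAN_BUILD = (12, 6, 0, 2445)

def parse_version(text):
    """Return a 4-part integer tuple, or None for anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(product, version):
    """Map one inventory row to a triage status."""
    if "daemon tools lite" not in product.lower():
        return "not-applicable"      # Pro and Ultra are not affected per the article
    v = parse_version(version)
    if v is None:
        return "review-manually"     # unparseable version: do not assume it is clean
    if TROJANIZED_LOW <= v <= TROJANIZED_HIGH or v[:3] == NAMED_RELEASE:
        return "trojanized-build"    # isolate, investigate, re-image
    if v < CLEAN_BUILD:
        return "below-clean-build"   # uninstall, scan, install 12.6
    return "ok"

def triage(csv_text):
    """Return (host, version, status) for every DAEMON Tools Lite row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["product"], row["version"])
        if status != "not-applicable":
            results.append((row["host"], row["version"], status))
    return results

# Constructed sample inventory (hosts and rows are invented for the example).
SAMPLE = """host,product,version
ws-014,DAEMON Tools Lite,12.5.0.2430
ws-022,DAEMON Tools Lite,12.6.0.2445
ws-031,DAEMON Tools Lite,12.4.0.2100
ws-040,DAEMON Tools Pro,8.3.1.0811
ws-057,DAEMON Tools Lite,12.5.1
ws-063,DAEMON Tools Lite,unknown
"""
```

Calling `triage(SAMPLE)` returns one tuple per DAEMON Tools Lite host; rows whose version cannot be parsed are sent to manual review instead of being treated as clean.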

What to Watch Next

Monitor Disc Soft’s forthcoming technical bulletin for details on the attack vector and any additional hardening steps for its build pipeline.
