Cybersecurity · 1 hr ago

Disc Soft Patches DAEMON Tools Lite Supply‑Chain Trojan in Under 12 Hours

DAEMON Tools Lite installers were trojanized; Disc Soft released a clean version 12.6 within 12 hours. Learn the impact and mitigation steps.

Peter Olaleru/3 min/NG

Cybersecurity Editor


DAEMON Tools Lite installers were compromised in a supply‑chain attack that infected users in over 100 countries; Disc Soft released a clean version 12.6 within 12 hours of discovery.

Context

Disc Soft Limited, the developer of the virtual‑drive utility DAEMON Tools Lite, confirmed that free‑version installers distributed from April 8 were trojanized. The malicious binaries were signed with the vendor’s certificate, allowing them to bypass basic trust checks.

Key Facts

- Attackers altered build‑environment packages, releasing compromised installers (versions 12.5.0.2421‑12.5.0.2434). When executed, the first‑stage payload collected system identifiers, running processes, installed software and locale, then sent the data to remote servers.
- Based on victim profiling, a second‑stage lightweight backdoor was delivered to a subset of machines. The backdoor could execute commands, download files and run code in memory, and in at least one case deployed the QUIC RAT, a tool that injects code into legitimate processes.
- Kaspersky observed infections across retail, scientific, government and manufacturing sectors in Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy and China. Thousands of systems were compromised.
- Disc Soft’s internal investigation identified unauthorized interference in its build infrastructure. The company limited the impact to the free Lite version; paid products (Lite Pro, Ultra, Pro) remained clean.
- Less than 12 hours after detection, Disc Soft issued version 12.6 (build 12.6.0.2445) from the official site, removed the trojanized files and added a warning prompting users to upgrade.
- Kaspersky confirmed the new version no longer exhibits malicious behavior.

What It Means

The incident demonstrates the risk of supply‑chain compromise even for widely used freeware. Attackers leveraged a trusted code‑signing certificate to distribute malware, a tactic catalogued as MITRE ATT&CK T1195 (Supply Chain Compromise). The rapid vendor response limited exposure, but the episode underscores the need for continuous integrity verification of software binaries.

Mitigations

- Uninstall any DAEMON Tools Lite version 12.5.x installed after April 8.
- Download version 12.6 only from the official Disc Soft website; verify the file’s hash against the vendor’s published checksum.
- Run a full system scan with up‑to‑date antivirus; quarantine any detected backdoor components.
- Enable application whitelisting or use Windows Defender Application Control to block unsigned or unexpected executables.
- Monitor network traffic for outbound connections to unknown IPs, especially over QUIC (UDP‑based) protocols.
- Apply the latest OS patches and consider deploying endpoint detection and response (EDR) solutions that can flag the ATT&CK techniques used (T1059 – Command Execution, T1105 – Ingress Tool Transfer).
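The first two mitigations can be scripted for a fleet. The following is an added example, not code from Disc Soft or Kaspersky: it triages a software inventory against the build numbers quoted above and checks an installer's SHA-256 against a published checksum. The CSV column names, host names and verdict labels are assumptions, and the build range is treated as inclusive.

```python
import csv, hashlib, hmac, io

# Build range and fixed build as stated in the article (range treated as inclusive).
BAD_LOW, BAD_HIGH = (12, 5, 0, 2421), (12, 5, 0, 2434)
FIXED = (12, 6, 0, 2445)

def parse_version(text):
    """'12.5.0.2421' -> (12, 5, 0, 2421); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields: {text!r}")
    return parts

def classify(version_text):
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparseable"          # never silently treat as clean
    if BAD_LOW <= v <= BAD_HIGH:
        return "trojanized-range"
    if v[:2] == (12, 5):
        return "uninstall-12.5.x"     # article: remove any 12.5.x installed after April 8
    if v >= FIXED:
        return "fixed"
    return "outside-range"

def triage(inventory_csv):
    """Return [(host, version, verdict)] for DAEMON Tools Lite rows only."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["version"], classify(r["version"]))
            for r in rows if r["product"].strip().lower() == "daemon tools lite"]

def sha256_matches(stream, published_hex, chunk=1 << 20):
    """Stream-hash an installer and compare with the vendor's published checksum."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return hmac.compare_digest(digest.hexdigest(), published_hex.strip().lower())

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,product,version
ws-01,DAEMON Tools Lite,12.5.0.2421
ws-02,DAEMON Tools Lite,12.5.0.2434
ws-03,DAEMON Tools Lite,12.5.0.2410
ws-04,DAEMON Tools Lite,12.6.0.2445
ws-05,DAEMON Tools Lite,12.5.x
ws-06,DAEMON Tools Pro,12.5.0.2430
"""
if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

Pass `sha256_matches` a file opened in binary mode and the checksum string copied from the vendor's site; a row marked `unparseable` needs manual review rather than being counted as clean.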

Looking Ahead

Watch for further disclosures from Disc Soft on the attack vector and any attribution to a specific threat group, as well as updates to code‑signing security practices across the software supply chain.
