Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version.
In a statement published earlier today, Disc Soft says it has secured its infrastructure. Still, it has yet to attribute the attack to a specific threat actor or share additional information about the breach, including the attack vector used to access its systems, as it continues to investigate the incident.
“Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5.” the company said.
“Users of other DAEMON Tools products, including paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro are not affected by this incident and can continue using their software as usual.”
Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) since April 8 are advised to uninstall the app, run a full system scan using security or antivirus software, and install the latest version of DAEMON Tools Lite (12.6) from the official website.
Disc Soft has removed the trojanized version, which is no longer supported, and now displays a warning prompting users to install the latest version of DAEMON Tools Lite.
As cybersecurity company Kaspersky revealed on Tuesday, hackers trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems from more than 100 countries that downloaded the software from the official website since April 8.
After the unsuspecting users executed the digitally signed trojanized installers (versions ranging from 12.5.0.2421 to 12.5.0.2434), the malicious code embedded in the compromised binaries deployed a payload designed to establish persistence and activate a backdoor on system startup.
The first-stage malware dropped in the attack was a basic information stealer that collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on the results, some of the infected systems received a second stage, a lightweight backdoor that can execute commands, download files, and run code directly in memory.
In at least one case, Kaspersky observed the deployment of a QUIC RAT malware, which can inject malicious code into legitimate processes and supports multiple communication protocols.
While investigating the attack, Kaspersky found that retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand, as well as home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, were among the victims whose devices were infected with malicious payloads.
Today, in an update to the original report, the Russian cybersecurity company confirmed that DAEMON Tools Lite 12.6.0, released yesterday, no longer exhibits malicious behavior.
“Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it,” Kaspersky said. “The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior.”
BleepingComputer contacted Disc Soft several times regarding the incident, but we have not yet received a response.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
