
DAEMON Tools Lite Trojanized in Supply Chain Attack, Vendor Releases Clean Version

DAEMON Tools logo centered over two overlapping application windows, one in blue and one in red, representing a compromised and clean version of software in a supply chain attack scenario.

Disc Soft, the developer behind DAEMON Tools, has confirmed that its widely used DAEMON Tools Lite software was compromised in a supply chain attack, resulting in trojanized installers being distributed to users.

The company stated that unauthorized interference within its infrastructure led to modified installation packages being released in a compromised state. The issue was identified and addressed within hours, with a clean version, DAEMON Tools Lite 12.6, released on May 5.

At the time of publication, no threat actor has been publicly attributed to the attack, and the initial access vector remains undisclosed.

Compromised installers distributed from official source

The trojanized versions, identified as builds ranging from 12.5.0.2421 to 12.5.0.2434, were reportedly available for download from the official DAEMON Tools website beginning April 8. This indicates that the attack targeted the software supply chain directly rather than relying on third-party distribution channels.

Disc Soft confirmed that only the free version of DAEMON Tools Lite was affected. Paid versions, including DAEMON Tools Pro and DAEMON Tools Ultra, were not impacted according to the company’s current investigation.

Malware chain enabled profiling and persistent access

Security researchers identified that the compromised installers deployed a multi-stage malware payload upon execution. The first stage acted as an information stealer, collecting system-level data such as hostname, MAC address, installed software, running processes, and system locale.

This data was transmitted to attacker-controlled infrastructure, allowing operators to profile infected systems. Based on this profiling, selected victims received a second-stage payload consisting of a lightweight backdoor capable of executing commands, downloading files, and running code in memory.

In at least one observed case, attackers deployed QUIC RAT, a remote access tool capable of injecting malicious code into legitimate processes and communicating over multiple protocols.

Global impact across individuals and organizations

The campaign affected thousands of systems across more than 100 countries. Victims included both individual users and organizations spanning sectors such as retail, government, manufacturing, and scientific research.

Geographic impact included infections identified in Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, and China, highlighting the broad reach of the compromised distribution channel.

Vendor response and remediation steps

Disc Soft stated it secured its infrastructure and removed all compromised packages from distribution. The company emphasized that DAEMON Tools Lite version 12.6.0.2445 no longer contains malicious code and is safe to install.

Users who downloaded or installed DAEMON Tools Lite version 12.5.1 or related builds since April 8 are advised to:

  • Uninstall the affected software immediately
  • Perform a full system scan using trusted security tools
  • Install the latest clean version from the official website
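For teams that need to act on the advice above across a fleet rather than on one machine, the triage logic below is an added example (not Disc Soft's code or tooling) that classifies DAEMON Tools Lite installs by version. It keys on the build numbers the article gives (12.5.0.2421 to 12.5.0.2434 trojanized, 12.6.0.2445 clean) rather than on the installer's digital signature, since the compromised packages were signed and distributed from the official site. The inventory records, host names and the version numbers for the non-Lite and older entries are constructed sample data; the optional Windows registry reader assumes the standard Uninstall keys and simply returns nothing on other platforms.

```python
"""Triage DAEMON Tools Lite installs against the compromised build range.

Added illustration, not vendor code. Affected and clean build numbers come
from the public advisory; everything in SAMPLE_INVENTORY is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

AFFECTED_PRODUCT = "DAEMON Tools Lite"
AFFECTED_LOW = (12, 5, 0, 2421)   # first trojanized build reported
AFFECTED_HIGH = (12, 5, 0, 2434)  # last trojanized build reported
CLEAN_VERSION = (12, 6, 0, 2445)  # first build the vendor calls clean


@dataclass(frozen=True)
class InstalledApp:
    host: str
    name: str
    version: str


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); short strings pad with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:4]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)  # type: ignore[return-value]


def classify(app: InstalledApp) -> str:
    """affected: inside the trojanized range; clean: at or past the fixed build;
    review: any other DAEMON Tools Lite build older than the clean release
    (the vendor tells users who installed since April 8 to reinstall)."""
    if app.name != AFFECTED_PRODUCT:
        return "not-in-scope"
    v = parse_version(app.version)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v >= CLEAN_VERSION:
        return "clean"
    return "review"


def triage(inventory: list[InstalledApp]) -> dict[str, str]:
    """Map host -> verdict for every DAEMON Tools Lite install in the inventory."""
    verdicts = {}
    for app in inventory:
        verdict = classify(app)
        if verdict != "not-in-scope":
            verdicts[app.host] = verdict
    return verdicts


def hosts_needing_action(inventory: list[InstalledApp]) -> list[str]:
    """Hosts that should uninstall, scan and reinstall the clean build."""
    return sorted(h for h, v in triage(inventory).items() if v in ("affected", "review"))


def read_windows_inventory(host: str = "localhost") -> list[InstalledApp]:
    """Read DisplayName/DisplayVersion from the Windows Uninstall keys.
    Returns an empty list where winreg is unavailable (non-Windows)."""
    try:
        import winreg
    except ImportError:
        return []
    paths = [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    ]
    found: list[InstalledApp] = []
    for root in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in paths:
            try:
                key = winreg.OpenKey(root, path)
            except OSError:
                continue
            with key:
                i = 0
                while True:
                    try:
                        sub_name = winreg.EnumKey(key, i)
                    except OSError:
                        break  # no more subkeys
                    i += 1
                    try:
                        with winreg.OpenKey(key, sub_name) as sub:
                            name, _ = winreg.QueryValueEx(sub, "DisplayName")
                            version, _ = winreg.QueryValueEx(sub, "DisplayVersion")
                    except OSError:
                        continue  # entry lacks one of the values
                    found.append(InstalledApp(host, str(name), str(version)))
    return found


# Constructed sample inventory; host names and the Pro/older versions are invented.
SAMPLE_INVENTORY = [
    InstalledApp("ws-017", "DAEMON Tools Lite", "12.5.0.2421"),
    InstalledApp("ws-023", "DAEMON Tools Lite", "12.5.0.2434"),
    InstalledApp("ws-031", "DAEMON Tools Lite", "12.6.0.2445"),
    InstalledApp("ws-040", "DAEMON Tools Lite", "12.4.0.0"),
    InstalledApp("ws-052", "DAEMON Tools Pro", "9.0.0.0"),
    InstalledApp("ws-058", "DAEMON Tools Lite", "12.5.1"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
    print("action needed:", hosts_needing_action(SAMPLE_INVENTORY))
```

Feeding `read_windows_inventory()` into `triage()` on a Windows host gives the same verdicts for what is actually installed; on a fleet, replace the sample list with whatever your asset inventory exports. A "review" verdict deliberately catches builds the advisory does not name precisely (the article itself refers to both the 12.5.0.24xx range and "12.5.1 or related builds"), so those hosts get a human look rather than being silently treated as safe.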

The company has also implemented warnings for users attempting to install outdated or unsupported versions, prompting them to upgrade to the patched release.

Supply chain compromise highlights persistent risk

This incident underscores the ongoing risk of software supply chain attacks, where trusted distribution mechanisms are compromised to deliver malware at scale. Similar attack patterns have been observed in prior incidents, including the Axios library supply chain attack, the Cisco Trivy supply chain compromise, and TeamPCP’s supply chain attack targeting developer environments.

By leveraging digitally signed installers from an official source, attackers were able to bypass traditional security expectations and infect systems without raising immediate suspicion.

The lack of attribution and limited technical disclosure leaves open questions about how attackers gained access to the build environment and whether additional safeguards are needed across similar software distribution pipelines.

As investigations continue, the incident serves as a reminder that even widely trusted tools can become vectors for compromise when development or release infrastructure is breached.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
