VYPR
breachPublished May 6, 2026· Updated May 17, 2026· 3 sources

DAEMON Tools Compromised in Global Supply Chain Attack

Disc Soft Limited has confirmed that its DAEMON Tools Lite software was compromised in a supply chain attack that distributed signed, trojanized installers to thousands of users globally.

Disc Soft Limited, the developer of the popular disk imaging software DAEMON Tools, has confirmed a supply chain attack that resulted in the distribution of trojanized installers via its official website. The compromise, which began around April 8, 2026, affected multiple releases of the free DAEMON Tools Lite version, specifically versions 12.5.0.2421 through 12.5.0.2434 BleepingComputer The Record.

The attack involved the unauthorized modification of three core binaries within the installation package: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe Help Net Security. These malicious files were signed with Disc Soft’s legitimate digital certificates, allowing them to bypass standard security warnings and appear trustworthy to users Help Net Security. Once executed, the trojanized installers deployed a .NET-based information stealer that harvested system data, including MAC addresses, hostnames, running processes, and installed software BleepingComputer Help Net Security.

Kaspersky researchers identified the campaign as a targeted operation. While thousands of systems across more than 100 countries were infected with the initial information collector, the attackers used this data to profile victims and selectively deploy more advanced payloads The Record Help Net Security. In a limited number of cases—targeting government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand—the attackers deployed a lightweight backdoor capable of executing commands and running code in memory BleepingComputer The Record. In at least one instance, this led to the deployment of "QUIC RAT," a sophisticated backdoor capable of injecting malicious code into legitimate system processes BleepingComputer Help Net Security.

Disc Soft acknowledged the breach following the disclosure by Kaspersky and released a clean version of the software, 12.6.0.2445, on May 5, 2026 BleepingComputer Help Net Security. The company stated that the issue was isolated to the free version of DAEMON Tools Lite and did not impact its Pro or Ultra products BleepingComputer. Users who installed the software since April 8 are advised to uninstall the application, perform a full system scan, and install the latest version from the official website BleepingComputer.

While the investigation into the root cause is ongoing, Disc Soft confirmed that the breach occurred due to "unauthorized interference" within its build environment BleepingComputer Help Net Security. Although researchers noted Chinese-language strings within the malicious code, no specific threat actor has been officially attributed to the campaign Help Net Security The Record.

This incident marks the fourth supply chain compromise identified by Kaspersky in 2026, following similar attacks on eScan, Notepad++, and CPUID Help Net Security. The trend highlights a growing preference among threat actors to target widely trusted software to achieve broad, initial access to both consumer and enterprise environments Help Net Security.

Synthesized by Vypr AI