Daemon Tools Developer Confirms Software Was Trojanized in Supply Chain Attack
Disc Soft confirmed that Daemon Tools Lite version 12.5.1 was trojanized in a supply chain attack, with malicious installers distributed from the official website since April 8.
Disc Soft, the developer of Daemon Tools Lite, has confirmed that version 12.5.1 of its popular utility software was trojanized in a supply chain attack. The malicious installers were distributed from the official website starting April 8, potentially affecting thousands of users worldwide. The company released a clean version 12.6.0.2445 on May 5, less than 12 hours after being notified of the compromise.
According to a statement from Disc Soft, the attack involved unauthorized interference within their infrastructure, leading to compromised installation packages in the build environment. The company has since isolated affected systems, removed all potentially compromised files, and audited the build and release pipeline. They have also strengthened internal security controls and monitoring to prevent future incidents.
Kaspersky, which first reported the campaign, observed thousands of infection attempts across more than 100 countries. However, only a dozen organizations received further-stage payloads, indicating a targeted approach. The affected sectors include retail, scientific, government, and manufacturing. One victim, an educational institution in Russia, was infected with Quic RAT, a malware that injects payloads into legitimate processes like notepad.exe and conhost.exe.
The end goal of the attack remains unclear, with Kaspersky suggesting both cyber-espionage and big-game hunting as possibilities. Most victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The campaign is believed to be linked to a China-linked backdoor operation, though attribution has not been confirmed.
Disc Soft has urged all users who downloaded the affected version to uninstall the application, run a full system scan with trusted security software, and download the latest version from the official website. The company emphasized that all currently available versions have been verified as safe.
This incident highlights the growing threat of supply chain attacks, where adversaries compromise trusted software distribution channels to deliver malware. Organizations are advised to carefully examine machines that had Daemon Tools installed for any abnormal cybersecurity-related activities occurring on or after April 8.