
DAEMON Tools Breach Exposes Thousands to Malware


"Following an internal investigation, we identified unauthorized interference within our infrastructure." — Disc Soft Limited

Disc Soft confirms supply-chain trojanization and issues a clean build

Disc Soft Limited, the maker of DAEMON Tools Lite, acknowledged that certain installation packages in its build environment were released in a compromised state and said it has "secured its infrastructure." In its statement, the company said Version 12.6 of DAEMON Tools Lite, "which does not contain the suspected compromised files, was released on May 5." Disc Soft also said paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro are not affected and that their users "can continue using their software as usual."

Kaspersky details scale, payloads, and tactics observed

Russian cybersecurity firm Kaspersky reported that trojanized DAEMON Tools Lite installers, signed and served from the official website since April 8, were used to backdoor "thousands of systems from more than 100 countries." The initial malicious binaries — installers with version numbers ranging "from 12.5.0.2421 to 12.5.0.2434" — dropped a first-stage information stealer that collected host identifiers and environment data, including hostname, MAC address, running processes, installed software, and system locale, then sent those details to attacker-controlled servers for profiling.

Based on profiling results, some victims received a second-stage payload: a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory. Kaspersky also observed deployment, in at least one case, of QUIC RAT, noted for its ability to inject code into legitimate processes and to operate over multiple communication protocols.

Who and where were impacted

Kaspersky identified infected devices across sectors and geographies. Retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand were among the enterprise victims recorded. Home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China were also observed with malicious payloads. The firm confirmed in a follow-up that the newly released DAEMON Tools Lite 12.6.0 (specifically 12.6.0.2445) "no longer shows the malicious behavior."

Immediate guidance issued to users and remediation steps

Disc Soft has removed the trojanized installers from distribution and now displays a warning prompting users to install the latest version from the official site. Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) since April 8 are advised by the vendor to uninstall that app, run a full system scan with security or antivirus software, and install DAEMON Tools Lite version 12.6 from the official website. Kaspersky's report and Disc Soft's update both indicate the vendor-published 12.6 release is intended to replace the compromised builds.

What this means for technologists, enterprises, and end users

  • Technologists and security teams: Verify whether any endpoints in your environment installed DAEMON Tools Lite installers dated after April 8, look in particular for installers with build numbers in the 12.5.0.2421–12.5.0.2434 range, and prioritize scans and removal where those installers were run. When triaging infected hosts, keep in mind the two-stage infection model Kaspersky describes: initial data collection followed by optional backdoor deployment.
  • Affected enterprises and procurement leaders: Review software deployment sources and build provenance for DAEMON Tools Lite installations across retail, scientific, government, and manufacturing assets. The incident underscores a need to confirm that delivered binaries match the vendor's clean 12.6.0.2445 release before redeployment.
  • End users and the general public: If you downloaded the free DAEMON Tools Lite 12.5.1 since April 8, follow the vendor advice: uninstall the compromised build, run a full antivirus or security scan, and reinstall DAEMON Tools Lite 12.6 from the official website. Disc Soft says paid DAEMON Tools editions were not affected.
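
The build-number check from the first bullet can be run over a software inventory export. The following is an added example, not code from Disc Soft, Kaspersky, or the original report; the CSV column names, hostnames, and verdict labels are constructed for illustration, and because an inventory rarely records free versus paid licensing, every DAEMON Tools Lite entry is checked.

```python
import csv
import io

# Build numbers taken from the reporting above.
BAD_LOW = (12, 5, 0, 2421)
BAD_HIGH = (12, 5, 0, 2434)
CLEAN = (12, 6, 0, 2445)
PRODUCT = "daemon tools lite"

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """hostname,product,version
ws-001,DAEMON Tools Lite,12.5.0.2421
ws-003,DAEMON Tools Lite,12.6.0.2445
ws-004,DAEMON Tools Lite,12.5.1
ws-005,DAEMON Tools Pro,12.5.0.2430
ws-006,DAEMON Tools Lite,12.5.0.2435
ws-007,daemon tools lite ,12.5.0.02434
ws-008,DAEMON Tools Lite,unknown
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Map one inventory row to a triage verdict."""
    if product.strip().lower() != PRODUCT:
        return "out-of-scope"
    parsed = parse_version(version)
    if parsed is None:
        return "review"  # no full build number: check the installer by hand
    if BAD_LOW <= parsed <= BAD_HIGH:  # numeric, not string, comparison
        return "trojanized-range"
    if parsed == CLEAN:
        return "vendor-clean"
    return "review"  # any other build is not covered by the reporting

def triage(csv_text):
    """Return {hostname: verdict} for every row of the inventory export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["hostname"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{verdict}")
```

Hosts marked `review` carry a build the reporting does not classify (including inventory entries that show only the marketed version, such as 12.5.1) and need the installer's full build number checked by hand.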

Disc Soft has not yet attributed the intrusion to any specific threat actor, has not disclosed the attack vector used to access its systems, and says it continues to investigate. BleepingComputer contacted Disc Soft several times about the incident but "we have not yet received a response." Kaspersky's update confirms the vendor published a new, non-malicious build and characterizes the release as addressing the issue.

The record in the public reporting for now is straightforward: thousands of installs worldwide were trojanized via signed installers served from the official site, affected free builds have been pulled, and Disc Soft delivered DAEMON Tools Lite 12.6 (12.6.0.2445) as the vendor-stated remediation. Whether attribution, a root-cause vector, or further secondary payloads will surface as the investigation continues remains to be seen.

Read the original report: https://www.bleepingcomputer.com/news/security/daemon-tools-devs-confirm-breach-release-malware-free-version/