"Following an internal investigation, we identified unauthorized interference within our infrastructure," Disc Soft wrote on May 7 after confirming that malware had been hidden inside certain Daemon Tools Lite installers.
Disc Soft confirms tampered installers; issues clean build
Disc Soft, the developer of Daemon Tools Lite, said it released a malware-free Version 12.6 of the product on May 5, less than 12 hours after being notified of what it described as a supply chain attack. The company said certain installation packages "were impacted within our build environment and were released in a compromised state."
According to the developer, the firm has contained the incident by isolating and securing affected systems, removing all potentially compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring systems. Disc Soft stated that "all currently available versions of Daemon Tools Lite have been verified to ensure their integrity and safety," and that the affected version (12.5.1) "has been removed and is no longer supported." The latest version was listed as 12.6.0.2445.
Kaspersky: installers Trojanized since April 8; thousands of attempts
Cybersecurity vendor Kaspersky warned that Daemon Tools installers distributed from the main website had been Trojanized beginning April 8. The company reported seeing "several thousands of infection attempts involving Daemon Tools in our telemetry, with individuals and organizations in more than 100 countries being affected."
Despite the volume of attempts, Kaspersky said that "out of all the machines infected, we have observed further-stage payloads being deployed to only a dozen of them," a detail that indicates the campaign employed selective follow‑on deployment rather than mass post‑infection activity.
Observed victims, targeting pattern and possible motivations
Kaspersky described the machines that received additional payloads as belonging to retail, scientific, government and manufacturing organizations — categories that the company said "indicates that the supply chain attack has a targeted manner." Most victims were reportedly located in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China.
On motive, Kaspersky suggested two possible end goals: cyber‑espionage and "big‑game hunting." The firm urged organizations to carefully examine machines that had Daemon Tools installed for abnormal cybersecurity‑related activities occurring on or after April 8.
Technical detail: Quic RAT observed on at least one victim
Kaspersky reported that one victim, an educational institution in Russia, was infected with Quic RAT. The vendor noted that Quic RAT is capable of injecting payloads into notepad.exe and conhost.exe processes, a technique used to blend malicious activity into legitimate system processes.
Beyond that specific finding, Kaspersky's telemetry showed a wide geographic footprint for the initial infection attempts but a narrowly focused set of machines that received further payloads, underscoring the campaign's combination of broad distribution and selective follow‑through.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Kaspersky's observation that only about a dozen machines received second‑stage payloads means incident responders should treat signs of compromise seriously even if the number of confirmed follow‑on infections is small. The vendor advised scrutiny of machines with Daemon Tools installed for abnormal activity on or after April 8.
- Procurement and enterprise IT leaders: Organizations that obtained Daemon Tools from the official site should validate software inventory and ensure no installations of the removed 12.5.1 build remain on enterprise endpoints. Disc Soft said the affected build "has been removed and is no longer supported."
- End users: Disc Soft urged anyone who downloaded the affected version to uninstall the application, run a full system scan using trusted security software, and download the latest version from the official website. The developer also asserted that after containment steps there is "no ongoing risk for users."
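The inventory check described in the list above can be scripted. The following is an added example, not code from Disc Soft or Kaspersky: it triages a software-inventory export using the two version numbers given in the article. The CSV column names, host names and build numbers in the sample rows are constructed assumptions.

```python
import csv
import io

# Version facts taken from the article; everything else here is constructed.
AFFECTED = (12, 5, 1)            # build Disc Soft removed from distribution
CLEAN_BUILD = (12, 6, 0, 2445)   # rebuilt installer listed as the latest version

# Constructed sample export; the column names are an assumed inventory format.
SAMPLE_CSV = """host,product,version
ws-001,DAEMON Tools Lite,12.5.1.2210
ws-002,DAEMON Tools Lite,12.6.0.2445
ws-003,Daemon Tools Lite,12.5.10.7
ws-004,DAEMON Tools Lite,12.4.0.2104
ws-005,DAEMON Tools Lite,unknown
ws-006,Example Editor,12.5.1.1
"""


def parse_version(text):
    """Turn '12.6.0.2445' into (12, 6, 0, 2445); return None if malformed."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def triage(product, version):
    """Map one inventory row to an action, or None for unrelated software."""
    if "daemon tools lite" not in product.lower():
        return None
    ver = parse_version(version)
    if ver is None:
        return "manual"    # build cannot be determined: check the host by hand
    if ver[:3] == AFFECTED:  # tuple compare, so 12.5.10 does not match 12.5.1
        return "remove"    # uninstall, full scan, review activity since April 8
    if ver < CLEAN_BUILD:
        return "upgrade"   # older than the rebuilt installer; still review
    return "review"        # clean build now, but may have run 12.5.1 earlier


def sweep(csv_text):
    """Return {host: action} for every Daemon Tools Lite row in the export."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = triage(row["product"], row["version"])
        if action is not None:
            results[row["host"]] = action
    return results


if __name__ == "__main__":
    for host, action in sweep(SAMPLE_CSV).items():
        print(f"{host}: {action}")
```

No Daemon Tools host is reported as clear: a machine now on 12.6.0.2445 may have run the removed build before it was upgraded, so it still falls under Kaspersky's advice to examine activity on or after April 8.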
The record in this case is straightforward: a widely used utility's installers were tampered with, a vendor and an independent security firm traced the timeframe and impacts, and remediation steps were published. Disc Soft provided a rebuilt installer (12.6.0.2445) and removed the compromised 12.5.1 package; Kaspersky urged investigation of systems with Daemon Tools dating back to April 8 and highlighted targeted follow‑up deployments and a Quic RAT infection at an educational institution in Russia. For defenders and users, the immediate task is clear: verify builds, sweep devices for signs of compromise, and apply the cleaned installer from the official source.




