Disc Soft confirms DAEMON Tools Lite supply chain attack exposed thousands of systems worldwide

Disc Soft Ltd., the software company behind the DAEMON Tools virtual drive utility, confirmed that its free DAEMON Tools Lite software was compromised in a supply chain attack that distributed malware through trojanized installers hosted on the company’s official website.

The company said the issue was isolated to the free version of DAEMON Tools Lite and did not affect other products, including DAEMON Tools Pro and DAEMON Tools Ultra. A clean version of the software, DAEMON Tools Lite 12.6, was released on May 5 after the company secured its infrastructure and removed the compromised installers.

“Within less than 12 hours of identifying the issue, we were able to implement a solution,” Disc Soft said. “Based on our current findings, the issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products.”

Disc Soft said its investigation identified unauthorized interference within the company’s infrastructure that impacted installation packages in its build environment. The company has not disclosed how attackers gained access to its systems or attributed the attack to a specific threat actor as the investigation remains ongoing.

The compromised installers affected DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 distributed since April 8. Users who downloaded or installed DAEMON Tools Lite version 12.5.1 during that period were advised to uninstall the application, perform a full antivirus or security scan and install the latest version directly from the official website.

Cybersecurity company Kaspersky  identified the attack and found that the trojanized installers were digitally signed and distributed through official download channels, allowing the malware to infect systems without raising immediate suspicion.

Once executed, the compromised installers deployed a first-stage information-stealing malware payload that collected system details including hostnames, MAC addresses, installed software, running processes and system locale data. The information was transmitted to attacker-controlled servers for victim profiling.

Selected victims then received a second-stage payload consisting of a lightweight backdoor capable of executing commands, downloading files and running code directly in system memory. In at least one observed case, researchers detected the deployment of QUIC RAT malware, which supports multiple communication protocols and can inject malicious code into legitimate processes.

The campaign impacted organizations and individuals across more than 100 countries. Researchers identified infected systems within retail, scientific, manufacturing and government organizations in Russia, Belarus and Thailand, as well as home users in countries including Brazil, Turkey, Spain, Germany, France, Italy and China.

Disc Soft said the trojanized version of DAEMON Tools Lite has been fully removed and is no longer supported. Users attempting to access the older release are now presented with warnings directing them to install the latest version.

Kaspersky confirmed that the newly released DAEMON Tools Lite 12.6.0.2445 no longer exhibits malicious behavior and appears free of the malware embedded in earlier compromised builds.