DAEMON Tools devs confirm breach, release malware-free version
Source: Bleeping Computer
Incident Overview
Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software was trojanized in a supply‑chain attack. The compromised versions were free DAEMON Tools Lite builds released between April 8 and May 5 (versions 12.5.0.2421 to 12.5.0.2434).
The company released a clean version (12.6) on May 5 and removed the trojanized installers from its website.
Company Response
- Within 12 hours of identifying the issue, Disc Soft implemented a solution and issued a statement to BleepingComputer.
- The breach was limited to the free DAEMON Tools Lite version; paid versions (DAEMON Tools Pro, Ultra, and paid Lite) were not affected.
- Disc Soft secured its infrastructure but has not yet attributed the attack to a specific threat actor or disclosed the attack vector.
- Users of the compromised free version (12.5.1) are advised to:
- Uninstall the application.
- Run a full system scan with security/antivirus software.
- Install the latest version (12.6) from the official website.
“Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5.” – Disc Soft statement
Technical Details of the Malware
-
The trojanized installers were digitally signed, making them appear legitimate.
-
After execution, the malicious code deployed a first‑stage information stealer that collected:
- Hostname, MAC address
- Running processes
- Installed software
- System locale
The data was sent to attacker‑controlled servers for victim profiling.
-
Based on the profiling results, some systems received a second‑stage lightweight backdoor capable of:
- Executing commands
- Downloading files
- Running code directly in memory
-
In at least one observed case, the backdoor was a QUIC RAT that can inject malicious code into legitimate processes and supports multiple communication protocols.
Impact and Victims
Kaspersky’s investigation identified victims across various sectors and regions, including:
- Sectors: Retail, scientific, government, manufacturing, and home users.
- Countries: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China, among others.
Thousands of systems from more than 100 countries were infected after downloading the compromised installers from the official website.
Kaspersky Update
In an update to its original report, Kaspersky confirmed that the newly released DAEMON Tools Lite 12.6.0 no longer exhibits malicious behavior.
“Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it. The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior.” – Kaspersky
Update May 06, 14:09 EDT: Added Disc Soft statement.