Daemon Tools Developer Confirms Trojanized Software

Summary
– Disc Soft released malware-free Daemon Tools Lite version 12.6 on May 5 after confirming a supply chain attack compromised version 12.5.1.
– The attack involved unauthorized interference in Disc Soft’s infrastructure, with compromised installation packages distributed from its website since April 8.
– Kaspersky reported thousands of infection attempts across more than 100 countries, but further payloads targeted only a dozen organizations in retail, scientific, government, and manufacturing sectors.
– One victim in Russia was infected with Quic RAT, which injected payloads into system processes, suggesting a targeted campaign possibly for cyber-espionage or “big-game hunting.”
– Disc Soft contained the incident by isolating affected systems, auditing build pipelines, and strengthening security, urging users to uninstall the old version and download the new one.
The developer behind a widely used system utility has issued an urgent update after discovering that malicious actors had discreetly planted malware inside a prior release. Disc Soft, the company behind Daemon Tools Lite, rolled out the clean version 12.6 on May 5, just 12 hours after learning of the supply chain attack.
“Following an internal investigation, we identified unauthorized interference within our infrastructure,” the firm stated in a May 7 announcement. “As a result, certain installation packages were impacted within our build environment and were released in a compromised state.”
The company confirmed that the incident is now contained and poses no ongoing threat to users. Disc Soft moved quickly to isolate and secure the affected systems, removed all potentially compromised files from distribution, and conducted a full audit of its build and release pipeline. Installation packages were rebuilt and validated, while internal security controls and monitoring systems were strengthened.
“All currently available versions of Daemon Tools Lite have been verified to ensure their integrity and safety,” the company added. “The affected version (12.5.1) has been removed and is no longer supported. The latest version (12.6.0.2445) no longer exhibits the behavior associated with the incident.”
Disc Soft urged anyone who downloaded the compromised version to take three steps: uninstall the application, run a full system scan with trusted security software, and download the latest version directly from the official website.
Earlier this week, Kaspersky warned that Daemon Tools installers distributed from the main website had been Trojanized since April 8. The cybersecurity firm reported observing thousands of infection attempts involving the software in its telemetry, with victims spanning more than 100 countries. However, only a dozen machines received further-stage payloads. Those targeted machines belonged to organizations in the retail, scientific, government, and manufacturing sectors, suggesting a targeted supply chain attack.
Kaspersky noted that the attacker’s ultimate goal remains unclear, pointing to both cyber-espionage and big-game hunting as possibilities. One victim, an educational institution in Russia, was infected with the Quic RAT malware, which can inject payloads into notepad.exe and conhost.exe processes. The majority of victims were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
“Given the high complexity of the attack, it is paramount for organizations to carefully examine machines that had Daemon Tools installed, for abnormal cybersecurity-related activities that occurred on or after April 8,” Kaspersky concluded.
(Source: Infosecurity Magazine)



