DAEMON Tools Devs Confirm Breach, Release Clean Version

Summary
– Disc Soft confirmed that DAEMON Tools Lite was trojanized in a supply chain attack and released a malware-free version 12.6.
– The trojanized version, DAEMON Tools Lite 12.5.1 (free), was available from April 8 and affected systems in over 100 countries.
– The malware deployed a first-stage info stealer and, for some victims, a second-stage backdoor or QUIC RAT.
– Users who installed the compromised version are advised to uninstall, run a full system scan, and install version 12.6 from the official website.
– Disc Soft stated that other products, including DAEMON Tools Pro and Ultra, were not affected, and the company is still investigating the attack vector.
Disc Soft Limited, the developer behind DAEMON Tools Lite, has confirmed that the software was compromised in a supply chain attack and has since released a clean, updated version to replace the trojanized installer.
“Within less than 12 hours of identifying the issue, we were able to implement a solution. Based on our current findings, the issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products,” the company told BleepingComputer. “We have not identified evidence supporting claims that all DAEMON Tools users were impacted, and at this stage, we are not in a position to confirm any impact on paid versions customers. Our current analysis indicates that DAEMON Tools Pro and DAEMON Tools Ultra were not affected and absolutely safe.”
In a separate statement published earlier today, Disc Soft said it has secured its infrastructure but has not yet attributed the attack to a specific threat actor or disclosed the attack vector used to access its systems, as the investigation continues.
“Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5,” the company stated. “Users of other DAEMON Tools products, including paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro are not affected by this incident and can continue using their software as usual.”
Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) on or after April 8 should uninstall the app, run a full system scan with security or antivirus software, and install the latest version (12.6) from the official website. Disc Soft has removed the trojanized version and now displays a warning prompt urging users to upgrade.
The breach was first reported by cybersecurity firm Kaspersky, which revealed on Tuesday that hackers had trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems across more than 100 countries. The compromised installers, digitally signed and ranging from version 12.5.0.2421 to 12.5.0.2434, were served from the official website starting April 8.
Once executed, the malicious code embedded in the binaries deployed a payload designed to establish persistence and activate a backdoor on system startup. The first-stage malware was a basic information stealer that collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on the results, some infected systems received a second-stage payload: a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.
In at least one case, Kaspersky observed the deployment of QUIC RAT malware, which can inject malicious code into legitimate processes and supports multiple communication protocols.
The investigation revealed that victims included retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand, as well as home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Today, Kaspersky updated its original report to confirm that DAEMON Tools Lite version 12.6.0, released yesterday, no longer exhibits malicious behavior. “Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it,” Kaspersky said. “The updated DAEMON Tools version 12.6.0.2445 no longer shows the malicious behavior.”
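For teams checking their own fleet, the version details reported above can be turned into a quick triage over a software-inventory export. The following is an added example, not code from Disc Soft, Kaspersky, or BleepingComputer; the CSV layout, host names, and verdict labels are assumptions made for illustration, and only the version numbers come from the article.

```python
import csv
import io

# Version facts as reported in the article above.
BAD_LOW = (12, 5, 0, 2421)       # first trojanized build (Kaspersky)
BAD_HIGH = (12, 5, 0, 2434)      # last trojanized build (Kaspersky)
VENDOR_ADVISED = (12, 5, 1)      # version named in Disc Soft's uninstall advice
CLEAN_BUILD = (12, 6, 0, 2445)   # build Kaspersky reports as clean

# Constructed sample inventory (hosts and the CSV layout are assumptions).
SAMPLE_INVENTORY = """host,product,version
ws-014,DAEMON Tools Lite,12.5.0.2421
ws-015,DAEMON Tools Lite,12.5.0.2434
ws-016,DAEMON Tools Lite,12.5.0.2420
ws-017,DAEMON Tools Lite,12.5.1
ws-018,DAEMON Tools Lite,12.6.0.2445
ws-019,DAEMON Tools Pro,12.5.0.2430
ws-020,DAEMON Tools Lite,12.5.0
ws-021,DAEMON Tools Lite,unknown
"""

def parse_version(text):
    """Return a tuple of 3 or 4 ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not 3 <= len(parts) <= 4:
        return None
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version_text):
    """Map one inventory row to a triage verdict (verdict labels are this example's own)."""
    if product.strip().lower() != "daemon tools lite":
        return "out_of_scope"          # vendor reports Pro and Ultra unaffected
    v = parse_version(version_text)
    if v is None or v == BAD_LOW[:3]:
        return "review"                # build number missing or unreadable: check by hand
    if len(v) == 4 and BAD_LOW <= v <= BAD_HIGH:
        return "trojanized_range"
    if v[:3] == VENDOR_ADVISED:
        return "vendor_advisory"       # applies to the free edition per Disc Soft
    if len(v) == 4 and v >= CLEAN_BUILD:
        return "clean_build"
    return "unlisted"                  # not covered by either report

def triage(csv_text):
    """Classify every row of an inventory export; returns {host: verdict}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["product"], r["version"]) for r in rows}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{verdict}")
```

Rows that come back as `review` lack a readable build number and need a manual check rather than being assumed clean.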
(Source: BleepingComputer)




