DAEMON Tools Supply-Chain Attack: Trojanized Installers Served from Official Site for a Month
Security researchers at Kaspersky have uncovered a supply-chain attack targeting DAEMON Tools Lite, in which trojanized Windows installers were distributed from the official website for nearly a month — from April 8 through early May 2026. The compromised installers affected versions 12.5.0.2421 through 12.5.0.2434 and the free 12.5.1 release.
The malicious code was embedded into legitimate installers that were digitally signed by Disc Soft Limited, the developer of DAEMON Tools. Trojanized components including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe performed first-stage system reconnaissance. For approximately a dozen high-value targets — primarily in government, manufacturing, retail, and scientific organizations in Russia, Belarus, and Thailand — a second-stage backdoor was deployed, including in some cases the sophisticated QUIC RAT malware. Artifacts point to Chinese-speaking threat actors.
Thousands of infection attempts were detected in more than 100 countries. Disc Soft released a clean version (12.6.0.2445) on May 5. Users of affected versions should uninstall the software, run a full system scan, and re-download the installer from the official site.
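For fleet triage against the version numbers above, the following added example (not from Kaspersky or Disc Soft) classifies a software-inventory export. The CSV column names, host names and verdict labels are assumptions, and the sample rows are constructed; any build starting with 12.5.1 is treated as the affected free release, and versions that cannot be placed go to manual review.

```python
import csv
import io
import re

# Version boundaries as stated in the article.
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)
AFFECTED_FREE = (12, 5, 1)        # the "free 12.5.1 release"
FIRST_CLEAN = (12, 6, 0, 2445)

# Constructed sample inventory; the column names are an assumption.
SAMPLE_INVENTORY = """host,product,version
ws-001,DAEMON Tools Lite,12.5.0.2421
ws-002,DAEMON Tools Lite,12.5.1
ws-003,DAEMON Tools Lite,12.6.0.2445
ws-004,DAEMON Tools Lite,12.5.0
ws-005,7-Zip,24.08
"""

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unparsed"
    if v[:3] == AFFECTED_FREE:
        return "affected"
    if len(v) < 4 and v == AFFECTED_LOW[:len(v)]:
        return "review"            # build number missing, cannot rule out
    v = v + (0,) * (4 - len(v))    # pad short versions for comparison
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v >= FIRST_CLEAN:
        return "clean"
    # Either predates the listed builds, or sits between them and the fix.
    return "before-range" if v < AFFECTED_LOW else "review"

def triage(inventory_csv):
    """Return (host, version, verdict) for every DAEMON Tools row."""
    return [(r["host"], r["version"], classify(r["version"]))
            for r in csv.DictReader(io.StringIO(inventory_csv))
            if "daemon tools" in r["product"].lower()]

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{verdict}")
```

A "clean" or "before-range" verdict reflects only the installed version string, so hosts that ran an affected build before upgrading still need the scan the article recommends.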
Source
The Hacker News · Kaspersky · SecurityWeek
Commentary
Supply-chain attacks via signed, official installers remain one of the hardest threats to defend against — if you can’t trust the vendor’s own download page with valid signatures, what can you trust? The selective second-stage deployment is characteristic of sophisticated state-aligned operations: cast a wide net with the initial compromise, then surgically target high-value victims.
While DAEMON Tools may seem like a niche utility in 2026, it’s still widely installed in enterprise environments, particularly in manufacturing and government sectors where optical media emulation remains common. The month-long window of exposure means many organizations may not even realize they’re affected.


