RC RANDOM CHAOS

DAEMON Tools Lite ships clean build after supply chain trojan hits free installer

· via BleepingComputer

Original source

DAEMON Tools devs confirm breach, release malware-free version

Disc Soft confirmed its build environment was compromised, resulting in trojanized DAEMON Tools Lite (free) installers distributed from the official site between April 8 and early May. Version 12.6 has been released without the malicious files, and the company says paid tiers — DAEMON Tools Pro, Ultra, and paid Lite — were untouched. Attribution and the initial access vector remain undisclosed pending investigation.

Kaspersky, which surfaced the campaign, traced infections across more than 100 countries via digitally signed installers (12.5.0.2421–12.5.0.2434). The first-stage payload profiled hosts (hostname, MAC, processes, installed software, locale) and selectively dropped a second-stage backdoor capable of in-memory execution and file download; at least one case escalated to QUIC RAT with process injection. Victims included retail, government, scientific, and manufacturing orgs in Russia, Belarus, and Thailand, plus home users across Europe, Latin America, and Asia.

Users who installed the free Lite build since April 8 should uninstall, run a full AV scan, and pull 12.6.0.2445 from the vendor. The incident is another reminder that signed binaries from a legitimate vendor’s own pipeline remain a high-trust delivery channel — and a high-value target for build-system intrusions.
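The version figures above can be turned into a quick fleet triage. The following is an added example, not code from Disc Soft, Kaspersky, or BleepingComputer: it classifies rows of a software inventory export against the trojanized range and the clean release. The CSV column names (`host`, `product`, `version`) and all sample rows are assumptions, and because an inventory does not show whether a Lite install is the free or the paid tier, an "affected" hit still needs that confirmed.

```python
import csv
import io
# Version bounds taken from the article; everything else here is constructed.
TROJANIZED_MIN = (12, 5, 0, 2421)
TROJANIZED_MAX = (12, 5, 0, 2434)
CLEAN_RELEASE = (12, 6, 0, 2445)

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(product, version_text):
    """Map one inventory row to a triage verdict."""
    if "daemon tools lite" not in product.lower():
        return "not-applicable"
    version = parse_version(version_text)
    if version is None:
        return "review"            # unparseable version: a human must look
    if TROJANIZED_MIN <= version <= TROJANIZED_MAX:
        return "affected"          # inside the signed-installer range Kaspersky traced
    if version >= CLEAN_RELEASE:
        return "clean-release"
    return "review"                # build not named in the article either way

def triage(inventory_csv):
    """Return (host, version, verdict) for every DAEMON Tools Lite row."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        verdict = classify(row["product"], row["version"])
        if verdict != "not-applicable":
            results.append((row["host"], row["version"], verdict))
    return results

# Constructed sample inventory export (hosts and rows are made up).
SAMPLE = """host,product,version
ws-014,DAEMON Tools Lite,12.5.0.2427
ws-022,DAEMON Tools Lite,12.6.0.2445
ws-031,DAEMON Tools Lite,12.4.0.2180
ws-040,DAEMON Tools Pro,12.5.0.2427
ws-057,DAEMON Tools Lite,unknown
"""

if __name__ == "__main__":
    for host, version, verdict in triage(SAMPLE):
        print(f"{host:8} {version:14} {verdict}")
```

Builds outside both the trojanized range and the clean release are marked "review" rather than safe, since the article makes no statement about them.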

This is an AI-generated summary. Read the original for the full story.