Disc Soft has confirmed a supply chain attack that compromised its Daemon Tools Lite software, releasing a clean version within 12 hours of notification. The company released version 12.6 on May 5 after discovering that threat actors had injected malware into version 12.5.1 through unauthorized access to its build infrastructure. The compromised version has been removed from distribution and is no longer supported.
Kaspersky researchers first detected the Trojanized installers being distributed from the official Daemon Tools website starting April 8. The security firm observed several thousand infection attempts across more than 100 countries in its telemetry data. While the initial compromise affected a broad user base, the attackers deployed second-stage payloads to only about a dozen carefully selected targets, indicating a focused operation rather than indiscriminate malware distribution.
The targeted victims included organizations in retail, scientific research, government, and manufacturing sectors. In at least one confirmed case, an educational institution in Russia was infected with Quic RAT, a remote access trojan capable of injecting malicious payloads into legitimate Windows processes like notepad.exe and conhost.exe. Most affected users were located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. The ultimate objective of the campaign remains unclear, though Kaspersky suggested possibilities ranging from cyber-espionage to financially motivated attacks.
Disc Soft stated it has contained the incident after conducting an internal investigation that revealed unauthorized interference within its infrastructure. The company isolated affected systems, removed all compromised files from distribution, audited its entire build and release pipeline, rebuilt installation packages, and strengthened security controls and monitoring systems. All currently available versions have been verified for integrity and safety.
Organizations and individuals who downloaded Daemon Tools Lite version 12.5.1 should take immediate action. Disc Soft recommends uninstalling the application, performing a comprehensive system scan with trusted security software, and downloading the latest version directly from the official website. Kaspersky advises organizations to examine any machines that had Daemon Tools installed since April 8 for abnormal activities, given the sophisticated nature of the attack and the potential for persistent access.
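One way to scope the response described above, as an added example that is not part of the original article or any vendor tooling: it triages a software-inventory export, marking hosts that ever reported Daemon Tools Lite 12.5.1 for uninstall and scan, and hosts with any Daemon Tools seen on or after April 8 for examination. The CSV columns, host names, product strings and the placeholder year are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

COMPROMISED_VERSION = "12.5.1"  # trojanized build named in the article
INCIDENT_YEAR = 2000            # placeholder: the article gives no year
WINDOW_START = date(INCIDENT_YEAR, 4, 8)  # first trojanized downloads observed

# Constructed inventory export; column names and product strings are assumptions.
SAMPLE_INVENTORY = """\
host,product,version,observed
ws-014,DAEMON Tools Lite,12.5.1,2000-04-20
ws-014,DAEMON Tools Lite,12.6,2000-05-06
ws-022,DAEMON Tools Lite,12.4.0,2000-04-15
ws-031,Daemon Tools Lite,12.4.0,2000-03-01
ws-040,7-Zip,24.08,2000-04-20
ws-057,daemon tools lite, 12.5.1 ,2000-04-09
"""

def triage(inventory_csv, window_start=WINDOW_START):
    """Return {host: action}; action is 'uninstall_and_scan' or 'examine'."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if "daemon tools" not in product:
            continue  # unrelated software
        host = row["host"].strip()
        version = row["version"].strip()
        observed = date.fromisoformat(row["observed"].strip())
        if "lite" in product and version == COMPROMISED_VERSION:
            # Vendor guidance: uninstall, full scan, reinstall the latest version.
            actions[host] = "uninstall_and_scan"
        elif observed >= window_start:
            # Kaspersky guidance: examine machines with Daemon Tools since April 8.
            # setdefault keeps a stronger action already recorded for this host.
            actions.setdefault(host, "examine")
    return actions

if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {action}")
```

A host that has since upgraded to 12.6 stays flagged, since Kaspersky's advice covers any machine that had the software installed since April 8.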
Source: https://www.infosecurity-magazine.com/news/daemon-tools-confirms-software/


