Vendor Says Daemon Tools Supply Chain Attack Contained
Daemon Tools supply chain attack contained; trojanized versions distributed April-May infected thousands.
Summary
Disc Soft confirmed that some of its Daemon Tools Lite installation packages were compromised. According to Kaspersky, Chinese-speaking threat actors injected releases distributed between April 8 and May 5 with code that downloads and executes an information collector. Thousands of systems were infected; the attackers then selected roughly a dozen for a backdoor, at government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand, and targeted a Russian educational institution with a second, more complex backdoor. The vendor has isolated affected systems, removed compromised files, released a clean version (12.6.0.2445), and advised users to uninstall Daemon Tools Lite and scan for malware.
Full text
Daemon Tools developer Disc Soft has confirmed falling victim to an intrusion that led to a targeted supply chain attack. The incident came to light earlier this week, when Kaspersky warned that thousands of computers might have been infected with malware after downloading trojanized versions of Daemon Tools from the official website.
According to Kaspersky, Chinese-speaking threat actors injected Daemon Tools iterations released between April 8 and May 5 with code designed to download and execute an information collector. Out of thousands of infected machines, the attackers then selected roughly a dozen to infect with a backdoor, and targeted a Russian educational institution with a second, more complex backdoor as well. The initial backdoor, Kaspersky says, was deployed on systems of government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand.
On Wednesday, Disc Soft confirmed that hackers compromised certain installation packages, but said that the impact was limited to the free version of Daemon Tools Lite.
After learning of the issue, the company isolated and secured the affected systems, removed potentially compromised files from distribution, rebuilt and validated installation packages, and made a clean iteration of Daemon Tools Lite, namely version 12.6.0.2445, available on May 5.
“Our investigation is ongoing as we continue to analyze the root cause and full scope of the incident. At this stage, we are not attributing the incident to any specific third party. We are carefully reviewing all components of our infrastructure to ensure a complete and accurate understanding of what occurred,” the company said.
Disc Soft says only Daemon Tools Lite version 12.5.1 was compromised, the issue has been contained, and no other products, such as Daemon Tools Ultra and Daemon Tools Pro, have been affected.
Users who downloaded the trojanized software release, however, need to clean their systems too. For that, they should uninstall Daemon Tools Lite and scan the machine for malware. “We are also enhancing our verification procedures to further reduce the risk of similar incidents in the future,” Disc Soft said.
Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek.
Indicators of Compromise
- malware — Daemon Tools Lite v12.5.1 (trojanized)
- malware — Information collector
- malware — Backdoor (unnamed)