Disc Soft Limited confirmed on May 7, 2026, that attackers breached its build environment in a software supply-chain attack, distributing trojanized versions of the DAEMON Tools Lite installer from the official company website for 27 days before a clean version was released, with Kaspersky researchers documenting infection attempts across more than 100 countries.
DAEMON Tools Lite Versions 12.5.0.2421 Through 12.5.0.2434 Delivered a Staged Malicious Payload
Affected versions of DAEMON Tools Lite — the free edition, spanning build numbers 12.5.0.2421 through 12.5.0.2434 — were distributed via the official download portal from April 8, 2026. Disc Soft released clean version 12.6.0 on May 5, 2026, closing a 27-day window during which users who downloaded the software from the vendor’s own infrastructure received malware. Paid editions of DAEMON Tools were not affected.
Kaspersky researchers described the malicious component as a three-stage payload designed to operate selectively, deploying advanced capabilities only to targets the attackers identified as high value based on initial reconnaissance data.
The first stage deployed an information stealer across all infected hosts, collecting hostname, MAC address, list of running processes, and installed software inventory. This reconnaissance layer gave operators a profile of each compromised machine and enabled triage decisions about which hosts warranted additional attention.
Second-Stage Backdoor and the Selective Deployment of QUIC RAT to Targeted Victims
Hosts that cleared the attacker’s selection criteria received a second-stage lightweight backdoor capable of executing commands and downloading additional files. This persistent access mechanism gave operators an interactive foothold on selected systems without introducing the more detectable signature of a full remote access trojan.
A smaller subset of specifically chosen victims received a third payload: QUIC RAT, a remote access trojan communicating over the QUIC protocol with support for code injection and multi-protocol communication. Kaspersky determined that the QUIC RAT was deployed to approximately 12 targeted hosts — a fraction of the thousands of systems that received the first-stage infostealer — reflecting a deliberate targeting strategy that prioritized operational security and precision over mass exploitation. Sectors represented among the QUIC RAT recipients included retail, government, scientific research, and manufacturing.
Geographic Spread: Infection Attempts Recorded in Over 100 Countries
Kaspersky’s telemetry identified infection attempts across thousands of systems in more than 100 countries. The global reach reflects the international user base of DAEMON Tools Lite, a widely used disc image and virtual drive application distributed through the vendor’s own website and reviewed by third-party download aggregators. Because the trojanized installers were served directly from the official Disc Soft infrastructure, any detection heuristic based on source legitimacy — using only official vendor downloads — provided no protection.
Disc Soft Response and Ongoing Attribution Investigation
Disc Soft released DAEMON Tools Lite version 12.6.0 on May 5, 2026, three days before the breach was publicly confirmed on May 7. The company recommended that all users of affected versions 12.5.0.2421 through 12.5.0.2434 uninstall the compromised software, install the clean release, and conduct full system scans. Attribution for the build environment compromise remains under active investigation; no threat group has been publicly identified as responsible.
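The first thing a defender needs from this notice is a way to find every host in the fleet that installed an affected build. The following script is an added example, not code from Disc Soft, Kaspersky or the article: it reads an installed-software inventory export and flags free-edition installs whose build number falls in the 12.5.0.2421 through 12.5.0.2434 range, treating paid editions and the clean 12.6.0 release as unaffected. The CSV layout, column names, hostnames and the paid-edition row are all constructed for the example; only the product name and version numbers come from the notice. Versions are compared as integer tuples rather than strings, and rows whose version field cannot be parsed are reported for manual review instead of being dropped, since a silently skipped row is a false negative.

```python
"""Fleet triage for the DAEMON Tools Lite supply-chain incident.

Reads an installed-software inventory export (one row per host and product)
and flags hosts running an affected DAEMON Tools Lite build. Affected range
per the vendor notice: 12.5.0.2421 through 12.5.0.2434, free edition only;
12.6.0 is the clean release. The inventory format and column names are
assumptions made for this example.
"""
from __future__ import annotations

import csv
import io
from typing import Iterable

AFFECTED_PRODUCT = "DAEMON Tools Lite"
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
REMEDIATION = "uninstall, install DAEMON Tools Lite 12.6.0, run a full system scan"


def parse_version(text: str) -> tuple[int, ...]:
    """Convert '12.5.0.2421' to (12, 5, 0, 2421).

    Comparing integer tuples avoids the lexicographic trap of comparing
    version strings, where '12.5.0.243' would sort between '12.5.0.2421'
    and '12.5.0.2434' and be flagged as affected.
    """
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric component {piece!r} in version {text!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool:
    """True only for the free edition in the trojanized build range."""
    if product.strip().casefold() != AFFECTED_PRODUCT.casefold():
        return False  # paid editions were not affected
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(rows: Iterable[dict]) -> list[dict]:
    """Return one finding per host that needs action.

    Rows whose version cannot be parsed are reported separately rather than
    silently skipped: an inventory agent that garbles the version field must
    not turn an affected host into a false negative.
    """
    findings = []
    for row in rows:
        try:
            affected = is_affected(row["product"], row["version"])
        except ValueError:
            findings.append({"host": row["host"], "version": row["version"],
                             "status": "unparseable",
                             "action": "verify installed version manually"})
            continue
        if affected:
            findings.append({"host": row["host"], "version": row["version"],
                             "status": "affected", "action": REMEDIATION})
    return findings


def triage_csv(text: str) -> list[dict]:
    """Parse a CSV inventory export and run triage over it."""
    return triage(csv.DictReader(io.StringIO(text)))


# Constructed sample inventory: hostnames, the paid-edition row and the
# malformed row are made up to exercise each branch of the triage logic.
SAMPLE_INVENTORY = """\
host,product,version
ws-01,DAEMON Tools Lite,12.5.0.2421
ws-02,daemon tools lite,12.5.0.2434
ws-03,DAEMON Tools Lite,12.6.0
ws-04,DAEMON Tools Pro,12.5.0.2430
ws-05,DAEMON Tools Lite,12.4.0.2100
ws-06,DAEMON Tools Lite,12.5.0.243
ws-07,DAEMON Tools Lite,unknown
"""


if __name__ == "__main__":
    for finding in triage_csv(SAMPLE_INVENTORY):
        print(f"{finding['host']:6} {finding['version']:12} "
              f"{finding['status']:12} {finding['action']}")
```

Run against the sample, the script reports ws-01 and ws-02 as affected (the second despite the lower-case product name) and ws-07 as unparseable; the 12.6.0 install, the paid edition, the older build and the out-of-range build number are all left alone. Swap `SAMPLE_INVENTORY` for the output of whatever inventory tool the environment actually uses and adjust the column names accordingly.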
The three-stage payload design carries a specific forensic implication for affected users: systems that received only the first-stage infostealer may show no obvious signs of compromise — no persistent backdoor, no anomalous outbound connections, no QUIC RAT activity — yet have already transmitted sensitive reconnaissance data to the attacker. Users of affected versions who have not been contacted by Disc Soft should not infer from the absence of obvious symptoms that their systems were not profiled.
The DAEMON Tools incident joins a series of supply-chain attacks targeting software build and distribution infrastructure, including the SolarWinds breach, the 3CX supply-chain compromise, and recent incidents involving ASUS and CCleaner. The recurring pattern indicates that vendors’ own distribution infrastructure is a sustained target for attackers seeking to reach the end-user base of trusted software products — a vector that bypasses user-facing security guidance to use only official sources.
