DAEMON Tools confirms supply-chain breach and ships a clean replacement

Disc Soft, the company behind DAEMON Tools, has confirmed that attackers tampered with its build environment and pushed trojanized installers for the free version of DAEMON Tools Lite. The company says version 12.6, released on May 5, is clean, while users who downloaded or installed version 12.5.1 since April 8 should uninstall it, run a full antivirus scan, and replace it with the new build.
This is the kind of supply-chain incident that matters because it turns an official download channel into the delivery mechanism. Security teams spend a lot of time teaching users not to install software from sketchy mirrors or random attachments. In this case, the compromised installers were reportedly signed and distributed from the vendor's legitimate site, which collapses one of the most basic trust assumptions in desktop software distribution.
According to Disc Soft's statement and reporting from BleepingComputer, the breach affected certain installation packages inside the company's infrastructure rather than every DAEMON Tools product. The company says paid versions of DAEMON Tools Lite, plus DAEMON Tools Ultra and DAEMON Tools Pro, were not impacted. The exposed window still matters, though. Researchers at Kaspersky said the malicious installers had been available since April 8 and were used to infect systems across more than 100 countries.
The malware chain appears to have been selective rather than noisy. Kaspersky said the first stage collected host details for profiling, including running processes, installed software, locale, and network identifiers. Some systems then received a second-stage backdoor capable of executing commands, downloading files, and running code in memory. In at least one case, researchers observed deployment of QUIC RAT, which gives attackers a more durable foothold than a simple one-shot infostealer.
That makes this more than a cleanup note from a software vendor. Once a signed installer from a familiar utility gets weaponized, the downstream problem becomes endpoint investigation. Organizations now need to treat any affected DAEMON Tools Lite installation as a potential intrusion, not just a bad download. That means checking for persistence, outbound connections, follow-on payloads, and any lateral movement that may have happened after the initial install.
Disc Soft says it has secured the affected infrastructure, but the company has not yet explained how attackers got in or how many downloads were affected. That leaves defenders with an uncomfortable but familiar gap. The product is available again in a clean version, but incident responders still have to assume there was enough time for real compromise in the field, especially on unmanaged or lightly monitored endpoints.
The practical response is straightforward. Identify any installations of the free DAEMON Tools Lite that were added or updated since April 8, remove the compromised build, scan those systems, and review endpoint telemetry for secondary payload activity. For software vendors, the broader lesson is just as important: code signing and official distribution are not enough if the build pipeline itself can be altered upstream. As BleepingComputer first reported, this incident is another reminder that build-system security is now product security.
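The inventory step above is the part that scales badly by hand, so here is an added PowerShell triage script for that step. It is an illustrative example written for this page, not code from Disc Soft, Kaspersky or BleepingComputer. It reads the standard Windows Uninstall registry keys, flags DAEMON Tools Lite entries whose version is below the clean 12.6 build or whose install date falls inside the exposure window, and lists any cached installers in the user's Downloads folder with their SHA-256 and Authenticode signer so responders can compare them against vendor or AV indicators later. Assumptions: the article gives April 8 without a year, so the cutoff defaults to April 8 of the current year; the `DTLite*` file-name pattern for cached installers is a guess and is not from the article; the script only reports and never uninstalls anything.

```powershell
# Added triage example for the DAEMON Tools Lite incident (not vendor code).
# Assumption: the article gives only month/day, so the default cutoff uses the current year.
param(
    [datetime]$Since        = [datetime]::new((Get-Date).Year, 4, 8),
    [version] $CleanVersion = [version]'12.6'
)

# Standard Uninstall hives: 64-bit, 32-bit (WOW6432Node) and per-user installs.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function ConvertTo-InstallDate {
    # InstallDate is conventionally stored as yyyyMMdd; anything else is treated as unknown.
    param([string]$Raw)
    if ($Raw -and $Raw -match '^\d{8}$') {
        return [datetime]::ParseExact($Raw, 'yyyyMMdd', $null)
    }
    return $null
}

function Get-DaemonToolsLiteInstalls {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
            if ($p.DisplayName -notlike 'DAEMON Tools Lite*') { return }

            $ver = $null
            [void][version]::TryParse([string]$p.DisplayVersion, [ref]$ver)
            $installed = ConvertTo-InstallDate $p.InstallDate

            # Build a human-readable list of why this entry needs attention.
            $reasons = @()
            if ($null -eq $ver)                { $reasons += 'version unreadable' }
            elseif ($ver -lt $CleanVersion)    { $reasons += "version $ver is below clean build $CleanVersion" }
            if ($null -eq $installed)          { $reasons += 'install date unknown; verify manually' }
            elseif ($installed -ge $Since)     { $reasons += "installed $($installed.ToString('yyyy-MM-dd')), inside exposure window" }

            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                DisplayName     = $p.DisplayName
                Version         = $p.DisplayVersion
                InstallDate     = $installed
                InstallLocation = $p.InstallLocation
                RegistryKey     = $_.PSPath
                NeedsAction     = ($null -eq $ver -or $ver -lt $CleanVersion)
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

function Get-CachedInstallers {
    # Assumption: installer file names start with "DTLite"; adjust the pattern to what you actually see.
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    if (-not (Test-Path $downloads)) { return }
    Get-ChildItem $downloads -Filter 'DTLite*.exe' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        [pscustomobject]@{
            File          = $_.FullName
            Downloaded    = $_.CreationTime
            SHA256        = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            SignerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus     = $sig.Status
        }
    }
}

Write-Host "== DAEMON Tools Lite installs (cutoff $($Since.ToString('yyyy-MM-dd')), clean build $CleanVersion) =="
Get-DaemonToolsLiteInstalls | Format-Table Computer, Version, InstallDate, NeedsAction, Reasons -AutoSize

Write-Host "== Cached installers in Downloads (hash for later comparison; signature alone proves nothing here) =="
Get-CachedInstallers | Format-List
```

Run it as the logged-on user so HKCU entries are visible, and run it again in an elevated session for system-wide installs. Note that the article says the trojanized installers were signed, so a valid Authenticode status on a cached installer is not evidence that it is clean; the hash is what you would match against indicators from the vendor or your AV. Any row with `NeedsAction` set is a system to treat as a potential intrusion: uninstall the build, run the full antivirus scan, and then pull that host's endpoint telemetry for persistence, outbound connections and follow-on payloads as the article describes.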
Originally reported by BleepingComputer. Read the original article for additional details.