DAEMON Tools Devs Confirm Breach, Release Malware-Free Version
Disc Soft confirms a supply-chain attack that trojanized DAEMON Tools Lite installers, releasing a malware-free 12.6 version on May 5 while other DAEMON Tools products appear unaffected. Users who installed 12.5.1 since April 8 should uninstall, run a full scan, and upgrade to 12.6; prior activity linked by Kaspersky involved backdoors and info-stealers, but the latest 12.6.0.2445 is reported to no longer exhibit malicious behavior.

DAEMON Tools Breach: Supply-Chain Attack and Malware-Free Version Released
Overview
Disc Soft Limited, the company behind DAEMON Tools Lite, disclosed a supply-chain incident in which a trojanized installer was distributed through official channels. The breach led to the release of a clean, malware-free version (12.6) while other DAEMON Tools products were not affected. The company asserted that its infrastructure has been secured and that the compromised installation packages were subsequently removed from distribution.
Incident Details
- Discovery: An internal investigation identified unauthorized interference within Disc Soft’s infrastructure that caused some installation packages to be released in a compromised state.
- Immediate action: A malware-free version (12.6) of DAEMON Tools Lite was released on May 5, addressing the affected build.
- Affected products: Only DAEMON Tools Lite was implicated in this incident. Paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro were reported as unaffected.
- Current status: The trojanized installer was removed, and users were prompted to install the latest 12.6 release from the official site. The compromised version is no longer supported.
What Was Compromised and How It Worked
- Initial compromise: The attack involved tainted installation packages embedded within the build environment, which were signed and distributed as legitimate software.
- First-stage payload: After execution, the trojanized installer deployed a basic information-stealer. It collected machine data such as hostname, MAC address, running processes, installed software, and system locale, and exfiltrated these details to attacker-controlled servers.
- Second-stage payload: Some infected machines received a lighter backdoor capable of executing commands, downloading files, and running code directly in memory.
- Additional tool observed: In at least one observed case, a QUIC RAT variant was deployed, enabling process injection and multi-protocol communication.
- Early victims: The attack affected users worldwide who downloaded from the official site since April 8, including organizations in the retail, scientific, government, and manufacturing sectors, with notable activity in Russia, Belarus, and Thailand, and compromised machines across several other countries.
Timeline of Key Events
- April 8: Infected installers began circulating through the official DAEMON Tools download channel.
- April–May: The trojanized versions (12.5.0.2421 to 12.5.0.2434) were in use by unsuspecting users who installed the software.
- May 5: Release of DAEMON Tools Lite 12.6, a version confirmed not to contain the compromised files.
- May 6: Public disclosures and investigations into the breach continued, with security firms (e.g., Kaspersky) providing analysis and updates.
Affected Versions and Scope
- Trojanized range: Installers from 12.5.0.2421 through 12.5.0.2434 were identified as tainted prior to the release of the clean version.
- Clean version: 12.6.0 (the malware-free release) and later builds were designed to exclude the compromised components.
- Geography and sectors: The attack impacted users across multiple regions, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, China, and others, spanning retail, scientific, government, and manufacturing domains.
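The version ranges above can be turned into a fleet triage check. The following is an added example, not code from Disc Soft or Kaspersky; it assumes a software inventory exported as a host,product,version CSV, and the hostnames, rows and verdict labels are constructed for illustration.

```python
import csv
import io

# Build ranges as stated in the article's "Affected Versions and Scope" section.
TROJANIZED_FIRST = (12, 5, 0, 2421)
TROJANIZED_LAST = (12, 5, 0, 2434)
FIRST_CLEAN = (12, 6, 0, 0)
AFFECTED_PRODUCT = "daemon tools lite"  # Ultra and Pro were reported unaffected

def parse_version(text):
    """Turn '12.6' or '12.5.0.2421' into a 4-tuple; None if malformed."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(product, version_text):
    """Return a triage verdict for one inventory row."""
    if product.strip().lower() != AFFECTED_PRODUCT:
        return "not-in-scope"
    version = parse_version(version_text)
    if version is None:
        return "manual-review"  # unparseable version: check the host by hand
    if TROJANIZED_FIRST <= version <= TROJANIZED_LAST:
        # Paid Lite builds were reported unaffected; confirm the edition.
        return "trojanized-range"
    if version >= FIRST_CLEAN:
        return "clean-release"
    return "outside-reported-range"

def triage(inventory_csv):
    """Map host -> verdict for each row of a host,product,version CSV."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["product"], r["version"]) for r in reader}

# Constructed sample inventory; hostnames and rows are made up for this example.
SAMPLE_INVENTORY = """host,product,version
ws-001,DAEMON Tools Lite,12.5.0.2421
ws-002,DAEMON Tools Lite,12.5.0.2434
ws-003,DAEMON Tools Lite,12.6.0.2445
ws-004,DAEMON Tools Lite,12.6
ws-005,DAEMON Tools Ultra,12.5.0.2425
ws-006,DAEMON Tools Lite,12.5.x
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts flagged trojanized-range are the ones to uninstall, scan and upgrade to 12.6; the version string alone cannot distinguish the free edition from a paid one.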
Vendor Response and Security Community Findings
- Vendor statement: Disc Soft confirmed unauthorized interference within its infrastructure and the release of compromised installation packages. They stated that the 12.6 release does not contain the suspected files and that the incident is under investigation, with the attack vector not yet disclosed.
- Third-party analysis: Independent researchers and cybersecurity firms documented the trojanized installers and the subsequent backdoors. Kaspersky highlighted the distribution of tainted DAEMON Tools Lite installers and the evolution of payloads to establish persistence and enable backdoor activity.
- Current security posture: The trojanized build has been removed from distribution, and security teams continue monitoring for any residual or related threats in the wild.
Current Status and Next Steps for Users (Contextual Summary)
- What users should know: The official 12.6.0 release represents the malware-free version intended to replace the compromised build. Other DAEMON Tools products remain unaffected according to initial disclosures.
- What has changed: The vendor has addressed the issue by removing the tainted build and issuing an updated, clean release. Security researchers have noted that the malicious behavior is no longer present in the updated version.
- Ongoing uncertainty: While the vendor has secured its infrastructure and issued a remediation, the full attack vector and attributions have not been publicly disclosed, and investigations may continue.
Contextual Takeaways
- Supply-chain risks: This incident underscores how trusted software channels can be exploited to deploy backdoors, making supply-chain integrity a critical focus for software vendors and users alike.
- Layered threats: The progression from information-stealer to backdoor and the potential use of multi-protocol RATs demonstrates the need for comprehensive threat modeling and monitoring beyond initial malware presence.
- Industry collaboration: The incident illustrates how vendors and independent researchers collaboratively identify, analyze, and respond to exploit campaigns, helping to mitigate broader impact and improve secure software practices.


