Full Report
Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version. [...]
Analysis Summary
# Incident Report: DAEMON Tools Lite Supply Chain Attack
## Executive Summary
Disc Soft Limited, the developer of DAEMON Tools Lite, confirmed a supply chain attack in which its build environment was compromised to distribute trojanized software. Between April 8 and May 5, 2026, the free version of DAEMON Tools Lite (the 12.5.x builds listed under Indicators of Compromise) delivered a multi-stage backdoor and information stealer to thousands of users worldwide. The incident was mitigated by releasing a clean version (12.6.0.2445) and securing the company's infrastructure.
## Incident Details
- **Discovery Date:** Early May 2026 (Publicly disclosed by Kaspersky on May 5, 2026)
- **Incident Date:** April 8, 2026 – May 5, 2026
- **Affected Organization:** Disc Soft Limited
- **Sector:** Software Development / Utilities
- **Geography:** Global impact (Primary victims in Russia, Belarus, Thailand, Brazil, Turkey, and EU)
## Timeline of Events
### Initial Access
- **Date/Time:** April 8, 2026
- **Vector:** Build Environment Compromise (Supply Chain)
- **Details:** Attackers achieved what Disc Soft described as "unauthorized interference" with its infrastructure, which let them inject malicious code into the DAEMON Tools Lite build process.
### Lateral Movement
- **Details:** Not disclosed by the vendor. The trojanized builds shipped as normally signed Disc Soft releases, which implies the injected code went through the production build-and-sign process rather than being patched into binaries after release.
### Data Exfiltration/Impact
- **Details:** Thousands of systems were backdoored. Initial payloads exfiltrated system metadata (hostname, MAC address, processes, locale) for victim profiling. High-value targets received a second-stage backdoor and, in some cases, the "QUIC RAT."
### Detection & Response
- **How it was discovered:** Identified by Kaspersky researchers and subsequent internal investigation by Disc Soft.
- **Response actions taken:** Disc Soft secured its infrastructure, pulled the compromised version, issued a public warning within the software UI, and released a malware-free version (12.6.0.2445).
## Attack Methodology
- **Initial Access:** Supply chain compromise via build environment.
- **Persistence:** The trojanized installer set up a backdoor that activates at system startup.
- **Defense Evasion:** Use of legitimate digital signatures on trojanized binaries and execution of second-stage code directly in memory.
- **Discovery:** First-stage malware performed host profiling (processes, software, network info).
- **Lateral Movement:** Not disclosed for Disc Soft's own environment. Within victim networks, the backdoor's command channel gave the operators the access needed to move further.
- **Collection:** System metadata and victim profiling data.
- **Exfiltration:** Data sent to attacker-controlled C2 servers.
- **Impact:** Unauthorized remote access and potential for further malware deployment (QUIC RAT).
## Impact Assessment
- **Financial:** Significant costs associated with incident response, infrastructure remediation, and potential loss of premium conversions.
- **Data Breach:** System profiling data of thousands of users; potential deep compromise of government and scientific organizations.
- **Operational:** Disruption of the software release cycle and emergency infrastructure lockdown.
- **Reputational:** High; a popular utility was used as a vector for state-level or advanced cyber-espionage.
## Indicators of Compromise
- **Network indicators:** C2 over QUIC (UDP/443) for the second-stage QUIC RAT. No C2 domains or IP addresses are given in the source material.
- **File indicators:**
- DAEMON Tools Lite Versions: 12.5.0.2421 through 12.5.0.2434.
- Clean Version: 12.6.0.2445.
- **Behavioral indicators:** Unexpected outbound traffic from `DTLite.exe`; memory-only code execution; new startup entries.
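The file and behavioral indicators above can be checked together from a software inventory export and endpoint network logs. The following Python script is an added example, not part of the original report and not code from Disc Soft or Kaspersky: it flags hosts running a build in the affected range and hosts where `DTLite.exe` initiates UDP/443 (QUIC) connections. The inventory lines, the Sysmon-style events, the hostnames and the IP addresses are constructed sample data; the `host` field is an assumed collector-added field.

```python
"""Triage helper for the DAEMON Tools Lite supply chain incident.

Added example; not code from the original report, Disc Soft or Kaspersky.
The affected build range and the DTLite.exe / UDP 443 indicator come from
the report. All input data below is constructed.
"""
import json

# Affected and clean builds as listed in the report's file indicators.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
CLEAN_VERSION = (12, 6, 0, 2445)


def parse_version(text):
    """Turn '12.5.0.2421' into a comparable tuple of four integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def is_affected_version(text):
    """True for any build inside the trojanized range (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# Constructed inventory export: host,product,version (one record per line).
INVENTORY = """\
ws-017,DAEMON Tools Lite,12.5.0.2421
ws-042,DAEMON Tools Lite,12.5.0.2430
ws-101,DAEMON Tools Lite,12.6.0.2445
ws-233,DAEMON Tools Lite,12.4.0.2200
"""


def flag_inventory(text):
    """Return (host, version) for every host running an affected build."""
    hits = []
    for line in text.splitlines():
        host, product, version = line.split(",")
        if product == "DAEMON Tools Lite" and is_affected_version(version):
            hits.append((host, version))
    return hits


# Constructed Sysmon-style network connection events (one JSON object per
# line). Field names mirror Sysmon Event ID 3; 'host' is an assumed
# collector-added field. Addresses are RFC 5737 documentation ranges.
NETWORK_EVENTS = r"""
{"host":"ws-017","Image":"C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe","Protocol":"udp","DestinationPort":443,"DestinationIp":"203.0.113.10","Initiated":true}
{"host":"ws-017","Image":"C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe","Protocol":"tcp","DestinationPort":443,"DestinationIp":"198.51.100.5","Initiated":true}
{"host":"ws-042","Image":"C:\\Windows\\System32\\svchost.exe","Protocol":"udp","DestinationPort":443,"DestinationIp":"203.0.113.10","Initiated":true}
{"host":"ws-101","Image":"C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe","Protocol":"udp","DestinationPort":443,"DestinationIp":"192.0.2.7","Initiated":false}
""".strip()


def flag_network(text):
    """Return (host, peer) for DTLite.exe-initiated UDP/443 connections.

    QUIC on UDP/443 is the transport the report attributes to the RAT's C2;
    ordinary HTTPS traffic over TCP is deliberately not flagged here.
    """
    hits = []
    for line in text.splitlines():
        ev = json.loads(line)
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if (image == "dtlite.exe" and ev["Initiated"]
                and ev["Protocol"] == "udp" and ev["DestinationPort"] == 443):
            hits.append((ev["host"], ev["DestinationIp"]))
    return hits


def triage(inventory_text, events_text):
    """Merge both indicator types into one per-host view."""
    by_host = {}
    for host, version in flag_inventory(inventory_text):
        by_host.setdefault(host, {"affected_version": None, "quic_peers": []})
        by_host[host]["affected_version"] = version
    for host, peer in flag_network(events_text):
        by_host.setdefault(host, {"affected_version": None, "quic_peers": []})
        by_host[host]["quic_peers"].append(peer)
    return by_host


if __name__ == "__main__":
    for host, info in sorted(triage(INVENTORY, NETWORK_EVENTS).items()):
        print(host, info)
```

A host with both indicators (ws-017 in the sample) should be isolated first. A host on an affected build with no QUIC traffic still needs the update and a scan, since the first stage exfiltrates profiling data whether or not a second stage was ever delivered.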
## Response Actions
- **Containment:** Removal of the trojanized builds (12.5.0.2421 through 12.5.0.2434) from official download mirrors.
- **Eradication:** Infrastructure hardening and "securing of internal systems" by Disc Soft.
- **Recovery:** Release of version 12.6; implementation of an in-app warning for users on the compromised version to upgrade.
## Lessons Learned
- **Key takeaways:** Even digitally signed software from reputable vendors can be compromised at the source.
- **Code Signing Security:** Relying solely on digital signatures is insufficient if the signing environment itself is breached.
- **Build Integrity:** Automated integrity checks for binaries before public release are critical.
## Recommendations
- **For Organizations:** Implement application allowlisting and monitor for unusual behavior from "trusted" signed utilities.
- **For Developers:** Harden build pipelines with multi-factor authentication on build and signing systems, air-gapped or strongly segmented signing servers, and reproducible builds so that an independent rebuild can detect unauthorized code injection before anything is signed and released.
- **For Users:** Always update to the latest version immediately when a security advisory is issued and perform full antivirus scans if a supply chain alert is confirmed.
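The reproducible-build recommendation above reduces to one rule at release time: a build is signed only if independent builders produced byte-identical output, and any disagreement stops the release and names the builder that differs. The Python below is an added example, not Disc Soft's pipeline or any real tool: the builder names, the artifact name `setup.exe` and its contents, and the attestation format are constructed, and an HMAC stands in for the real code-signing operation so the script runs offline.

```python
"""Release gate: sign only what independent builders agree on.

Added example; not Disc Soft's pipeline or any product's code. Builders,
artifacts and the attestation format are constructed. HMAC-SHA256 stands
in for the real code-signing operation so the script runs offline.
"""
import hashlib
import hmac


class SigningRefused(Exception):
    """Raised when the gate finds disagreement between builders."""


def attest(builder, artifacts):
    """A builder's statement of what it produced: {artifact: sha256}."""
    return {"builder": builder,
            "digests": {name: hashlib.sha256(data).hexdigest()
                        for name, data in artifacts.items()}}


def gate(attestations, min_builders=2):
    """Compare per-artifact digests across builders.

    Returns (ok, report). An artifact passes only when every builder that
    produced it reports the same digest and at least min_builders did so.
    The report lists which builders produced which digest, which is the
    evidence needed to locate an injected build step.
    """
    names = set()
    for a in attestations:
        names.update(a["digests"])
    report, ok = {}, True
    for name in sorted(names):
        by_digest = {}
        for a in attestations:
            digest = a["digests"].get(name)
            if digest is not None:
                by_digest.setdefault(digest, []).append(a["builder"])
        agreed = (len(by_digest) == 1
                  and len(next(iter(by_digest.values()))) >= min_builders)
        if not agreed:
            ok = False
        report[name] = {"ok": agreed, "builders_by_digest": by_digest}
    return ok, report


def sign_release(signing_key, attestations):
    """Issue signatures over the agreed digests, or refuse the whole release."""
    ok, report = gate(attestations)
    if not ok:
        bad = [n for n, r in report.items() if not r["ok"]]
        raise SigningRefused(f"builder disagreement on {bad}: {report}")
    return {name: hmac.new(signing_key,
                           next(iter(r["builders_by_digest"])).encode(),
                           hashlib.sha256).hexdigest()
            for name, r in report.items()}


# Constructed artifacts: CLEAN is what the source should compile to;
# TAMPERED has an extra stage appended, as a compromised build environment
# would produce. KEY stands in for an HSM-held code-signing key.
CLEAN = {"setup.exe": b"\x4d\x5a" + b"installer bytes"}
TAMPERED = {"setup.exe": CLEAN["setup.exe"] + b"\x90injected-stage"}
KEY = b"stand-in-for-hsm-held-code-signing-key"


def demo():
    """A healthy release is signed; a compromised builder is refused and named."""
    healthy = sign_release(KEY, [attest("builder-a", CLEAN),
                                 attest("builder-b", CLEAN)])
    try:
        sign_release(KEY, [attest("builder-a", CLEAN),
                           attest("builder-c", TAMPERED)])
        refused = None
    except SigningRefused as exc:
        refused = str(exc)
    return healthy, refused


if __name__ == "__main__":
    healthy, refused = demo()
    print("signed:", healthy)
    print("refused:", refused)
```

The point of the structure is that the signing key never touches an artifact the gate has not approved; a single compromised builder can still emit a backdoored binary, but it cannot get it signed and published.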