DAEMON Tools devs confirm breach, release malware-free version

Why This Matters

The breach of DAEMON Tools Lite highlights the ongoing risks in software supply chains, emphasizing the importance of vigilant security practices for both developers and consumers. The incident underscores the need for timely updates and cautious software management to prevent malware infections. As cyber threats evolve, such incidents serve as a reminder for the industry to strengthen security measures across the software development lifecycle.

Key Takeaways

Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version.

In a statement published earlier today, Disc Soft says it has secured its infrastructure. Still, it has yet to attribute the attack to a specific threat actor or share additional information about the breach, including the attack vector used to access its systems, as it continues to investigate the incident.

"Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5," the company said.

"Users of other DAEMON Tools products, including paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro are not affected by this incident and can continue using their software as usual."

Users who downloaded or installed DAEMON Tools Lite version 12.5.1 (free) since April 8 are advised to uninstall the app, run a full system scan using security or antivirus software, and install the latest version of DAEMON Tools Lite (12.6) from the official website.

Disc Soft has removed the trojanized version, which is no longer supported, and now displays a warning prompting users to install the latest version of DAEMON Tools Lite.

DAEMON Tools Lite 12.5.1 warning (Will Dormann)

As cybersecurity company Kaspersky revealed on Tuesday, hackers trojanized DAEMON Tools Lite installers and used them to backdoor thousands of systems from more than 100 countries that downloaded the software from the official website since April 8.

After the unsuspecting users executed the digitally signed trojanized installers (versions ranging from 12.5.0.2421 to 12.5.0.2434), the malicious code embedded in the compromised binaries deployed a payload designed to establish persistence and activate a backdoor on system startup.

The first-stage malware dropped in the attack was a basic information stealer that collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on the results, some of the infected systems received a second stage, a lightweight backdoor that can execute commands, download files, and run code directly in memory.
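For defenders triaging a fleet, the version details above can be turned into an inventory check. The following is an added example, not code from Disc Soft, Kaspersky, or the original article; it assumes a software inventory exported as CSV with hypothetical `host`, `name`, and `version` columns, and the sample rows are constructed. Licence state (free vs. paid Lite) is not visible in such an export, so every match still needs confirmation on the host.

```python
import csv
import io

# Values from the article: trojanized installers 12.5.0.2421 to 12.5.0.2434,
# advisory wording "12.5.1", fixed release 12.6.
AFFECTED_LOW, AFFECTED_HIGH = (12, 5, 0, 2421), (12, 5, 0, 2434)
ADVISORY_VERSION = (12, 5, 1)
FIXED = (12, 6)
PRODUCT = "daemon tools lite"  # Ultra and Pro are reported as unaffected

def parse_version(text):
    """Turn '12.5.0.2427' into (12, 5, 0, 2427); None if not purely numeric."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def classify(name, version_text):
    if PRODUCT not in name.lower():
        return "not-applicable"
    v = parse_version(version_text)
    if v is None:
        return "review"      # inventory gave no usable version
    if v[:2] >= FIXED:
        return "fixed"
    if len(v) == 4 and AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"    # build number inside the reported range
    if v[:3] == ADVISORY_VERSION:
        return "affected"    # version named in the vendor's uninstall advice
    if v[:2] == (12, 5):
        return "review"      # 12.5 line, build missing or outside the range
    return "other"           # older than 12.5, not covered by the article

def triage(inventory_csv):
    """Return (host, version, status) for rows needing action or a manual check."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["name"], row["version"])
        if status in ("affected", "review"):
            hits.append((row["host"], row["version"], status))
    return hits

# Constructed sample inventory; host names and out-of-range builds are made up.
SAMPLE = """host,name,version
ws-01,DAEMON Tools Lite,12.5.0.2427
ws-02,DAEMON Tools Lite,12.6.0.2445
ws-03,DAEMON Tools Ultra,7.0.0.1
ws-04,DAEMON Tools Lite,12.5.1
ws-05,DAEMON Tools Lite,12.5.0
ws-06,daemon tools lite,12.5.0.2420
ws-07,DAEMON Tools Lite,unknown
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
```

Hosts marked `affected` follow the article's remediation advice (uninstall, full scan, install 12.6 from the official website); `review` rows need the installer build checked by hand.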
