DAEMON Tools Lite Trojanized in Supply Chain Attack, Backdooring Thousands
**Disc Soft Limited**, the developer of **DAEMON Tools Lite**, has confirmed a supply chain attack that compromised the free version of their software. Threat actors injected malware into the installers, potentially backdooring thousands of systems worldwide. Users are urged to update to the latest version immediately.

**Supply Chain Attack on DAEMON Tools Lite**
**Disc Soft Limited**, the maker of **DAEMON Tools Lite**, has confirmed that the software was trojanized in a supply chain attack. A new, malware-free version has been released to address the issue.
"Within less than 12 hours of identifying the issue, we were able to implement a solution. Based on our current findings, the issue was limited to the free **DAEMON Tools Lite** version and did not affect any of our other products," **Disc Soft** told BleepingComputer.
"We have not identified evidence supporting claims that all **DAEMON Tools** users were impacted, and at this stage, we are not in a position to confirm any impact on paid versions customers. Our current analysis indicates that **DAEMON Tools Pro** and **DAEMON Tools Ultra** were not affected and absolutely safe."
**Infrastructure Secured, Investigation Ongoing**
In a separate statement, **Disc Soft** stated they have secured their infrastructure. However, the company has not yet attributed the attack to a specific threat actor or shared details about the breach, including the attack vector used to access their systems, as the investigation continues.
"Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of **DAEMON Tools Lite**, which does not contain the suspected compromised files, was released on May 5," the company said.
"Users of other **DAEMON Tools** products, including paid versions of **DAEMON Tools Lite**, **DAEMON Tools Ultra**, and **DAEMON Tools Pro** are not affected by this incident and can continue using their software as usual."
**Affected Users and Remediation**
Users who downloaded or installed **DAEMON Tools Lite** version 12.5.1 (free) since April 8 are advised to uninstall the app, run a full system scan using security or antivirus software, and install the latest version of **DAEMON Tools Lite** (12.6) from the official website.
**Disc Soft** has removed the trojanized version, which is no longer supported, and now displays a warning prompting users to install the latest version of **DAEMON Tools Lite**.
**Kaspersky's Discovery**
As **Kaspersky** revealed, hackers trojanized **DAEMON Tools Lite** installers and used them to backdoor thousands of systems in over 100 countries. The victims had downloaded the software from the official website since April 8.
After unsuspecting users executed the digitally signed trojanized installers (versions ranging from 12.5.0.2421 to 12.5.0.2434), malicious code embedded in the compromised binaries deployed a payload. This payload was designed to establish persistence and activate a backdoor on system startup.
**Malware Payload and Data Exfiltration**
The first-stage malware dropped in the attack was a basic information stealer. It collected system data (including hostname, MAC address, running processes, installed software, and system locale) and sent it to attacker-controlled servers for victim profiling. Based on these profiles, some infected systems received a second stage: a lightweight backdoor capable of executing commands, downloading files, and running code directly in memory.
In at least one instance, **Kaspersky** observed the deployment of **QUIC RAT** malware, which can inject malicious code into legitimate processes and supports multiple communication protocols.
**Victim Demographics**
During the investigation, **Kaspersky** found that retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand, as well as home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China, were among the victims whose devices were infected with malicious payloads.
**Updated Version Released**
In an update to their original report, **Kaspersky** confirmed that **DAEMON Tools Lite** 12.6.0, released recently, no longer exhibits malicious behavior.
"Following disclosure, the vendor acknowledged the issue and published a new version of the software to address it," **Kaspersky** said. "The updated **DAEMON Tools** version 12.6.0.2445 no longer shows the malicious behavior."
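The version numbers reported above can be turned into a quick fleet triage. The following is an added example, not code from Disc Soft, Kaspersky or the original article: it classifies a software inventory export against the trojanized build range, the version named in the vendor's uninstall advice, and the fixed release line. The CSV columns, the product-name string and the status labels are assumptions, and the sample rows are constructed.

```python
import csv
import io

TROJANIZED_LOW = (12, 5, 0, 2421)    # first trojanized build per Kaspersky
TROJANIZED_HIGH = (12, 5, 0, 2434)   # last trojanized build per Kaspersky
VENDOR_ADVISORY = (12, 5, 1)         # version named in the vendor's uninstall advice
FIXED_FROM = (12, 6)                 # vendor's replacement release line

# Constructed sample inventory; column names and product strings are assumptions.
SAMPLE_INVENTORY = """host,product,version
ws-001,DAEMON Tools Lite,12.5.0.2421
ws-002,DAEMON Tools Lite,12.6.0.2445
ws-003,DAEMON Tools Ultra,1.2.3.4
ws-004,DAEMON Tools Lite,12.5.1
ws-005,daemon tools lite,12.5.0.2434
ws-006,DAEMON Tools Lite,unknown
ws-007,DAEMON Tools Lite,12.5.0.2420
"""

def parse_version(text):
    """Return the dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Map a version string to a triage status (labels are this example's own)."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"            # cannot decide from version: check by hand
    if len(v) == 4 and TROJANIZED_LOW <= v <= TROJANIZED_HIGH:
        return "trojanized-range"
    if v[:3] == VENDOR_ADVISORY:
        return "vendor-advisory"
    if v >= FIXED_FROM:
        return "fixed"
    return "other"                   # older build outside every range on the page

def triage(inventory_csv):
    """Return {host: status} for DAEMON Tools Lite rows only."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != "daemon tools lite":
            continue                 # Pro and Ultra were reported unaffected
        results[row["host"]] = classify(row["version"])
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A version match cannot tell a free install from a paid one, so hosts flagged `trojanized-range` or `vendor-advisory` are candidates for the uninstall, scan and reinstall steps described above.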
