DAEMON Tools Lite Supply Chain Attack Vulnerability

A supply chain attack has compromised the official installation packages of DAEMON Tools Lite for Windows, specifically versions 12.5.0.2421 to 12.5.0.2434. These packages were distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. During this period, attackers gained unauthorized access to the vendor's build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These malicious binaries were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing them to bypass signature-based detection and appear trustworthy.

Impact

The compromised installers, once executed, activate a backdoor that communicates with a malicious server, allowing attackers to execute commands and download additional payloads. This backdoor was used to deploy various malicious tools, including a data collector and a more complex remote access trojan, QUIC RAT, which was observed targeting a specific organization in Russia.

Remediation

Users are advised to uninstall DAEMON Tools Lite version 12.5.1 (free) and run a full system scan with trusted security software. The latest version of DAEMON Tools Lite (12.6) can be downloaded from the official website. For those using other DAEMON Tools products, including paid versions of DAEMON Tools Lite, DAEMON Tools Ultra, and DAEMON Tools Pro, no action is needed as these products are not affected by the incident.