Overview
- Disc Soft said Wednesday it rebuilt its pipeline and pushed DAEMON Tools Lite 12.6.0.2445 on Tuesday after confirming trojanized installers, and it said the impact was limited to the free Lite 12.5.1 line.
- Researchers at Kaspersky reported Tuesday that installers signed with AVB Disc Soft certificates had been tampered with since April 8, covering versions 12.5.0.2421 through 12.5.0.2434.
- The tampered apps ran at startup and called a look‑alike domain, env-check.daemontools.cc, to fetch commands that pulled a .NET info‑collector and a small loader.
- Kaspersky telemetry shows several thousand first‑stage infections in more than 100 countries, yet only about a dozen organizational systems in Russia, Belarus, and Thailand received a follow‑on backdoor, with one QUIC RAT case at a Russian school.
- Attribution remains unconfirmed, though Chinese‑language strings appear in artifacts. Users who installed DAEMON Tools since April 8 are urged to uninstall the affected builds, scan their PCs, and move to the cleaned release; the incident comes in a year marked by multiple signed‑software supply‑chain hits.
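
A triage check built from the indicators above, as an added example that is not code from Disc Soft or Kaspersky: it flags hosts whose software inventory shows a build in the 12.5.0.2421 to 12.5.0.2434 range and hosts whose DNS log shows a lookup of env-check.daemontools.cc. The inventory tuples, host names and the `<time> <host> query <name>` log format are assumptions, and the sample data is constructed.

```python
import re

AFFECTED_LOW = (12, 5, 0, 2421)    # first tampered build named in the overview
AFFECTED_HIGH = (12, 5, 0, 2434)   # last tampered build named in the overview
C2_DOMAIN = "env-check.daemontools.cc"  # look-alike domain named in the overview

def parse_version(text):
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); None if not four numeric parts."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_affected(version_text):
    """Compare numerically: as strings, '12.5.0.24300' would sort inside the range."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_LOW <= v <= AFFECTED_HIGH

def queried_c2(name):
    """Match the domain or a subdomain of it, ignoring case and a trailing dot."""
    n = name.strip().lower().rstrip(".")
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)

def triage(inventory, dns_lines):
    """Return (hosts with an affected build, hosts that looked up the domain)."""
    installed = {host for host, product, ver in inventory
                 if "daemon tools" in product.lower() and is_affected(ver)}
    contacted = set()
    for line in dns_lines:
        m = re.match(r"\S+\s+(\S+)\s+query\s+(\S+)", line)
        if m and queried_c2(m.group(2)):
            contacted.add(m.group(1))
    return installed, contacted

# Constructed sample data: hypothetical hosts and an assumed log layout.
INVENTORY = [
    ("ws-01", "DAEMON Tools Lite", "12.5.0.2425"),   # inside the reported range
    ("ws-02", "DAEMON Tools Lite", "12.6.0.2445"),   # the rebuilt release
    ("ws-03", "DAEMON Tools Lite", "12.5.0.24300"),  # only a string compare matches
    ("ws-04", "Other App", "12.5.0.2430"),           # different product
]
DNS_LOG = [
    "00:00:01 ws-01 query ENV-CHECK.daemontools.cc.",
    "00:00:02 ws-02 query updates.example.com",
    "00:00:03 ws-05 query env-check.daemontools.cc.example.org",  # suffix decoy
]

if __name__ == "__main__":
    print(triage(INVENTORY, DNS_LOG))
```

A host that appears in the second set but not the first is still worth a look, since the inventory may have been collected after the software was removed.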