Overview
- Kaspersky disclosed Tuesday that trojanized DAEMON Tools Lite installers signed with AVB Disc Soft certificates had been live since April 8.
- Disc Soft confirmed the compromise and released DAEMON Tools Lite 12.6.0.2445, telling users of the free 12.5.1 build to uninstall and install the new version from the official site.
- The company says the incident was limited to the free Lite edition, and that DAEMON Tools Pro and DAEMON Tools Ultra were not affected.
- Malicious installers for versions 12.5.0.2421–12.5.0.2434 tampered with DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe to run at startup and contact env-check.daemontools.cc, which in select cases delivered a backdoor and the QUIC RAT.
- Kaspersky telemetry shows thousands of infections across more than 100 countries but only about a dozen backdoor deployments to organizations in Russia, Belarus, and Thailand, reflecting a broader 2026 trend of attackers abusing trusted software updates.