Overview
- Kaspersky disclosed the compromise Tuesday, saying DAEMON Tools Lite installers from the official site were trojanized starting April 8 and that the campaign was still active this week.
- Disc Soft said attackers interfered with its build environment. The company removed the bad downloads and published DAEMON Tools Lite 12.6 as a clean release, and stated that paid editions were not affected.
- The company advises users who installed free Lite 12.5 builds since April 8 to uninstall them, run a full antivirus scan, and then install version 12.6 from the official site.
- Telemetry showed several thousand attempts to push follow-on payloads in roughly 100 countries, but only about a dozen organizational systems in Russia, Belarus, and Thailand received a second-stage backdoor, with QUIC RAT observed once at a Russian educational institution.
- Three signed binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) loaded an info-gatherer and a lightweight backdoor from a look-alike domain. Researchers say artifacts point to a Chinese-language actor, as part of a broader 2026 trend of trusted installer compromises including Notepad++, CPUID, and eScan.