Vendor Says Daemon Tools Supply Chain Attack Contained
The software developer has identified the impacted systems, removed potentially compromised files, and validated installation packages.

Aggregated from SecurityWeek
Daemon Tools developer Disc Soft has confirmed falling victim to an intrusion that led to a targeted supply chain attack.
The incident came to light earlier this week, when Kaspersky warned that thousands of computers might have been infected with malware after downloading trojanized versions of Daemon Tools from the official website.
According to Kaspersky, Chinese-speaking threat actors injected Daemon Tools iterations released between April 8 and May 5 with code designed to download and execute an information collector.
Out of thousands of infected machines, the attackers then selected roughly a dozen to infect with a backdoor, and targeted a Russian educational institution with a second, more complex backdoor as well.
The initial backdoor, Kaspersky says, was deployed on systems of government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand.
On Wednesday, Disc Soft confirmed that hackers compromised certain installation packages, but said that the impact was limited to the free version of Daemon Tools Lite.
After learning of the issue, the company isolated and secured the affected systems, removed potentially compromised files from distribution, rebuilt and validated installation packages, and made a clean iteration of Daemon Tools Lite, namely version 12.6.0.2445, available on May 5.
“Our investigation is ongoing as we continue to analyze the root cause and full scope of the incident. At this stage, we are not attributing the incident to any specific third party. We are carefully reviewing all components of our infrastructure to ensure a complete and accurate understanding of what occurred,” the company said.
Disc Soft says only Daemon Tools Lite version 12.5.1 was compromised, the issue has been contained, and no other products, such as Daemon Tools Ultra and Daemon Tools Pro, have been affected.
Users who downloaded the trojanized software release, however, need to clean their systems too. For that, they should uninstall Daemon Tools Lite and scan the machine for malware.
“We are also enhancing our verification procedures to further reduce the risk of similar incidents in the future,” Disc Soft said.