DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
Summary
Hide ▲
Show ▼
A DAEMON Tools supply-chain compromise is delivering trojanized installers that install a backdoor and steal system data from downloaded systems. The activity has run since April 8 and remains ongoing, affecting thousands of systems in more than 100 countries. Only a dozen machines received second-stage payloads, which points to selective targeting of higher-value victims. Observed later-stage infections include organizations in Russia, Belarus, and Thailand.
Related Happenings
Daemon Tools Lite trojanized installer campaign
Campaign
First: 07.05.2026 12:30
Last: 07.05.2026 12:30
Sources 1
About this happening:
A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
Daemon Tools Lite trojanized installer campaign
CampaignAbout this happening: A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
DAEMON Tools Lite trojanized installer wave
Exploitation Wave
First: 06.05.2026 19:43
Last: 06.05.2026 19:43
Sources 1
About this happening:
Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
DAEMON Tools Lite trojanized installer wave
Exploitation WaveAbout this happening: Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware ActivityAbout this happening: A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
Latest development: 07.05.2026 12:30
Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
AVB Disc Soft hit by network compromise
Incident
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
**DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
AVB Disc Soft hit by network compromise
IncidentAbout this happening: **DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
Latest development: 07.05.2026 12:30
Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.
Dragon Boss Solutions LLC adware malicious update
Malware Activity
First: 16.04.2026 22:07
Last: 16.04.2026 22:07
Sources 1
About this happening:
A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Dragon Boss Solutions LLC adware malicious update
Malware ActivityAbout this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...
Timeline
-
05.05.2026 22:21 1 articles · 21d ago
Trojanized DAEMON Tools installers begin staged infections
Campaign Scope UpdateTrojanized DAEMON Tools installers distributed from the official website begin delivering a backdoor on systems that download the product on or after April 8, causing thousands of infections in more than 100 countries. Only a dozen machines receive second-stage payloads, including at least one Russian educational institute, and later-stage victims include retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
Show sources
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — www.bleepingcomputer.com — 05.05.2026 22:21
-
05.05.2026 22:21 2 articles · 21d ago
Kaspersky discloses an ongoing DAEMON Tools supply-chain compromise
Initial DisclosureAn ongoing supply-chain compromise of DAEMON Tools installers is identified on May 5, 2026, with affected versions 12.5.0.2421 through 12.5.0.2434 and compromised DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries. The first-stage malware profiles hosts by collecting system data, and strings in the payload suggest a Chinese-speaking attacker.
Show sources
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — www.bleepingcomputer.com — 05.05.2026 22:21
- DAEMON Tools trojanized in supply-chain attack to deploy backdoor — www.bleepingcomputer.com — 05.05.2026 22:21