Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

DAEMON Tools Lite trojanized installer wave

Exploitation Wave
First reported
Last updated
Happening score
H score 30
2 unique sources, 2 articles

Summary

Hide ▲

Trojanized DAEMON Tools Lite installers backdoored thousands of systems in more than 100 countries, turning a trusted download path into a broad infection wave. The compromised installer line affected downloads from the official website since April 8 and was later replaced with a clean Version 12.6. The wave mattered because the malicious code established persistence, enabled a startup backdoor, and in some cases deployed a second-stage QUIC RAT payload.

Related Happenings

Daemon Tools Lite trojanized installer campaign

Campaign
First: 07.05.2026 12:30 Last: 07.05.2026 12:30 Sources 1

How related: “Starting from early April, we observed several thousands of infection attempts involving Daemon Tools in our telemetry, with individuals and organizations in more than 100 countries being affected,” the cybersecurity firm explained.

About this happening: A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...

Open Happening

DAEMON Tools trojanized-installer stealer and backdoor activity

Malware Activity
First: 05.05.2026 22:21 Last: 05.05.2026 22:21 Sources 1

About this happening: A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...

Open Happening

AVB Disc Soft hit by network compromise

Incident
First: 05.05.2026 19:07 Last: 05.05.2026 19:07 Sources 1

How related: Following an internal investigation, we identified unauthorized interference within our infrastructure. As a result, certain installation packages were impacted within our build environment and were released in a compromised state. Version 12.6 of DAEMON Tools Lite, which does not contain the suspected compromised files, was released on May 5.

About this happening: **DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...

Latest development: 07.05.2026 12:30

Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.

Open Happening

QUIC RAT delivered through compromised DAEMON Tools installers

Malware Activity
First: 05.05.2026 19:07 Last: 05.05.2026 19:07 Sources 1

How related: In at least one case, Kaspersky observed the deployment of a QUIC RAT malware, which can inject malicious code into legitimate processes and supports multiple communication protocols.

About this happening: A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...

Latest development: 07.05.2026 12:30

Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.

Open Happening

Dragon Boss Solutions LLC adware malicious update

Malware Activity
First: 16.04.2026 22:07 Last: 16.04.2026 22:07 Sources 1

About this happening: A **March 22, 2025** malicious update turned **Dragon Boss Solutions LLC** adware into an **AV-disabling** payload, exposing nearly **24,000 systems** to follow-on abuse. The upda...

Open Happening

Timeline

  1. 06.05.2026 19:43 1 articles · 21d ago

    Trojanized DAEMON Tools Lite installers begin backdooring users

    Exploitation Observed

    Trojanized DAEMON Tools Lite installers distributed from the official website began reaching users since April 8, and execution of the digitally signed packages deployed persistence on system startup, host profiling, and in some cases a second-stage backdoor or QUIC RAT.

    Show sources
    Open in new tab
  2. 06.05.2026 19:43 2 articles · 21d ago

    Disc Soft releases clean DAEMON Tools Lite 12.6

    Mitigation Patch Update

    Disc Soft released DAEMON Tools Lite 12.6 on May 5 after removing compromised installation packages from its build environment, and advised users of the free DAEMON Tools Lite version 12.5.1 installed since April 8 to uninstall the app, run a full system scan, and install the latest build from the official website.

    Show sources
    Open in new tab
  3. 06.05.2026 19:43 1 articles · 21d ago

    Disc Soft confirms free DAEMON Tools Lite compromise

    Initial Disclosure

    On May 6, Disc Soft Limited confirmed a supply chain attack against the free DAEMON Tools Lite version, said unauthorized interference affected installation packages in its build environment, and stated that DAEMON Tools Pro and DAEMON Tools Ultra were not affected, while Kaspersky said the trojanized installers had backdoored thousands of systems in more than 100 countries.

    Show sources
    Open in new tab