DAEMON Tools Lite breach prompts urgent update after malware-laced installer

Disc Soft says the compromised DAEMON Tools Lite installer has been removed and replaced with a clean version.

DAEMON Tools Lite installers tampered with

Disc Soft Limited has confirmed that DAEMON Tools Lite was hit by a supply chain attack that let attackers tamper with installation packages released through the software’s own distribution channel. The company said it found unauthorized interference in its infrastructure and some packages were released in a compromised state.

The incident affected the free DAEMON Tools Lite 12.5.1 release, while Disc Soft says DAEMON Tools Pro, DAEMON Tools Ultra and paid versions were not affected. A new build, DAEMON Tools Lite 12.6.0.2445, was released on May 5—a version that “does not contain the suspected compromised files,” according to a company advisory.

Backdoor reached users in over 100 countries

Security researchers said the campaign began on April 8 and involved digitally signed Windows installers served from the official DAEMON Tools website. The tampered versions reportedly included components such as DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe.

The first-stage malware collected system details, including hostnames, MAC addresses, running processes, installed programs and locale information. Some victims received a second-stage backdoor capable of executing commands, downloading files and running code in memory. In at least one observed case, attackers deployed QUIC RAT.

Users should remove 12.5.1 and scan system

Anyone who installed the free DAEMON Tools Lite 12.5.1 version during the affected period should uninstall it, run a full antivirus scan and download version 12.6 from the official website. Organizations should also review systems for suspicious activity dating back to April 8.

For scenarios like these, a reputable security suite can help catch leftover malware, suspicious behavior or credential-related risks after the fact. Bitdefender Ultimate Security is the right fit for this kind of cleanup and follow-up protection, combining anti-malware defenses with privacy tools, a password manager, scam protection, breach notifications and digital identity protection.