Daemon Tools Lite: Infected installers due to supply chain attack
Officially signed Daemon Tools installers from the manufacturer's website contain malware, apparently as the result of a supply chain attack.
Anyone who downloaded Daemon Tools Lite from the manufacturer's website since April 8 has loaded malware onto their computer. The installers are signed with official digital certificates and look legitimate at first glance. Apparently, it is a supply chain attack.
The infected installers were discovered by Kaspersky's virus analysts. In their investigation, they state that the installers have been trojanized since April 8, 2026, and that this continues with the downloads currently available. The IT researchers discovered this at the beginning of May and were then able to identify the older infected installers. The affected versions are therefore Daemon Tools and Daemon Tools Lite from version 12.5.0.2421 up to 12.5.0.2434. An analysis of version 12.5.0.233b of the Lite installer on VirusTotal confirms that the files currently downloadable from the official Daemon Tools website are infected, with a heuristic detection by Kaspersky (HEUR:Trojan.Win64.Agent.gen). (Warning: the downloads were still trojanized at the time of reporting!) Kaspersky has contacted the manufacturer of Daemon Tools, AVB Disc Soft, but apparently without success so far.
Based on the malware analysis, the IT researchers classify the attackers as Chinese-speaking. Telemetry from Kaspersky sensors indicates that individuals and organizations in more than 100 countries have installed an infected version of the software, which is used for handling disk images such as ISO images. However, only a dozen of all affected machines downloaded further malware stages; these belonged to organizations in the retail, science, government, and manufacturing sectors, which points to targeted attacks. The victims are located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
Further details
Interested parties can find more in-depth details about the malware and the infected files in the Kaspersky analysis. The malware collects information, including hardware data such as MAC addresses and details about running processes and installed software. It also includes a minimalist backdoor. Finally, Kaspersky provides a long list of indicators of compromise (IOCs).
Recently, there has been an increase in attacks in which malicious actors inject malicious code into otherwise trustworthy software. At the end of last year, the powerful text editor Notepad++ was affected. The website of CPUID, which hosts the popular tools CPU-Z and HWMonitor, also distributed malware in mid-April.
(dmk)