Malware & Threats Vendor Says Daemon Tools Supply Chain Attack Contained The software developer has identified the impacted systems, removed potentially compromised files, and validated installation packages. By Ionut Arghire | May 7, 2026 (9:21 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Daemon Tools developer Disc Soft has confirmed falling victim to an intrusion that led to a targeted supply chain attack. The incident came to light earlier this week, when Kaspersky warned that thousands of computers might have been infected with malware after downloading trojanized versions of Daemon Tools from the official website. According to Kaspersky, Chinese-speaking threat actors injected Daemon Tools iterations released between April 8 and May 5 with code designed to download and execute an information collector. Out of thousands of infected machines, the attackers then selected roughly a dozen to infect with a backdoor, and targeted a Russian educational institution with a second, more complex backdoor as well. The initial backdoor, Kaspersky says, was deployed on systems of government, scientific, manufacturing, and retail organizations in Belarus, Russia, and Thailand. On Wednesday, Disc Soft confirmed that hackers compromised certain installation packages, but said that the impact was limited to the free version of Daemon Tools Lite. Advertisement. Scroll to continue reading. After learning of the issue, the company isolated and secured the affected systems, removed potentially compromised files from distribution, rebuilt and validated installation packages, and made a clean iteration of Daemon Tools Lite, namely version 12.6.0.2445, available on May 5. “Our investigation is ongoing as we continue to analyze the root cause and full scope of the incident. At this stage, we are not attributing the incident to any specific third party. We are carefully reviewing all components of our infrastructure to ensure a complete and accurate understanding of what occurred,” the company said. Disc Soft says only Daemon Tools Lite version 12.5.1 was compromised, the issue has been contained, and no other products, such as Daemon Tools Ultra and Daemon Tools Pro, have been affected. Users who downloaded the trojanized software release, however, need to clean their systems too. For that, they should uninstall Daemon Tools Lite and scan the machine for malware. “We are also enhancing our verification procedures to further reduce the risk of similar incidents in the future,” Disc Soft said. Related: Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack Related: SAP NPM Packages Targeted in Supply Chain Attack Related: Checkmarx Confirms Data Stolen in Supply Chain Attack Related: ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Sophisticated Quasar Linux RAT Targets Software Developers Government, Scientific Entities Hit via Daemon Tools Supply Chain Attack Oracle Debuts Monthly Critical Security Patch Updates Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft Critical, High-Severity Vulnerabilities Patched in Apache MINA, HTTP Server Karakurt Ransomware Negotiator Sentenced to Prison MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs DigiCert Revokes Certificates After Support Portal Hack Latest News AI Coding Agents Could Fuel Next Supply Chain Crisis Webinar Today: Securing Identity Across Humans, Machines and AI Cisco Patches High-Severity Vulnerabilities in Enterprise Products Gemini CLI Vulnerability Could Have Led to Code Execution, Supply Chain Attack Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion Autonomous Offensive Security Firm XBOW Raises $35 Million Herd Security Raises $3 Million for AI-Powered Training Platform Iranian APT Intrusion Masquerades as Chaos Ransomware Attack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the Move Remedio has appointed of Cynthia Stanton as Chief Marketing Officer. Jacki Monson has joined CVS Health as SVP, Deputy CISO. Gigi Schumm has been promoted to Chief Revenue Officer at Securonix. More People On The Move Expert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email