DAEMON Tools (Disc Soft) — trojanised signed installers

Kaspersky reveals that official DAEMON Tools Lite installers, signed with the vendor's own certificate, had been trojanised since April, deploying a backdoor to victims in more than 100 countries.

Target: DAEMON Tools (Disc Soft) — trojanised signed installers
Date public: 5 May 2026
Sector: Technology
Attack type: Supply Chain
Threat actor: Unattributed
Severity: High
Region: Global

On 5 May 2026 Kaspersky published research showing that official DAEMON Tools Lite installers distributed from the vendor’s own website had been trojanised from 8 April until the release of a clean version 12.6 on 5 May. The affected installer versions, 12.5.0.2421 through 12.5.0.2434, were signed with valid digital certificates belonging to DAEMON Tools’ developer, Disc Soft.

The attackers modified three components — DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe — to deliver a backdoor capable of arbitrary command execution and remote control of the infected host. Kaspersky telemetry recorded several thousand infection attempts across more than 100 countries, but second-stage payloads were delivered to only roughly a dozen targets. Government and scientific-research entities feature among those that received further-stage payloads, suggesting selective exploitation rather than mass deployment.

The compromise sits within a clear 2026 thread of signed-installer supply-chain attacks: eScan in January, Notepad++ in February, CPUID in April and DAEMON Tools in May. Attribution has not been published. The compromise vector — whether the build pipeline, the signing infrastructure or the website’s hosting environment — has not been disclosed in primary detail, and Disc Soft has not issued a public technical post-mortem at the time of writing.

A deep-dive will follow once attribution lands, the compromise vector is documented, and any second-stage payload analysis is published. The early defender lens is signature-trust: when a code-signing certificate is itself the attacker’s tool, allowlist-based trust collapses, and the durable controls become runtime behaviour analytics, network-egress segmentation, and treating any signed binary’s outbound connection profile as the integrity anchor rather than the signature itself.
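As an added illustration of that defender lens (not code from Kaspersky, Disc Soft or the original write-up), the helper below checks an installer version against the affected range named above and flags outbound connections from the three modified components in a constructed, simplified process-network log. The log format, field names and addresses are assumptions for the example; note that the `signed` field is deliberately not used to clear a hit, because the trojanised builds carry a valid signature.

```python
"""Triage helper for the trojanised DAEMON Tools Lite installers (added example)."""
import re

# Affected installer versions named in the research (from the page).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# The three components the attackers modified (from the page), lower-cased.
MODIFIED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}


def parse_version(text):
    """Turn '12.5.0.2430' into a comparable tuple of ints."""
    return tuple(int(part) for part in text.strip().split("."))


def version_in_affected_range(text):
    """True if the installer version lies inside the trojanised range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# Constructed log line shape (assumption, not a real product format):
#   <timestamp> pid=<n> image=<full path> signed=<yes|no> dest=<ip>:<port>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"signed=(?P<signed>yes|no) dest=(?P<dest>\S+)$"
)


def flag_outbound_connections(lines):
    """Return (timestamp, image name, destination, signed) for every outbound
    connection made by one of the modified components. A valid signature is
    reported but never used to suppress the hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        image_name = m["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image_name in MODIFIED_COMPONENTS:
            hits.append((m["ts"], image_name, m["dest"], m["signed"] == "yes"))
    return hits


# Constructed sample log; addresses are from documentation ranges, not real IoCs.
SAMPLE_LOG = [
    "2026-04-20T10:01:02Z pid=4120 image=C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe signed=yes dest=203.0.113.7:443",
    "2026-04-20T10:01:05Z pid=4200 image=C:\\Windows\\System32\\svchost.exe signed=yes dest=203.0.113.9:443",
    "2026-04-20T10:02:30Z pid=4300 image=C:\\Program Files\\DAEMON Tools Lite\\DiscSoftBusServiceLite.exe signed=yes dest=198.51.100.4:8443",
]

if __name__ == "__main__":
    print(version_in_affected_range("12.5.0.2430"))
    for hit in flag_outbound_connections(SAMPLE_LOG):
        print(hit)
```

A version inside the range is only an indicator that the installer build came from the affected window; the outbound-connection hits are what warrant host isolation and further review.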
