Disc Soft, developer of the widely used Daemon Tools Lite disk image management software, has confirmed its build infrastructure was compromised between April 8 and early May 2026. Installation packages for version 12.5.1 were silently modified to deliver a RAT (Remote Access Trojan — malware that gives an attacker persistent, covert remote control over an infected system). Kaspersky detected thousands of infection attempts across more than 100 countries before Disc Soft released a clean replacement on May 5, 2026. Approximately a dozen organizations received further-stage payloads beyond the initial trojan.
What Happened: A Build Pipeline Compromise
Disc Soft's official statement confirms "unauthorized interference within our infrastructure," specifying that "certain installation packages were impacted within our build environment." This is a software supply chain attack — specifically, a build pipeline compromise, where an attacker infiltrates the vendor's software build or distribution infrastructure and injects malicious code into otherwise legitimate installers that are then digitally signed, hosted, and distributed through official channels.
This attack model is particularly dangerous because standard security defenses fail against it:
- The malicious installer originates from the vendor's official website, with a valid publisher certificate
- Checking the download URL or verifying the digital signature provides no protection — the signature covers the compromised file
- The malware executes immediately upon installation, before behavioral security tools have had a chance to baseline and flag the newly installed software
- Users and security teams have no reason to suspect an installation from a known, trusted vendor
Daemon Tools Lite is a long-established Windows utility (available since 2000) for mounting disk images in formats including ISO, MDF, and BIN. It is used by both home users and enterprise IT departments for software deployment, application packaging, and media management. The software has millions of users globally across consumer and business environments.
The Payload: Quic RAT
The malware injected into the compromised Daemon Tools Lite installers is identified as Quic RAT — a Remote Access Trojan that communicates over the QUIC protocol (Quick UDP Internet Connections — a modern transport-layer protocol developed by Google and standardized by the IETF, designed for low-latency, encrypted connections using UDP rather than TCP).
QUIC-based C2 communications are notable from a security operations perspective because:
- QUIC operates over UDP rather than TCP, and many network security tools and firewalls apply less inspection to UDP traffic than to TCP
- QUIC connections are encrypted by default (using TLS 1.3 semantics), blocking payload inspection even where UDP inspection is in place
- QUIC connections typically use UDP port 443, the same port that legitimate HTTP/3 (QUIC-based HTTPS) browser traffic uses, so C2 sessions blend in with normal web traffic and visibility is reduced further
On infected systems, Quic RAT was observed performing process injection — specifically injecting payloads into notepad.exe and conhost.exe, two standard Windows processes. Process injection (MITRE ATT&CK T1055 — Process Injection) executes malicious code inside the memory space of a legitimate, trusted Windows process, hiding it from process-listing tools that only check executable file paths and making behavioral detection significantly harder.
Scale and Targeting
Kaspersky detected thousands of infection attempts across more than 100 countries — the global reach is consistent with the worldwide distribution of Daemon Tools Lite's user base. Of those thousands of initial infections, only approximately a dozen organizations received a further-stage payload beyond the initial Quic RAT installation.
This selective escalation — deploying additional payloads to roughly a dozen high-value targets while leaving the remaining thousands at the RAT stage — is a behavioral indicator characteristic of a targeted intelligence-gathering operation rather than broad commodity cybercrime. Ransomware operators, for example, typically deploy encryption payloads as broadly as possible to maximize ransom potential. Selectively escalating against a small subset of victims suggests the attacker was sifting the Daemon Tools user base for organizations of specific value.
The dozen organizations receiving further-stage payloads operated in four sectors: retail, scientific research, government, and manufacturing. This cross-sector targeting profile does not cleanly fit a single nation-state motivation but is consistent with either an APT (Advanced Persistent Threat — a sophisticated, often state-sponsored threat actor conducting long-term intrusion campaigns) focused on intelligence collection, or an initial-access broker building a portfolio of high-value accesses for resale.
Affected Versions
The compromised version is specifically Daemon Tools Lite 12.5.1. Malicious installation packages were distributed from April 8, 2026 through early May 2026 via the official Daemon Tools website.
Disc Soft released version 12.6.0.2445 on May 5, 2026, which is clean and has been verified not to contain the Quic RAT payload.
Affected if: You installed or updated Daemon Tools Lite to version 12.5.1 between April 8 and May 5, 2026.
What You Should Do Right Now
- Uninstall Daemon Tools Lite version 12.5.1 immediately. Use Windows Settings > Apps & Features (or Control Panel > Programs) to remove the affected version.
- Download and install version 12.6.0.2445 from the official Daemon Tools website at https://www.daemon-tools.cc. Verify you are downloading from the correct domain before running the installer.
- Run a full endpoint security scan immediately after removing 12.5.1. Kaspersky (which discovered this campaign), Microsoft Defender, and major EDR (Endpoint Detection and Response) platforms have or will shortly have detection signatures for Quic RAT.
- Hunt for process injection artifacts. Use Process Explorer (Microsoft Sysinternals) or your EDR platform's process telemetry to inspect memory maps in notepad.exe and conhost.exe processes for unexpected injected regions.
- Monitor for QUIC traffic on UDP 443. If your firewall or network monitoring platform logs UDP 443 traffic, filter for outbound connections from unexpected processes or hosts. Quic RAT C2 activity would appear as encrypted UDP 443 sessions initiated from non-browser processes.
- For organizations: Pull endpoint management records (SCCM, Intune, or equivalent) to identify all hosts that installed Daemon Tools Lite 12.5.1 during the April 8–May 5 window. Prioritize forensic investigation of those systems, especially if they fall in the retail, scientific, government, or manufacturing sectors that received further-stage payloads.
# Check installed Daemon Tools version via PowerShell
# (Win32_Product enumeration is slow and triggers MSI consistency checks; run it once per host)
Get-CimInstance -ClassName Win32_Product |
    Where-Object { $_.Name -like "*Daemon Tools*" } |
    Select-Object Name, Version
# List notepad/conhost PIDs to inspect for injected regions in Process Explorer or your EDR
# (requires admin; Get-Process itself cannot see injected memory regions)
Get-Process notepad, conhost -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Host "PID: $($_.Id) - $($_.Name)"
}
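An added triage example (not code from the advisory or from Disc Soft), written in Python rather than PowerShell so it runs on any analyst workstation, that combines the two organizational hunting steps above: it reads a constructed endpoint-inventory export to find hosts that installed 12.5.1 inside the April 8 to May 5 window, and scans constructed firewall log lines for UDP 443 traffic from non-browser processes, then ranks hosts for forensic follow-up. The inventory and log formats, the host names and the browser allow-list are assumptions; adapt the parsers to your SCCM/Intune export and firewall log schema.

```python
import csv
import io
from datetime import date
# Facts stated in the advisory: the trojanized build and its distribution window.
AFFECTED_VERSION = "12.5.1"
WINDOW_START, WINDOW_END = date(2026, 4, 8), date(2026, 5, 5)
# Assumption: processes that legitimately speak HTTP/3 (QUIC) on UDP 443; tune for your fleet.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Constructed sample inventory export (hypothetical hosts, not real telemetry).
INVENTORY_CSV = """host,product,version,install_date
ws-001,Daemon Tools Lite,12.5.1,2026-04-12
ws-002,Daemon Tools Lite,12.6.0.2445,2026-05-06
ws-003,Daemon Tools Lite,12.5.1,2026-03-30
ws-004,Daemon Tools Lite,12.5.1,2026-05-01"""

# Constructed sample firewall log with per-process attribution (the field layout is an assumption).
FIREWALL_LOG = """2026-05-02T10:14:03Z host=ws-001 proto=UDP dport=443 process=notepad.exe dst=203.0.113.7
2026-05-02T10:15:11Z host=ws-004 proto=UDP dport=443 process=msedge.exe dst=198.51.100.20
2026-05-02T10:16:40Z host=ws-002 proto=TCP dport=443 process=conhost.exe dst=203.0.113.9
2026-05-02T10:17:02Z host=ws-005 proto=UDP dport=443 process=conhost.exe dst=203.0.113.7"""

def exposed_hosts(inventory_csv: str) -> list[str]:
    """Hosts that installed Daemon Tools Lite 12.5.1 inside the April 8 to May 5, 2026 window."""
    hosts = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "Daemon Tools" not in row["product"] or row["version"] != AFFECTED_VERSION:
            continue
        if WINDOW_START <= date.fromisoformat(row["install_date"]) <= WINDOW_END:
            hosts.append(row["host"])
    return hosts

def quic_from_non_browsers(log_text: str) -> dict[str, list[str]]:
    """Map host -> non-browser processes seen sending UDP/443 (QUIC-shaped) traffic."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if fields.get("proto") != "UDP" or fields.get("dport") != "443":
            continue
        proc = fields.get("process", "").lower()
        if proc not in BROWSER_PROCESSES:
            hits.setdefault(fields["host"], []).append(proc)
    return hits

def triage(inventory_csv: str, log_text: str) -> list[tuple[str, int]]:
    """Priority 1: exposed build and C2-shaped traffic; 2: exposed build only; 3: traffic only."""
    exposed = set(exposed_hosts(inventory_csv))
    quic = set(quic_from_non_browsers(log_text))
    prio = {h: 1 if h in exposed and h in quic else 2 if h in exposed else 3 for h in exposed | quic}
    return sorted(prio.items(), key=lambda kv: (kv[1], kv[0]))
```

Priority 3 hosts (QUIC from a non-browser process but no 12.5.1 install on record) still deserve a look, since inventory exports miss hosts that installed the package outside managed channels.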
Background: The Software Supply Chain Attack Pattern
Software supply chain attacks via compromised build pipelines represent one of the most impactful classes of intrusion in the modern threat landscape. The pattern achieved widespread awareness with the SolarWinds breach in 2020, where attackers inserted the SUNBURST backdoor into SolarWinds Orion software updates, ultimately reaching approximately 18,000 organizations including major U.S. government agencies.
Subsequent notable incidents include:
- 3CX supply chain attack (2023): North Korea's Lazarus Group compromised the 3CX desktop application installer to deliver a stealer targeting cryptocurrency and financial firms
- XZ Utils backdoor (2024): A multi-year social engineering campaign inserted a backdoor into a widely deployed Linux compression library, narrowly contained before mass distribution
- PyTorch supply chain attack (2022): A dependency confusion attack injected a malicious version of torchtriton that harvested environment variables and SSH keys
The Daemon Tools incident follows this established pattern but stands out for the selective escalation behavior. Unlike SolarWinds (where SUNBURST was deployed broadly to all affected customers) and 3CX (where all users received the stealer), the Daemon Tools attacker deliberately chose to escalate against only approximately a dozen high-value targets. This operational restraint suggests either resource constraints that prevented broad follow-on activity, or — more likely — a deliberate decision to minimize detection risk by limiting the number of systems where deeper compromise artifacts would be visible.
Conclusion
If you installed Daemon Tools Lite 12.5.1 between April 8 and May 5, 2026, treat the affected system as compromised. Uninstall the software immediately, run updated security scans, and upgrade to version 12.6.0.2445. Organizations in the targeted sectors — government, scientific research, retail, and manufacturing — should prioritize forensic investigation of any exposed systems before conducting remediation.
For any query contact us at contact@cipherssecurity.com

