Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. DAEMON Tools Lite Supply Chain Attack via Trojanized
DAEMON Tools Lite Supply Chain Attack via Trojanized

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-8398

DAEMON Tools Lite Supply Chain Attack via Trojanized

A supply chain attack compromised official DAEMON Tools Lite installation packages distributed from daemon-tools.cc between April 8 and May 5, 2026,...

Dylan H.

Security Team

May 16, 2026
6 min read

Affected Products

  • DAEMON Tools Lite for Windows 12.5.0.2421 through 12.5.0.2434

Executive Summary

A critical supply chain vulnerability (CVE-2026-8398) was disclosed following the discovery that official installation packages for DAEMON Tools Lite — a widely used virtual disc emulation utility for Windows — were replaced with trojanized builds distributed directly from the legitimate vendor website, daemon-tools.cc.

The attack window ran from approximately April 8, 2026 through May 5, 2026. Affected builds span versions 12.5.0.2421 through 12.5.0.2434. Users who downloaded and installed DAEMON Tools Lite during this period may have been silently compromised with malware. The vulnerability carries a CVSS score of 9.8 (Critical).

Users who installed DAEMON Tools Lite during the affected window should treat their systems as compromised and follow the remediation steps below immediately.


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-8398
CVSS Score9.8 (Critical)
TypeSupply Chain Attack / Trojanized Software
Attack VectorNetwork (official distribution channel)
Privileges RequiredNone (user simply installs software)
User InteractionRequired (download and run installer)
Patch AvailableYes — clean installers available post-May 5, 2026

Affected Versions

SoftwareAffected VersionsExposure WindowFixed
DAEMON Tools Lite (Windows)12.5.0.2421 – 12.5.0.2434~Apr 8 – May 5, 2026Post-May 5 builds

Technical Analysis

Attack Vector

Attackers gained unauthorized access to the vendor's official distribution infrastructure at daemon-tools.cc and replaced the legitimate DAEMON Tools Lite installer packages with malicious versions containing embedded malware. Because the trojanized installers were served from the official website and signed or presented as authentic, users had no reasonable means to detect the substitution during a standard download-and-install workflow.

Infection Chain

1. User navigates to daemon-tools.cc to download DAEMON Tools Lite
2. Server delivers trojanized installer (versions 12.5.0.2421–12.5.0.2434)
3. User executes installer — standard-looking DAEMON Tools UI presented
4. DAEMON Tools installs normally, masking malware payload drop
5. Malware component executes with user or elevated privileges
6. Attacker achieves persistent access to victim system

Why This Is Particularly Dangerous

Software supply chain attacks via official vendor channels are especially effective because:

  • Trust is already established: Users expect official downloads to be clean
  • No phishing or social engineering required: The victim initiates the download themselves
  • Security tools may not flag it: Installers from known legitimate sites are often whitelisted
  • Broad reach: DAEMON Tools Lite is a popular utility with a large install base

Impact Assessment

Impact AreaDescription
Malware InfectionSystems running affected versions may be compromised with attacker-controlled malware
Data ExfiltrationDepending on payload, credentials, files, or keystrokes may have been stolen
Persistent AccessMalware may establish persistence mechanisms that survive reboots
Lateral Movement RiskCompromised endpoints may serve as pivot points into internal networks
Credential TheftBrowser credentials, saved passwords, and tokens may be at risk

Immediate Remediation

Step 1: Identify Affected Installations

Check the installed version of DAEMON Tools Lite:

# PowerShell: check installed version
Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*DAEMON*" } | Select-Object Name, Version
 
# Or check via registry
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
  Where-Object DisplayName -like "*DAEMON*" |
  Select-Object DisplayName, DisplayVersion, InstallDate

If the version is between 12.5.0.2421 and 12.5.0.2434 and was installed between April 8 and May 5, 2026, treat the system as compromised.

Step 2: Remove the Affected Installation

# Uninstall DAEMON Tools Lite via PowerShell
$app = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*DAEMON Tools Lite*" }
$app.Uninstall()

Or uninstall via Control Panel > Programs > Uninstall a program.

Step 3: Run Full Malware Scan

Use multiple AV/EDR tools as malware signatures may not be immediately available for all solutions:

# Windows Defender full scan
Start-MpScan -ScanType FullScan
 
# Update definitions first
Update-MpSignature

Consider offline scanning with a bootable rescue environment if the system shows signs of deep compromise.

Step 4: Audit for Persistence Mechanisms

# Check startup entries
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location
 
# Scheduled tasks (look for suspicious entries)
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" } | Select-Object TaskName, TaskPath
 
# Services with unusual paths
Get-Service | ForEach-Object {
  $path = (Get-WmiObject Win32_Service -Filter "Name='$($_.Name)'").PathName
  if ($path -notlike "*System32*" -and $path -notlike "*Program Files*") {
    [PSCustomObject]@{ Name=$_.Name; Path=$path }
  }
}

Step 5: Download a Clean Installer

Obtain a fresh copy from the official vendor site, verifying it was published after May 5, 2026 and the version is 12.5.0.2435 or later.


Detection Indicators

IndicatorDescription
DAEMON Tools version 12.5.0.2421–2434Installer may be trojanized
Suspicious processes spawned by DAEMON Tools installerMalware execution during or after install
New scheduled tasks or services with random namesPersistence mechanisms
Unusual outbound network connections from new processesC2 communication
Unexpected files dropped in temp or AppData directoriesMalware staging

Post-Remediation Checklist

  1. Identify if DAEMON Tools Lite versions 12.5.0.2421–2434 are installed
  2. Uninstall affected versions immediately
  3. Run full AV/EDR scans and remove identified threats
  4. Audit startup items, scheduled tasks, and services for unauthorized persistence
  5. Check network logs for unusual outbound connections during the exposure window
  6. Reset passwords for accounts used on affected systems, especially cloud/SaaS credentials
  7. Review browser saved credentials and rotate any stored secrets
  8. Reinstall from a clean post-May 5, 2026 installer after verifying version number
  9. Monitor affected systems closely for 30 days post-remediation
  10. Notify security teams if evidence of exfiltration or lateral movement is found

References

  • NVD — CVE-2026-8398
  • DAEMON Tools Official Site — daemon-tools.cc

Related Reading

  • Microsoft February 2026 Patch Tuesday Fixes Six Actively
  • CVE-2015-20118: Stored XSS in RealtyScript 4.0.2 Admin
  • CVE-2018-25165: SQL Injection Vulnerability Disclosed in
#CVE-2026-8398#Supply Chain#Windows#DAEMON Tools#Malicious Installer#NVD#Vulnerability

Related Articles

CVE-2018-25427: Arm Whois 3.11 Stack-Based Buffer Overflow RCE

A critical stack-based buffer overflow vulnerability in Arm Whois 3.11 (CVSS 9.8) allows remote attackers to execute arbitrary code by supplying oversized…

4 min read

CVE-2026-14771: SQL Injection in SourceCodester Class and Exam Timetabling System

An unauthenticated remote SQL injection vulnerability in SourceCodester's Class and Exam Timetabling System 1.0 allows attackers to manipulate the id parameter in /edit_exam1.php. No patch is available — apply input sanitization immediately.

3 min read

CVE-2026-4321: Critical SQL Injection in Raera Destekz Plugin (No Patch Available)

A CVSS 9.8 critical SQL injection in the Destekz plugin by Raera - Ankara Web Design allows unauthenticated remote attackers full database access. The...

2 min read
Back to all Security Alerts