DAEMON Tools Lite CVE-2026-8398: Signed Installer Supply-Chain Compromise
CISA added DAEMON Tools Lite CVE-2026-8398 to KEV after the vendor confirmed unauthorized interference in its infrastructure and compromised DAEMON Tools Lite installation packages.
Executive Summary
CISA added CVE-2026-8398 to KEV on 2026-05-27, describing an embedded malicious-code vulnerability in DAEMON Tools Lite [Source 1]. Disc Soft’s incident notice says unauthorized interference in its infrastructure caused some installation packages to be released in a compromised state, and that DAEMON Tools Lite 12.6.0.2445 replaced the affected build [Source 2].
Kaspersky’s research reported a signed-installer supply-chain attack affecting DAEMON Tools Lite versions in the 12.5.0.2421 through 12.5.0.2434 range, with malicious code in DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe [Source 3]. Treat installs of the affected free Lite version during the April-May 2026 window as endpoint compromise leads until local evidence proves otherwise.
Key Facts
event_id: "daemon-tools-lite-cve-2026-8398-supply-chain"
cve: "CVE-2026-8398"
vendor: "Disc Soft / DAEMON Tools"
product: "DAEMON Tools Lite"
kev_added: "2026-05-27"
kev_due: "2026-05-30"
affected_versions_reported:
- "12.5.0.2421 through 12.5.0.2434"
- "DAEMON Tools Lite 12.5.1 free, per vendor user guidance"
clean_version: "12.6.0.2445"
trojanized_binaries:
- "DTHelper.exe"
- "DiscSoftBusServiceLite.exe"
- "DTShellHlp.exe"
Source Confidence & Evidence Mapping
- confirmed: CISA lists CVE-2026-8398 in KEV with active exploitation evidence and a 2026-05-30 due date [Source 1].
- confirmed: The vendor states unauthorized interference affected its infrastructure and that certain installation packages were released compromised [Source 2].
- confirmed: The vendor says DAEMON Tools Lite 12.6.0.2445 no longer exhibits the incident behavior and that affected 12.5.1 free users should uninstall, scan, and install 12.6 [Source 2].
- reported by primary research: Kaspersky identifies the affected 12.5.0.2421-12.5.0.2434 range and three modified signed binaries [Source 3].
- unclear: Public sources do not provide a full build-system root cause or complete victim list.
Impact Determination
| Classification | Criteria | Required evidence | Handling decision |
|---|---|---|---|
| Confirmed compromise | A host installed or executed an affected DAEMON Tools Lite build and malicious binary/process/network evidence is present. | Installed version, file inventory, process telemetry, persistence evidence, EDR detections, network logs, and user timeline. | Isolate host, preserve disk and memory where possible, remove affected software, run full malware response, and reset credentials used on the host. |
| Presumed exposed | A host installed DAEMON Tools Lite 12.5.1 free or a 12.5.0.2421-12.5.0.2434 build during the affected period but runtime telemetry is incomplete. | Software inventory, installer cache, download logs, browser history, package hash, or vendor path evidence. | Treat as exposed and perform endpoint triage before returning host to normal use. |
| Potentially exposed | DAEMON Tools Lite is present but version and install date are unavailable. | Registry uninstall keys, EDR inventory, file metadata, prefetch, AmCache/ShimCache, installer cache, and proxy logs. | Reconstruct version and execution timeline. |
| Not exposed | No DAEMON Tools Lite install, or only verified 12.6.0.2445+ from official sources after the vendor cleanup. | Negative inventory and file evidence, or clean-version proof. | Preserve evidence and block affected installers in software controls. |
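As an added example (not code from the page's sources or the vendor), the table's decision logic applied to one host's evidence. `HostEvidence` and its field names are this example's own assumptions; the version range, vendor label, clean build, and distribution window come from the Key Facts and Timeline on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Selectors taken from the Key Facts and Timeline above.
AFFECTED_LOW, AFFECTED_HIGH = (12, 5, 0, 2421), (12, 5, 0, 2434)
AFFECTED_VENDOR_LABEL = (12, 5, 1)   # "12.5.1 free" per vendor guidance
CLEAN_MIN = (12, 6, 0, 2445)
# Distribution began around 2026-04-08; the clean build shipped 2026-05-05.
WINDOW_START, WINDOW_END = date(2026, 4, 8), date(2026, 5, 5)

def parse_version(text: str) -> Tuple[int, ...]:
    """'12.5.0.2434' -> (12, 5, 0, 2434); tuple comparison handles range checks."""
    return tuple(int(part) for part in text.strip().split("."))

def version_affected(text: str) -> bool:
    v = parse_version(text)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH or v[:3] == AFFECTED_VENDOR_LABEL

def version_clean(text: str) -> bool:
    return parse_version(text) >= CLEAN_MIN

@dataclass
class HostEvidence:
    """Hypothetical inventory record; the field names are this example's own."""
    installed: bool
    version: Optional[str] = None        # from uninstall keys or EDR inventory
    install_date: Optional[date] = None  # from installer cache or download logs
    runtime_evidence: bool = False       # EDR detection, persistence, or C2 traffic
    official_source: bool = False        # verified vendor download after cleanup

def classify(h: HostEvidence) -> str:
    """Map one host's evidence to a row of the Impact Determination table."""
    if not h.installed:
        return "not exposed"
    in_window = h.install_date is not None and WINDOW_START <= h.install_date <= WINDOW_END
    if h.version is None and not in_window:
        return "potentially exposed"     # reconstruct version and timeline first
    affected = version_affected(h.version) if h.version else in_window
    if affected and h.runtime_evidence:
        return "confirmed compromise"
    if affected:
        return "presumed exposed"
    if h.version and version_clean(h.version) and h.official_source:
        return "not exposed"
    return "potentially exposed"         # unverified source or a pre-incident build

def triage_order(hosts):
    # Sort (name, evidence) pairs so the worst classification is handled first.
    rank = ["confirmed compromise", "presumed exposed", "potentially exposed", "not exposed"]
    return sorted(((n, classify(e)) for n, e in hosts), key=lambda p: rank.index(p[1]))
```

A host whose version is unknown but whose install date falls inside the window is ranked presumed exposed rather than potentially exposed, since the timeline evidence the table lists for that row is present.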
Timeline
- 2026-04-08: Kaspersky reported the malicious DAEMON Tools distribution activity began around this date [Source 3].
- 2026-05-05: DAEMON Tools Lite 12.6.0.2445 was released as a clean replacement, according to the vendor [Source 2].
- 2026-05-06: Disc Soft published its incident notice [Source 2].
- 2026-05-27: CISA added CVE-2026-8398 to KEV [Source 1].
Detection and Hunting
Script: local repository and exported telemetry scope
```python
#!/usr/bin/env python3
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-daemon-tools-lite-cve-2026-8398-supply-chain-scope"))
SINCE = "2026-05-31T00:00:00Z"
UNTIL = "2026-05-31T23:59:59Z"

# VERSIONS and FILES carry the values from the Key Facts above. The other lists are
# empty because the cited sources publish no such indicators; fill them only from
# local evidence (installer hashes, proxy logs, EDR detections).
PACKAGES = []
VERSIONS = ["12.5.0.2421", "12.5.0.2434", "12.5.1"]
FILES = ["DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"]
DOMAINS = []
URLS = []
IPS = []
HASHES = []
PROCESS_PATTERNS = []
NETWORK_PATTERNS = []
# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
# A FILES hit on its own is a lead to confirm against installed version and hash, since the
# same file names also ship in clean builds.

OUT.mkdir(parents=True, exist_ok=True)
indicators_file = OUT / "indicators.txt"

# Collect unique indicators
indicators = set()
for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
    for val in group:
        if val:
            indicators.add(val)
with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")
print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
# Skip our own output tree: OUT defaults to a subdirectory of the scanned root, and
# indicators.txt would otherwise match every selector.
out_resolved = OUT.resolve()
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs and (Path(root) / d).resolve() != out_resolved]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # unreadable or special file; skip it
if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, dirs, filenames in os.walk(LOG_ROOT):
        dirs[:] = [d for d in dirs if (Path(root) / d).resolve() != out_resolved]
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # unreadable or special file; skip it
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

if PACKAGES:
    # Reserved for package-registry lookups when package selectors are supplied.
    registry_dir = OUT / "registry"
    registry_dir.mkdir(exist_ok=True)
print(f"[+] Wrote scope artifacts under {OUT}")
```
Remediation
Uninstall affected DAEMON Tools Lite builds, install only the verified 12.6 or later official build if the tool is still required, and run a full endpoint scan as the vendor recommends [Source 2]. For enterprise response, also collect persistence artifacts, process execution history, browser/download history, proxy logs, and credentials used on the host during the affected period.
Closure requires a clean software inventory, no affected binaries remaining on disk, endpoint scan or EDR review evidence, and a decision on whether local credentials need rotation based on what the host could access.
Machine-Readable Event Profile
```json
{
  "event_id": "daemon-tools-lite-cve-2026-8398-supply-chain",
  "cve": "CVE-2026-8398",
  "kev_added": "2026-05-27",
  "vendor": "Disc Soft / DAEMON Tools",
  "product": "DAEMON Tools Lite",
  "affected_versions": ["12.5.0.2421", "12.5.0.2434", "12.5.1"],
  "clean_version": "12.6.0.2445",
  "file_selectors": ["DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe"],
  "source_urls": [
    "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.json",
    "https://blog.daemon-tools.cc/post/security-incident",
    "https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/",
    "https://nvd.nist.gov/vuln/detail/CVE-2026-8398"
  ]
}
```