CVE-2026-8398: A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions...
A supply chain attack compromised the official installation packages of DAEMON Tools Lite (Windows versions 12.5.0.2421 through 12.5.0.2434), distributed from the legitimate website daemon-tools.cc between approximately April 8, 2026, and May 5, 2026. Attackers gained unauthorized access to the vendor's (AVB Disc Soft) build or distribution infrastructure and trojanized three binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files were digitally signed with the legitimate AVB Disc Soft code-signing certificate, allowing the malicious installers to appear trustworthy and bypass signature-based detection.
Security readout for executives and security teams
Plain-English summary
This is a high-urgency supply-chain compromise of DAEMON Tools Lite for Windows. Users who downloaded official installers during the stated window may have installed malicious, vendor-signed binaries. Because the files used a legitimate certificate, normal trust prompts and signature checks could have looked clean.
Executive priority
Treat this as an incident-scoping priority, not routine patching. The business risk is trusted software distributing malicious signed code, which can bypass normal user and security assumptions. Prioritize identifying exposed endpoints and containment decisions.
Technical view
Attackers reportedly compromised AVB Disc Soft build or distribution infrastructure and trojanized DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434. The issue maps to CWE-506 and carries CVSS 3.1 9.8 with high confidentiality, integrity, and availability impact.
Likely exposure
Exposure is most likely on Windows endpoints that installed DAEMON Tools Lite from daemon-tools.cc between approximately April 8, 2026 and May 5, 2026. Software inventory, download history, EDR telemetry, and installed binary versions are the most relevant scoping sources.
Exploitation context
CISA KEV listing supports known exploitation. Securelist describes the supply-chain attack as ongoing since April 8, 2026. The provided bundle does not include exploit mechanics, targeting details, or a complete remediation timeline.
Researcher notes
The source bundle provides strong evidence of supply-chain compromise, affected installer window, trojanized filenames, legitimate signing, CVSS, and KEV status. It does not provide full indicators, exploit details, or definitive cleanup steps, so validation should stay tied to vendor and CISA updates.
Mitigation direction
Identify endpoints with DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434.
Stop using installers downloaded during the April 8 to May 5, 2026 window.
Follow AVB Disc Soft vendor guidance for cleanup, replacement installers, and certificate status.
Quarantine or rebuild systems where trojanized binaries are confirmed.
Rotate credentials used on affected systems if compromise is suspected.
Validation and detection
Inventory installed DAEMON Tools Lite versions across Windows endpoints.
Check endpoint telemetry for DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe anomalies.
Review download and installation timestamps against the exposure window.
Confirm whether binaries were sourced from daemon-tools.cc during the affected period.
Track CISA KEV and vendor advisory updates for revised scope or remediation.
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-506: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-506 · source CWE mapping
Embedded Malicious Code
Embedded Malicious Code represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.