CVE-2026-8398 — Daemon Tools Lite Embedded Malicious Code Vulnerability

DAEMON Tools Lite — Trojanized Official Installer Delivers .NET Infostealer and Selective Backdoor via Compromised Build Infrastructure

What is DAEMON Tools Lite?

DAEMON Tools Lite is a widely used virtual-drive and disc-image mounting utility developed by AVB Disc Soft (disc-soft.com). It mounts ISO, MDF, NRG, and other disc-image formats as virtual DVD/CD/Blu-ray drives and is popular among gamers, software developers, and IT administrators worldwide. The free tier has an install base of millions of users globally.

Overview

CVE-2026-8398 tracks a supply-chain attack in which AVB Disc Soft's build or distribution infrastructure was compromised, allowing attackers to trojanize the official DAEMON Tools Lite installer with malicious binaries that carried the vendor's legitimate code signature. The trojanized installer was served from the official disc-soft.com download page from April 8 to May 5, 2026, a 27-day window during which anyone who downloaded and installed the product received the backdoored build. Kaspersky observed thousands of infection attempts worldwide and notified the vendor on May 5; CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026.

Affected Versions

Product              Affected Versions            Status
DAEMON Tools Lite    12.5.0.2421 – 12.5.0.2434    Compromised (distributed April 8 – May 5, 2026)
DAEMON Tools Lite    ≥ 12.6.0.2445                Clean (released May 5–6, 2026)
DAEMON Tools Ultra   none                         Not affected
DAEMON Tools Pro     none                         Not affected

Technical Details

Attackers gained unauthorized access to AVB Disc Soft's build or distribution infrastructure and replaced three binaries inside the official installer:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

All three carried a valid signature from AVB Disc Soft's legitimate code-signing certificate, so Authenticode validation passed and signature- and reputation-based antivirus and endpoint controls that trust the vendor's signed binaries did not flag them. A valid signature therefore says nothing about whether a given copy of these binaries is the clean or the trojanized build.

Infection chain:

  1. At startup, the compromised binaries sent GET requests to an attacker-controlled C2 domain (typosquatted to resemble a legitimate software update server).
  2. The C2 returned cmd.exe/PowerShell commands to download envchk.exe, a .NET-based host profiler.
  3. envchk.exe collected MAC address, hostname, DNS domain, running processes, installed software, and system locale, then sent the profile to the C2.
  4. Operators reviewed profiles and selectively deployed second-stage payloads only to high-value targets:
    • A minimal backdoor supporting command execution, file downloads, and shellcode injection
    • On at least one confirmed target: a full-featured QUIC RAT supporting HTTP, UDP, TCP, WSS, QUIC, and DNS protocol channels

The selective deployment (profiling thousands of victims but backdooring only about 12) indicates a threat actor that prioritized operational security over scale. Chinese-language artifacts were found in the malware code, but no definitive public attribution to a specific APT group has been made.

Discovery

Kaspersky identified the compromise in early May 2026 after observing thousands of infection attempts across 100+ countries. The vendor (AVB Disc Soft) confirmed the breach and released clean version 12.6.0.2445 on May 5–6, 2026, approximately 27 days after the trojanized installers first appeared.

Exploitation Context

Kaspersky recorded thousands of confirmed infection attempts across more than 100 countries, concentrated in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Approximately 12 machines received the selectively deployed second-stage backdoor. The attack ran undetected for approximately 27 days (April 8 – May 5, 2026), with victims unknowingly installing the backdoored application from the official vendor website.

Remediation

  1. Check the installed version. If DAEMON Tools Lite 12.5.0.2421 through 12.5.0.2434 is installed, treat the machine as compromised: even hosts that never received a second-stage payload ran the envchk.exe profiler and sent host details to the attackers.
  2. Update to 12.6.0.2445 or later, downloading only from the official disc-soft.com site, and verify the installer hash against the vendor's posted values before running it. A valid Authenticode signature is not sufficient on its own, because the trojanized binaries were signed with the vendor's legitimate certificate.
  3. Scan for indicators of compromise:
    • Outbound network connections from DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe to any host outside disc-soft.com and its subdomains
    • Presence of envchk.exe in temp directories or other unexpected locations
    • Process-creation events (Sysmon Event ID 1 or Security Event ID 4688) showing cmd.exe or PowerShell spawned as a child of the three binaries above
  4. Isolate affected machines. If second-stage backdoor deployment is suspected, disconnect the host from the network and complete a forensic investigation before remediating, so that evidence of what the operators did is not destroyed by the cleanup.
  5. Rotate credentials accessible from any machine that ran an affected version between April 8 and May 5, 2026.
  6. For federal agencies, the May 30, 2026 BOD 22-01 deadline has passed; remediate immediately.
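The infection chain described under Technical Details and remediation steps 1 and 3 translate directly into host-triage logic. The following is an added example, not code from AVB Disc Soft, Kaspersky, or the original advisory: it classifies an installed version against the affected range and applies the three IOC checks to Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. The event dictionaries, the install path, the user name, and every hostname other than disc-soft.com are constructed for illustration; the real C2 domain is not named on this page and is not included.

```python
"""Triage helpers for CVE-2026-8398 indicators (added example; not vendor or Kaspersky code).

Events are Sysmon-style dicts: event_id 1 (ProcessCreate) carries Image and ParentImage,
event_id 3 (NetworkConnect) carries Image and DestinationHostname or DestinationIp.
Field names follow Sysmon's own; the SAMPLE_EVENTS records at the bottom are constructed.
"""

# Version boundaries taken from the advisory's affected-versions table.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
FIXED_MIN = (12, 6, 0, 2445)

TROJANIZED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
STAGER = "envchk.exe"
VENDOR_DOMAIN = "disc-soft.com"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421) so versions compare as tuples, not strings."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def version_status(text: str) -> str:
    """'compromised' for the trojanized builds, 'clean' for fixed builds, else 'unknown'."""
    v = parse_version(text)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "compromised"
    if v >= FIXED_MIN:
        return "clean"
    return "unknown"  # an older or untracked build: verify manually rather than assume clean


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_vendor_host(host: str) -> bool:
    """True only for disc-soft.com itself or one of its subdomains.

    A look-alike that merely embeds the vendor name as a prefix
    (e.g. 'disc-soft.com.update-cdn.example') or a typosquat ('disc-s0ft.com')
    is not a vendor host and must be flagged.
    """
    host = host.lower().rstrip(".")
    return host == VENDOR_DOMAIN or host.endswith("." + VENDOR_DOMAIN)


def scan_events(events: list[dict]) -> list[dict]:
    """Apply the advisory's three IOC checks and return one finding dict per hit."""
    findings = []
    for e in events:
        image = basename(e.get("Image", ""))
        if e["event_id"] == 1:
            parent = basename(e.get("ParentImage", ""))
            # IOC: cmd.exe / powershell.exe spawned by one of the trojanized binaries
            if parent in TROJANIZED and image in SHELLS:
                findings.append({"kind": "shell_spawn", "image": image, "detail": parent})
            # IOC: the envchk.exe host profiler appearing anywhere on the host
            if image == STAGER:
                findings.append({"kind": "stager", "image": image, "detail": e.get("Image")})
        elif e["event_id"] == 3 and image in TROJANIZED:
            # IOC: trojanized binary talking to anything outside disc-soft.com
            host = e.get("DestinationHostname") or e.get("DestinationIp", "")
            if not is_vendor_host(host):
                findings.append({"kind": "c2_beacon", "image": image, "detail": host})
    return findings


# Constructed sample telemetry (not real logs); non-vendor hostnames are placeholders.
SAMPLE_EVENTS = [
    {"event_id": 1, "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "DestinationHostname": "update.disc-soft.com"},
    {"event_id": 3, "Image": r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe",
     "DestinationHostname": "disc-soft.com.update-cdn.example"},
    {"event_id": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe"},
    {"event_id": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\envchk.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"event_id": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "telemetry.example"},
]

if __name__ == "__main__":
    print("installed 12.5.0.2430 ->", version_status("12.5.0.2430"))
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Feed it exported Sysmon or EDR telemetry mapped onto the same field names. The host check is deliberately strict: only disc-soft.com and its subdomains pass, so a C2 domain built to resemble a vendor update server, as the page describes, is still reported, and a connection logged with only a destination IP is reported as well because it cannot be tied to the vendor.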

Key Details

Property              Value
CVE ID                CVE-2026-8398
Vendor / Product      Daemon — Daemon Tools Lite
NVD Published         2026-05-15
NVD Last Modified     2026-05-28
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-506 (Embedded Malicious Code)
CISA KEV Added        2026-05-27
CISA KEV Deadline     2026-05-30
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2026-05-30. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2026-04-08    Trojanized DAEMON Tools Lite installers (12.5.0.2421) first distributed from the official disc-soft.com site
2026-05-05    Kaspersky detects thousands of global infection attempts; vendor notified (~07:00 GMT)
2026-05-05    Vendor confirms breach; public disclosure
2026-05-06    Clean version 12.6.0.2445 released
2026-05-27    Added to CISA Known Exploited Vulnerabilities catalog
2026-05-30    CISA BOD 22-01 remediation deadline