DAEMON Tools Lite Official Installers Trojanized with QUIC RAT Backdoor in Versions 12.5.0.2421–2434

  • Shipped
  • Action required
  • High importance

Attackers trojanized three DAEMON Tools Lite binaries — DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe — in versions 12.5.0.2421 through 12.5.0.2434. The C2 domain was registered March 27; poisoned installers began distributing April 8 and remained live until a patched release (12.6.0.2445) shipped May 5. DAEMON Tools Pro and Ultra were not affected. Kaspersky identified indicators consistent with a Chinese-speaking threat actor; confirmed victims include roughly a dozen hosts across Russia, Belarus, and Thailand spanning retail, scientific, government, and manufacturing sectors. The payload is a QUIC-based RAT backdoor. Any developer or CI/CD pipeline that installed or automated updates of DAEMON Tools Lite during the April 8–May 5 window should treat affected hosts as compromised. Remediation steps are to uninstall all affected Lite versions, run a full endpoint scan, and update to 12.6.0.2445. Organizations using virtual drive tooling in build pipelines should audit installer provenance and consider hash-pinning or signed-artifact verification for future updates.
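
One way to apply the hash-pinning recommendation as a pre-install gate in a build pipeline. This is an added example, not code from the advisory or from the vendor. The version bounds are the ones stated above; the function names, the `pins` mapping, the `99.0.0.x` versions and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Version bounds come from the advisory text; everything else here is illustrative.
AFFECTED_MIN, AFFECTED_MAX = (12, 5, 0, 2421), (12, 5, 0, 2434)
PATCHED = (12, 6, 0, 2445)

def classify_version(text):
    """Return 'affected', 'patched', 'unlisted' (not covered above) or 'invalid'."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "invalid"
    version = tuple(int(p) for p in parts)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "patched" if version >= PATCHED else "unlisted"

def sha256_file(path):
    """Hash in 1 MiB chunks so a large installer is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def gate_installer(path, version, pins):
    """Fail closed: allow only a non-affected version whose file matches its pin."""
    status = classify_version(version)
    if status in ("affected", "invalid"):
        return (False, f"version is {status}")
    pinned = pins.get(version)
    if pinned is None:
        return (False, "no pinned hash for this version")
    if not hmac.compare_digest(sha256_file(path), pinned.lower()):
        return (False, "installer hash does not match the pin")
    return (True, "hash matches pin")

def demo():
    """Run the gate over a constructed stand-in file (not a real installer)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "installer.bin"
        path.write_bytes(b"constructed sample bytes")
        good = sha256_file(path)
        pins = {"12.6.0.2445": good, "12.5.0.2430": good, "99.0.0.1": "0" * 64}
        versions = ("12.6.0.2445", "12.5.0.2430", "99.0.0.1", "99.0.0.2")
        return {v: gate_installer(path, v, pins)[0] for v in versions}
```

A pin only detects a file that differs from the one reviewed when the pin was recorded, so record pins from an installer that has already been vetted.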