DAEMON Tools Lite Supply Chain Attack: Malware-Free Version Released
Disc Soft Limited, the vendor behind the popular disc‑imaging utility DAEMON Tools Lite, acknowledged on March 8, 2026 that a malicious update had been pushed through its official download servers, trojanising the software’s installer. The compromise was first flagged by the threat‑intelligence team at Eclypsium, which spotted an anomalous DLL being delivered alongside the legitimate DaemonTools.exe binary. Disc Soft confirmed the incident, stating that an estimated 1.2 million users had fetched the tainted installer before the malicious payload was identified.
Technical analysis shows that the attack inserted a dropper component, internally tagged ‘DL Loader’ by the researchers, which subsequently deployed a variant of the Mokes backdoor (Win32/Backdoor.Mokes.H). The malware communicated with a command‑and‑control (C2) server hosted on a domain that had been registered just days before the release, and it harvested system information, network credentials, and keyboard input. The malicious DLL was signed with a stolen but still‑valid code‑signing certificate, allowing it to pass the operating system’s driver‑verification checks and evade basic heuristic scans.
Upon disclosure, Disc Soft acted quickly, pulling the compromised installer from its website and issuing version 10.13.0.0605, which contains only the clean, original code base and an updated digital signature. The company urged all users of the prior build (10.13.0.0604) to uninstall immediately, verify the SHA‑256 hash of the new binary against the posted value (e.g., sha256: 8f3c … c7a1), and reset any credentials that may have been entered while the compromised software was running. Antivirus vendors have updated their detection signatures to flag the dropper and its C2 traffic.
The DAEMON Tools incident underscores the growing risk of supply‑chain attacks that target software distribution channels. Security experts recommend that organizations implement continuous monitoring of software binaries, enforce strict code‑signing validation, and maintain a software‑bill‑of‑materials (SBOM) to quickly spot unauthorized components. While Disc Soft’s prompt response limited the blast radius, the episode serves as a reminder that even mature, widely‑used applications can become vectors for advanced malware if their update pipelines are not adequately guarded.
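The binary monitoring and SBOM check recommended above can be sketched as an install-directory audit. This is an added example, not code from Disc Soft or the researchers: it flags files that are absent from a known-good manifest or whose hash differs, which catches an extra DLL even when its signature validates. The flat path-to-SHA-256 manifest (a simplification of a real SBOM), the file name extra_component.dll and all file contents are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map each file's lower-cased relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix().lower(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def audit_install(root, manifest):
    """Compare an install tree with a manifest {relative_path: sha256_hex}.

    Paths are compared case-insensitively, as on Windows file systems.
    Returns sorted lists of unexpected, missing and modified files.
    """
    seen = snapshot(root)
    expected = {k.lower(): v.lower() for k, v in manifest.items()}
    return {
        "unexpected": sorted(set(seen) - set(expected)),
        "missing": sorted(set(expected) - set(seen)),
        "modified": sorted(k for k in seen.keys() & expected.keys()
                           if not hmac.compare_digest(seen[k], expected[k])),
    }

def demo():
    """Build a constructed clean tree, record it, alter it, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "DaemonTools.exe").write_bytes(b"constructed clean binary")
        (root / "lang").mkdir()
        (root / "lang" / "en.dll").write_bytes(b"constructed resource")
        manifest = snapshot(root)  # stands in for a manifest of the clean build
        # Constructed changes: one unlisted DLL and one altered binary.
        (root / "extra_component.dll").write_bytes(b"constructed unlisted DLL")
        (root / "DaemonTools.exe").write_bytes(b"constructed altered binary")
        return audit_install(root, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest has to come from a source independent of the download server being checked, otherwise a compromised channel can serve a matching manifest.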