Disc Soft Limited, the developer behind the widely-used DAEMON Tools Lite virtual drive software, has confirmed that their software distribution was compromised in a supply chain attack that resulted in trojanized versions of DAEMON Tools being distributed to users. The company has released a clean, malware-free version and is urging all users to update immediately.
The disclosure was reported by BleepingComputer, which has been tracking an increase in supply chain attacks targeting popular software utilities distributed through official developer channels.
What Is DAEMON Tools?
DAEMON Tools Lite is a virtual drive and disc image mounting application with a long history of use among Windows users. The software allows users to mount ISO, MDS, MDX, and other disc image formats as virtual CD/DVD/Blu-ray drives without physical media. It has been a staple utility for software developers, gamers, and IT professionals for over two decades.
The software's broad install base — spanning millions of users globally — makes it an attractive target for threat actors seeking to achieve mass distribution of malware through a trusted, legitimate software channel.
The Supply Chain Attack
Disc Soft Limited confirmed that attackers compromised the software's build pipeline or distribution infrastructure, resulting in a version of DAEMON Tools Lite being signed with a legitimate certificate and distributed through official channels but containing embedded malware. This type of attack is particularly dangerous because:
- The software is digitally signed, bypassing many security checks that flag unsigned executables
- Users downloading from the official site have no reason to suspect the file is malicious
- Antivirus products that rely on reputation scoring may not flag a known-good signed binary
- Existing installations may auto-update to the compromised version
The exact malware payload has not been publicly detailed at the time of writing, but supply chain attacks of this nature typically deliver information stealers, remote access trojans (RATs), or cryptocurrency miners — chosen for their ability to operate silently while monetizing the compromised host.
Timeline and Scope
Disc Soft Limited has confirmed the breach but has not yet disclosed the full timeline of how long the trojanized version was in distribution, how many users downloaded it, or the full nature of the malicious payload. The company has stated that:
- The compromise has been contained
- A clean, malware-free version has been released
- Users who downloaded DAEMON Tools Lite during the affected period are urged to update immediately
The specific version numbers affected and the precise dates of the compromise window have not been publicly confirmed at the time of reporting.
Recommendations for Affected Users
Immediate Steps
If you have DAEMON Tools Lite installed, take the following steps regardless of whether you believe your version was affected:
- Update to the latest clean version immediately from the official Disc Soft website
- Run a full antivirus/EDR scan of your system to detect and remove any malicious components that may have been installed
- Review recently installed programs — check for any software installed around the time of the DAEMON Tools update that you did not intentionally install
- Check browser credentials — information stealers commonly target saved browser passwords; consider rotating passwords for important accounts
- Monitor for suspicious network activity — outbound connections to unusual endpoints may indicate malware still communicating with command-and-control infrastructure
For IT and Security Teams
If DAEMON Tools Lite is deployed in enterprise environments:
- Query your endpoint management platform for DAEMON Tools installations and identify the installed version on each host
- If compromised versions are identified, isolate affected hosts and begin incident response procedures
- Review EDR telemetry around the time of the DAEMON Tools update for process injection, credential access, or data staging activity
- Check outbound network logs for connections to known malware C2 infrastructure from hosts with DAEMON Tools installed
- Rotate credentials for any accounts used on potentially compromised hosts
Supply Chain Attack Context
The DAEMON Tools compromise is part of a broader trend of supply chain attacks targeting developer tools, utilities, and open-source packages. Recent notable incidents include:
| Incident | Vector | Impact |
|---|---|---|
| Trivy GitHub Actions compromise | CI/CD pipeline | 75 tags hijacked, infostealer pushed |
| Axios npm supply chain attack | Maintainer social engineering | JavaScript RAT distributed |
| PyPI malicious packages | Fake packages | Credential theft |
| VS Code extension hijacks | Extension marketplace | Developer machine compromise |
The common thread is attackers targeting the trust relationship between software developers and their users. When a legitimate, signed binary from a known developer is trojanized, the social and technical barriers that typically protect users are removed.
How to Verify the Clean Version
When downloading the updated DAEMON Tools Lite:
- Download only from the official Disc Soft website — do not use third-party download sites or mirrors
- Verify the digital signature of the downloaded executable before running it:
  - Right-click the installer → Properties → Digital Signatures tab
  - Confirm the signer is "Disc Soft Limited" with a valid, trusted certificate chain
- Compare the file hash against any official hash published by Disc Soft in their security advisory
- Scan with multiple antivirus engines before installation — submitting to VirusTotal is a quick additional check
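The signature and hash checks above, together with the per-host version inventory from the IT and security team checklist, can be scripted in PowerShell; this is an added example, not code from Disc Soft or the original report. Because the trojanized build carried a valid signature, the function below treats a signer match as necessary but not sufficient and only reports the file as trusted when the SHA-256 also matches the vendor-published value. The function names, the installer file name, `hosts.txt` and the expected-hash value are assumptions or placeholders.

```powershell
# Added example. The expected hash is a placeholder: take it from the
# Disc Soft advisory; the article itself publishes no hash or version list.

function Get-DaemonToolsInstall {
    # Standard per-machine (64/32-bit) and per-user uninstall registry keys.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
            DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation
}

function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [string]$ExpectedSigner = 'Disc Soft Limited'
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # 'Valid' is the only status that indicates a verified, trusted signature.
    # An unsigned file has no SignerCertificate, so the -like test is false.
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like "*$ExpectedSigner*")
    # The hash is the deciding check: the trojanized build was validly signed.
    $hashOk = $hash -eq $ExpectedSha256.Trim()

    [pscustomobject]@{
        Path     = $Path
        Status   = $sig.Status
        Signer   = $sig.SignerCertificate.Subject
        Sha256   = $hash
        SignerOk = $signerOk
        HashOk   = $hashOk
        Trusted  = $signerOk -and $hashOk
    }
}

# Usage (installer file name and hosts.txt are hypothetical):
#   Get-DaemonToolsInstall
#   Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-DaemonToolsInstall}
#   Test-InstallerTrust -Path .\installer.exe -ExpectedSha256 '<SHA-256 from the Disc Soft advisory>'
```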