The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found deploying a Python-based remote access trojan.
The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026 via the Windows “Download Alternative Installer” links or the Linux shell installer.
According to the developers, the attackers modified the website’s download links to point to malicious third-party payloads rather than the legitimate installers.
JDownloader is a widely used free download management tool that supports automated downloads from file-hosting services, video sites, and premium link generators. The software has been available for more than a decade and is used by millions worldwide across Windows, Linux, and macOS.
The JDownloader supply chain attack
The compromise was first reported on Reddit by a user named “PrinceOfNightSky,” who noticed that the downloaded installers were being flagged by Microsoft Defender.
“I’ve been using JDownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a USB drive but decided to download the latest version,” posted PrinceOfNightSky to Reddit.
“The website is official, but all the EXEs for Windows are being reported as malicious software by Windows, and the developer is being listed as ‘Zipline LLC.’ Other times it says ‘The Water Group.’ The software is clearly by Appwork, and I have to manually unblock it in Windows to run it, which I will not do.”
The JDownloader developers later confirmed that the site had been compromised and took the website offline to investigate the incident.
In an incident report, the developers said their website was compromised by attackers exploiting an unpatched vulnerability that allowed them to change the website’s access control lists and content without authentication.
“Changes were made through the website’s content management system, affecting published pages and links,” reads the incident report.
“The attacker did not gain access to the underlying server stack — specifically no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content.”
The developers stated that the compromise affected only the alternative Windows installer download links and the Linux shell installer link. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package were not modified.
The developers also said that users can confirm whether an installer is legitimate by right-clicking the file, selecting Properties, and then opening the Digital Signatures tab.
If Digital Signatures shows it was signed by “AppWork GmbH,” then it is legitimate. However, if the file is not signed, or is signed under a different name, it should not be run.

Source: BleepingComputer
The JDownloader team said that analyzing the malicious payloads was “out of our scope,” but shared an archive of the malicious installers so that others could analyze them.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows executables and shared indicators of compromise (IOCs) for the malware.
According to Klemenc, the malware acts as a loader that deploys a heavily obfuscated Python-based RAT.
Klemenc said the Python payload acts as a modular bot and RAT framework, allowing attackers to execute Python code delivered from the command and control (C2) servers.
The researcher also shared two command and control servers used by the malware:
https://parkspringshotel[.]com/m/Lu6aeloo.php
https://auraguest[.]lk/m/douV2quu.php
BleepingComputer’s analysis of the modified Linux shell installer found malicious code injected into the script that downloads an archive from ‘checkinnhotels[.]com’ disguised as an SVG file.

Source: BleepingComputer
Once downloaded, the script extracts two ELF binaries named ‘pkg’ and ‘systemd-exec’ and then installs ‘systemd-exec’ as a SUID-root binary in ‘/usr/bin/’.
The installer then copies the main payload to ‘/root/.local/share/.pkg’, creates a persistence script in ‘/etc/profile.d/systemd.sh’, and launches the malware while masquerading as ‘/usr/libexec/upowerd’.
The ‘pkg’ payload is also heavily obfuscated using Pyarmor, so it is unclear what functionality it performs.
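A host-side check for the Linux indicators described above, written as an added example for this article (it is not code from the JDownloader project or from BleepingComputer). The three file paths are the ones named in the analysis; the /proc-based comparison of argv[0] against the real executable is a general masquerade check assumed here, and nothing from the installer itself is reproduced.

```shell
#!/bin/sh
# Audit a Linux host for the file and process indicators described above.
# ROOT is a filesystem prefix: "" for the live host, a temp directory for testing.

# check_jd_linux_iocs ROOT -> prints each finding, returns their count (0 = clean)
check_jd_linux_iocs() {
    root="${1:-}"
    findings=0
    f="$root/usr/bin/systemd-exec"            # dropped SUID-root helper binary
    if [ -e "$f" ]; then
        if [ -u "$f" ]; then echo "FOUND: $f (SUID set)"; else echo "FOUND: $f"; fi
        findings=$((findings + 1))
    fi
    f="$root/root/.local/share/.pkg"          # main Pyarmor-packed payload
    if [ -e "$f" ]; then echo "FOUND: payload $f"; findings=$((findings + 1)); fi
    f="$root/etc/profile.d/systemd.sh"        # login-time persistence script
    if [ -e "$f" ]; then echo "FOUND: persistence $f"; findings=$((findings + 1)); fi
    return "$findings"
}

# check_upowerd_masquerade ROOT -> flags processes whose argv[0] names upowerd
# but whose /proc/PID/exe resolves to a different file; returns the number flagged.
# (Assumed general technique: a legitimate daemon's argv[0] and exe normally agree.)
check_upowerd_masquerade() {
    root="${1:-}"
    hits=0
    for p in "$root"/proc/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$p/cmdline" | head -n 1)   # first NUL-separated field
        case "$argv0" in
            */upowerd) ;;
            *) continue ;;
        esac
        exe=$(readlink "$p/exe" 2>/dev/null) || continue    # unreadable for other users
        if [ "$exe" != "$argv0" ]; then
            echo "SUSPECT: pid ${p##*/} claims $argv0 but exe is $exe"
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Run against the live host with: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_jd_linux_iocs ""
    check_upowerd_masquerade ""
fi
```

Run it as root so that /proc/PID/exe is readable for every process; a non-zero return from either function means at least one indicator was found.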
JDownloader says users are only at risk if they downloaded and executed the affected installers while the site was compromised.
As arbitrary code could have been executed by the malware on infected devices, those who ran the malicious installers are advised to reinstall their operating systems.
It is also possible that credentials were compromised on those devices, so it is strongly advised to reset passwords after cleaning them.
Hackers have increasingly targeted the websites of popular software tools this year to distribute malware to unsuspecting users.
In April, hackers compromised the CPUID website to change download links so that they served malicious executables for the popular CPU-Z and HWMonitor tools.
Earlier this month, threat actors compromised the DAEMONTOOLS website to distribute trojanized installers containing a backdoor.

