The official website of the widely used JDownloader download manager was hacked earlier this week to serve malicious Windows and Linux installers. The Windows installer was found to deliver a Python-based remote access trojan (RAT).
The supply chain attack affected users who downloaded installers from the official site between May 6 and May 7, 2026, specifically through the Windows “Download Alternative Installer” links or the Linux shell installer.
The developers explained that the attackers altered the website’s download links to redirect users to malicious third-party files instead of the genuine installers.
JDownloader is a popular free download management tool that automates downloads from file-hosting services, video platforms, and premium link generators. The software has been around for over a decade and is used by millions of people globally on Windows, Linux, and macOS.
The JDownloader supply chain attack
The breach was first flagged on Reddit by a user called “PrinceOfNightSky,” who noticed that the downloaded installers were being detected by Microsoft Defender.
“I’ve been using JDownloader and recently got a new PC. I had the installer on a USB drive but decided to grab the latest version,” PrinceOfNightSky wrote on Reddit.
“The website is the official one, but all the Windows executables are being flagged as malicious by Windows, and the developer is listed as ‘Zipline LLC.’ Other times it shows ‘The Water Team.’ The software is clearly made by AppWork, and I have to manually unblock it from Windows to run it, which I won’t do.”
The JDownloader team later confirmed the breach and took the website offline to investigate.
In their incident report, the developers stated that attackers exploited an unpatched vulnerability to modify website access control lists and content without needing authentication.
“Changes were made through the website’s content management system, affecting published pages and links,” the incident report reads.
“The attacker did not gain access to the underlying server stack — specifically, there was no access to the host filesystem or broader operating-system-level control beyond CMS-managed web content.”
The developers confirmed that only the alternative Windows installer download links and the Linux shell installer link were affected. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JDownloader JAR package remained untouched.
The team also advised users to verify whether an installer is legitimate by right-clicking the file, selecting Properties, and then checking the Digital Signatures tab.
If the Digital Signatures tab lists “AppWork GmbH” as the signer and Windows reports the signature as valid, the file is legitimate. If the file is unsigned, signed by a different entity, or carries a signature that does not validate, it should not be run.
The JDownloader team noted that analyzing the malicious payloads was “out of our scope” but shared an archive of the compromised installers for others to examine.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows executables and published indicators of compromise (IOCs) for the malware.
According to Klemenc, the malware functions as a loader that deploys a heavily obfuscated Python-based RAT.
Klemenc explained that the Python payload serves as a modular bot and RAT framework, enabling attackers to run Python code sent from command and control (C2) servers.
The researcher also identified two command and control servers used by the malware:
https://parkspringshotel[.]com/m/Lu6aeloo.php
https://auraguest[.]lk/m/douV2quu.php
BleepingComputer’s examination of the tampered Linux shell installer revealed malicious code injected into the script that fetches an archive from ‘checkinnhotels[.]com’ disguised as an SVG file.
Once downloaded, the script extracts two ELF binaries named ‘pkg’ and ‘systemd-exec’ and then installs ‘systemd-exec’ as a SUID-root binary in ‘/usr/bin/’.
The installer then copies the main payload to ‘/root/.local/share/.pkg’, creates a persistence script in ‘/etc/profile.d/systemd.sh’, and launches the malware while disguising itself as ‘/usr/libexec/upowerd’.
The ‘pkg’ payload is also heavily obfuscated using Pyarmor, making its exact functionality unclear.
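The file system artifacts above are enough to hunt for on a suspect Linux host. The following script is an added example (not code from the JDownloader team or from BleepingComputer): it checks for the SUID helper, the dropped payload, and the profile.d persistence hook at the paths reported above, and on a live system it also looks for a process whose command line claims to be ‘/usr/libexec/upowerd’ but whose executable is something else. That last check assumes the disguise works by renaming the command line; the incident report does not describe the mechanism, so treat it as an assumption.

```shell
#!/bin/sh
# Added example: sweep a Linux host (or a mounted disk image) for the artifacts
# the tampered JDownloader shell installer drops. Paths are the ones reported
# in the article; the process check assumes the malware masquerades by setting
# its command line to /usr/libexec/upowerd (an assumption, not a reported detail).
#
# Usage: jd_linux_ioc_check            # live system (run as root for the process check)
#        jd_linux_ioc_check /mnt/disk  # root filesystem mounted from a suspect machine
# Exit status: 0 = nothing found, 1 = one or more indicators present.

jd_linux_ioc_check() {
    root="${1:-}"
    hits=0

    # 1. SUID-root helper planted in /usr/bin
    f="$root/usr/bin/systemd-exec"
    if [ -e "$f" ]; then
        if [ -u "$f" ]; then
            printf 'HIT: %s present and setuid\n' "$f"
        else
            printf 'HIT: %s present\n' "$f"
        fi
        hits=$((hits + 1))
    fi

    # 2. Main payload copied into root's home directory
    f="$root/root/.local/share/.pkg"
    if [ -e "$f" ]; then
        printf 'HIT: payload %s present\n' "$f"
        hits=$((hits + 1))
    fi

    # 3. Persistence hook sourced by every login shell
    f="$root/etc/profile.d/systemd.sh"
    if [ -e "$f" ]; then
        printf 'HIT: persistence script %s present\n' "$f"
        hits=$((hits + 1))
    fi

    # 4. Live system only: a process that claims to be upowerd but whose
    #    executable resolves elsewhere (assumed disguise mechanism).
    if [ -z "$root" ] && [ -d /proc ]; then
        for p in /proc/[0-9]*; do
            cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
            case "$cmd" in
                /usr/libexec/upowerd*)
                    exe=$(readlink "$p/exe" 2>/dev/null || true)
                    if [ -z "$exe" ]; then
                        printf 'NOTE: pid %s looks like upowerd; rerun as root to read its exe link\n' "${p#/proc/}"
                    elif [ "$exe" != "/usr/libexec/upowerd" ]; then
                        printf 'HIT: pid %s claims to be /usr/libexec/upowerd but runs %s\n' "${p#/proc/}" "$exe"
                        hits=$((hits + 1))
                    fi
                    ;;
            esac
        done
    fi

    if [ "$hits" -eq 0 ]; then
        printf 'No JDownloader Linux-installer indicators found under "%s"\n' "${root:-/}"
        return 0
    fi
    printf '%s indicator(s) found\n' "$hits"
    return 1
}
```

Pointing the function at a mounted image lets you sweep a machine offline without running anything from the suspect disk. Any hit means the installer ran and should be treated as a full compromise in line with the reinstall advice below; the absence of a hit on a live system is weaker evidence, since the ‘pkg’ payload is obfuscated and its full behaviour is not known.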
JDownloader stated that users are only at risk if they downloaded and ran the affected installers during the window when the site was compromised.
Since the malware could have executed arbitrary code on infected machines, those who installed the compromised installers are strongly advised to reinstall their operating systems.
It is also possible that credentials were stolen from affected devices, so resetting passwords after cleaning the systems is strongly recommended.
Hackers have increasingly been targeting the websites of popular software tools this year to spread malware to unsuspecting users.
In April, hackers breached the CPUID website to alter download links that served malicious executables for the popular CPU-Z and HWMonitor utilities.
Earlier this month, threat actors compromised the DAEMONTOOLS website to distribute trojanized installers containing a backdoor.