JDownloader site hacked to replace installers with Python RAT malware
Source: Bleeping Computer

Overview
The official website for the popular JDownloader download manager was compromised earlier this week. Attackers replaced the legitimate download links with malicious payloads that install a Python‑based remote‑access trojan on Windows and Linux systems.
Affected Downloads
- Date range: May 6 – May 7, 2026
- Platforms:
  - Windows – “Download Alternative Installer” link
  - Linux – shell installer
What Happened
- The website’s download URLs were altered to point to third‑party malicious installers instead of the authentic JDownloader packages.
- The Windows payload drops a Python‑based RAT; the Linux installer contains a similar malicious component.
About JDownloader
- Type: Free download‑management application.
- Features: Automated downloads from file‑hosting services, video sites, and premium link generators.
- Availability: Windows, Linux, macOS.
- History: Over a decade of use, with millions of users worldwide.
If you downloaded JDownloader from the official site during the affected period, run a thorough malware scan and consider reinstalling the software from a trusted source. Stay vigilant for any unusual system behavior.
Detailed Attack Report
The compromise was first reported on Reddit by a user named PrinceOfNightSky, who noticed that downloaded installers were being flagged by Microsoft Defender.
“I’ve been using JDownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a USB drive but decided to download the latest version.” – PrinceOfNightSky
“The website is official but all the EXEs for Windows are being reported as malicious software by Windows and the developer is being listed as ‘Zipline LLC.’ Other times it says ‘The Water Team.’ The software is obviously by AppWork and I have to manually unblock it from Windows to run it, which I will not do.”
The JDownloader developers later confirmed that the site had been compromised and took it offline to investigate the incident.
Incident Report
In the official incident report, the developers explained that attackers exploited an unpatched vulnerability that allowed them to modify the website’s access‑control lists and content without authentication.
“Changes were made through the website’s content management system, affecting published pages and links.”
“The attacker did not gain access to the underlying server stack — in particular no access to the host filesystem or broader operating‑system‑level control beyond CMS‑managed web content.”
What was affected?
- Alternative Windows installer download links
- Linux shell installer link
The following were not modified:
- In‑app updates
- macOS downloads
- Flatpak, Winget, Snap packages
- The main JDownloader JAR package
Verifying a Legitimate Installer
- Right‑click the downloaded file → Properties.
- Open the Digital Signatures tab.
If the signature shows AppWork GmbH, the installer is legitimate. If the file is unsigned or signed by a different name, it should be avoided.

Source: BleepingComputer
Malicious Payloads
The JDownloader team said analyzing the malicious payloads was out of scope, but they shared an archive of the compromised installers for independent analysis.
Windows Payload
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows executables and published indicators of compromise (IOCs). According to Klemenc, the malware functions as a loader that deploys a heavily obfuscated Python‑based RAT. The Python payload acts as a modular bot and RAT framework, allowing attackers to execute Python code delivered from command‑and‑control (C2) servers.
C2 servers
https://parkspringshotel[.]com/m/Lu6aeloo.php
https://auraguest[.]lk/m/douV2quu.php
Linux Payload
BleepingComputer’s analysis of the modified Linux shell installer found malicious code injected into the script that downloads an archive from checkinnhotels[.]com (disguised as an SVG file).

Source: BleepingComputer
The script then:
- Extracts two ELF binaries named pkg and systemd‑exec.
- Installs systemd‑exec as a SUID‑root binary in /usr/bin/.
- Copies the main payload to /root/.local/share/.pkg.
- Creates a persistence script in /etc/profile.d/systemd.sh.
- Launches the malware while masquerading as /usr/libexec/upowerd.
The pkg payload is heavily obfuscated with PyArmor, so its exact functionality remains unclear.
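An added example (not code from the article or from the JDownloader project) that checks a Linux host for the on-disk artifacts listed above, plus any running process that claims to be upowerd while its executable lives elsewhere. The function and variable names are the editor's; the ROOT parameter is an assumption that lets the scan run against a mounted image or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Scan for the artifacts the modified JDownloader Linux installer leaves behind.
# Paths come from the analysis above; ROOT (default "/") is an added convenience.

# Print one line per artifact found under ROOT; print nothing if the tree is clean.
jd_scan_artifacts() {
    root="${1:-/}"
    root="${root%/}"      # drop trailing slash so "$root/usr/bin" is well formed

    # 1. SUID-root helper dropped into /usr/bin/ (no distribution ships this name)
    f="$root/usr/bin/systemd-exec"
    if [ -f "$f" ]; then
        if [ -u "$f" ]; then echo "SUID binary present: $f"
        else echo "binary present (not SUID): $f"; fi
    fi

    # 2. Main payload hidden as a dot-file under root's XDG data directory
    f="$root/root/.local/share/.pkg"
    [ -e "$f" ] && echo "payload present: $f"

    # 3. Persistence: /etc/profile.d scripts are sourced by every login shell
    f="$root/etc/profile.d/systemd.sh"
    [ -f "$f" ] && echo "persistence script present: $f"
    return 0
}

# Number of findings, so callers get a count instead of parsing text.
jd_artifact_count() {
    jd_scan_artifacts "$1" | wc -l | tr -d ' '
}

# Processes whose command line says "upowerd" but whose real executable is not
# an upowerd binary (the genuine path varies by distro, hence the */upowerd match).
jd_check_masquerade() {
    for p in /proc/[0-9]*; do
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null) || continue
        case "$cmd" in *upowerd*) ;; *) continue ;; esac
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            */upowerd|*/upowerd\ \(deleted\)) ;;   # executable really is upowerd
            *) echo "masquerading PID ${p#/proc/}: cmdline='$cmd' exe='$exe'" ;;
        esac
    done
}

jd_scan_artifacts "${JD_ROOT:-/}"
jd_check_masquerade
```

Run it as root to read every process's /proc/PID/exe; set JD_ROOT to scan an offline disk image mounted elsewhere.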
Recommendations
- Users who downloaded and executed the compromised installers should reinstall their operating systems.
- Reset all passwords after cleaning the devices, as credentials may have been exfiltrated.
- Verify future JDownloader downloads using the digital‑signature method described above.
Context – Other Recent Supply‑Chain Attacks
| Date | Target | Impact |
|---|---|---|
| April 2026 | CPUID website | Malicious executables for CPU‑Z and HWMonitor |
| May 2026 | DAEMONTOOLS website | Trojanized installers containing a backdoor |
Hackers are increasingly targeting the websites of popular software tools to distribute malware to unsuspecting users. Staying vigilant—checking digital signatures, using reputable mirrors, and keeping software up‑to‑date—remains essential.