JDownloader Website Hacked—Malicious Installers Served for 24 Hours
Attackers exploited a CMS flaw on JDownloader's website to swap download links with trojanized installers. Windows users got a Python RAT; Linux users got root-persisted ELF binaries.
The official JDownloader website served malware-laden installers to Windows and Linux users for roughly 24 hours, between May 6 and 7, 2026. Attackers exploited an unpatched vulnerability in the site's content management system to replace legitimate download links with links to trojanized payloads, without ever touching the underlying server filesystem.
This marks the second major software supply chain compromise in a week, following the DAEMON Tools attack that served backdoors to users in over 100 countries. Both incidents highlight how attackers increasingly target official download pages rather than the software itself.
What Happened
A Reddit user named "PrinceOfNightSky" first reported suspicious behavior after downloading JDownloader. The JDownloader development team confirmed the breach and took the website offline to investigate.
The attackers exploited CVE-2026-6973, an authentication bypass in the site's CMS that allowed modifying access control lists and page content without credentials. They changed the "Download Alternative Installer" links for Windows and the Linux shell installer to point to attacker-controlled payloads.
Affected downloads:
- Windows "Alternative Installer" link
- Linux shell installer (.sh)
Unaffected:
- macOS installers
- In-app automatic updates
- Flatpak, Snap, and Winget packages
- The main JAR file download
The scope is limited because only the download links on the website were altered; the in-app update infrastructure and the package manager repositories (Flatpak, Snap, Winget) were never touched, so updates pulled through those channels came from the genuine build pipeline.
The Malware Payloads
Windows: Python RAT with Delayed Execution
The Windows installer deployed a heavily obfuscated Python-based remote access trojan (a PyArmor-protected blob appears among the indicators below), similar to the infostealers distributed through trojanized CPUID utilities last month. According to dynamic analysis on ANY.RUN, the malware sits dormant for eight minutes after installation before activating its payload, a delay most likely chosen to outlast the execution window of automated sandboxes.
The RAT operates as a modular bot framework, fetching and executing arbitrary Python code from C2 servers. This design lets operators deploy new capabilities without modifying the initial implant.
Linux: Root-Persisted ELF Binaries
The malicious Linux .sh installer carried injected code that downloads an archive containing two ELF binaries, pkg and systemd-exec. They are installed with root-level persistence and masquerade as /usr/libexec/upowerd, the path of the legitimate UPower power-management daemon on most current distributions, so they blend into an ordinary process and file listing.
Both payloads connect to the same C2 infrastructure, suggesting a single threat actor behind the campaign.
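One concrete check for the Linux case, as an added example written for this article (not code from AppWork GmbH or the JDownloader project): it asks whether /usr/libexec/upowerd is still the file the distribution's package manager installed. It assumes a dpkg-based system, where each package records the MD5 of every file it ships in /var/lib/dpkg/info/<pkg>.md5sums as "<md5hex>  <path without leading slash>" lines; on rpm-based systems `rpm -Vf /usr/libexec/upowerd` performs the equivalent comparison. The `root` parameter lets the same check run against a mounted disk image instead of the live host.

```python
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

DPKG_INFO = Path("/var/lib/dpkg/info")   # where dpkg keeps <pkg>.md5sums (assumed Debian-style layout)
SUSPECT_PATH = "/usr/libexec/upowerd"    # path the Linux payload masquerades as


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse a dpkg .md5sums file ("<md5hex>  <path without leading slash>"
    per line) into {"/absolute/path": md5hex}."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(maxsplit=1)   # paths may contain spaces, digests never do
        if len(fields) == 2:
            entries["/" + fields[1].strip()] = fields[0].lower()
    return entries


def md5_file(path: Path) -> str:
    """MD5 of a file, streamed so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def owning_package(target: str, info_dir: Path = DPKG_INFO) -> tuple[str, str] | None:
    """Return (package, recorded md5) for the package whose .md5sums lists target,
    or None when no installed package claims the path."""
    for md5file in sorted(info_dir.glob("*.md5sums")):
        entries = parse_md5sums(md5file.read_text(errors="replace"))
        if target in entries:
            return md5file.stem, entries[target]
    return None


def verify(target: str = SUSPECT_PATH, info_dir: Path = DPKG_INFO,
           root: Path = Path("/")) -> str:
    """Classify target as 'missing', 'unowned' (present, but no package claims it),
    'modified' (content differs from the package record) or 'intact'."""
    path = root / target.lstrip("/")
    if not path.is_file():
        return "missing"
    owner = owning_package(target, info_dir)
    if owner is None:
        return "unowned"
    _pkg, expected = owner
    return "intact" if md5_file(path) == expected else "modified"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SUSPECT_PATH
    print(f"{target}: {verify(target)}")
```

Read the result with the threat model in mind: "unowned" or "modified" on /usr/libexec/upowerd is a strong signal, but "intact" is not a clean bill of health, because an implant that already runs as root can rewrite the same dpkg metadata the script trusts. That asymmetry is why the developers' advice to reinstall the OS, rather than hunt for the binaries, is the right call once a compromised installer has been run.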
How to Detect Compromise
Legitimate JDownloader installers carry a cryptographic signature from AppWork GmbH. The malicious installers were either unsigned or signed by fake publishers like "Zipline LLC" or "The Water Team."
Indicators of Compromise:
| Type | Value |
|---|---|
| Initial installer | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 |
| Stage 2 payload | 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 |
| PyArmor blob | 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a |
| C2 URL | hxxps://parkspringshotel[.]com/m/Lu6aeloo.php |
| C2 URL | hxxps://auraguest[.]lk/m/douV2quu.php |
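How the checks in this section can be automated, as an added example written for this article (not code from AppWork GmbH or the JDownloader project): it parses the IoC table above as published, refangs the defanged C2 URLs, hashes every file under a directory against the listed SHA-256 values, searches small files (configs, scripts, logs) for the C2 hosts, and compares a code-signing subject against "AppWork GmbH" by exact match on CN and O. The subject DN shown in the docstring is a constructed illustration; on Windows the helper that calls PowerShell's Get-AuthenticodeSignature is what actually validates the certificate chain and returns the real subject, and it only works there. Everything else runs on any platform.

```python
from __future__ import annotations

import hashlib
import re
import subprocess
import sys
from pathlib import Path

# IoC table copied from the article; the markdown framing is what the parser consumes.
IOC_TABLE = """\
| Type | Value |
|---|---|
| Initial installer | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 |
| Stage 2 payload | 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 |
| PyArmor blob | 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a |
| C2 URL | hxxps://parkspringshotel[.]com/m/Lu6aeloo.php |
| C2 URL | hxxps://auraguest[.]lk/m/douV2quu.php |
"""
LEGIT_PUBLISHER = "AppWork GmbH"  # signer name on genuine installers, per the article

def refang(value: str) -> str:
    """Undo hxxp:// and [.] defanging so the indicator can be matched."""
    return re.sub(r"^hxxp", "http", value).replace("[.]", ".")

def parse_ioc_table(table: str) -> dict[str, set[str]]:
    """Parse the markdown table into {"sha256": ..., "url": ..., "host": ...}.
    Hashes are recognised by shape (64 hex chars), not by the Type column,
    so a relabelled row cannot silently drop an indicator."""
    iocs: dict[str, set[str]] = {"sha256": set(), "url": set(), "host": set()}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] in ("Type", "---"):
            continue
        value = cells[1]
        if re.fullmatch(r"[0-9a-fA-F]{64}", value):
            iocs["sha256"].add(value.lower())
        elif value.startswith(("hxxp", "http")):
            url = refang(value)
            iocs["url"].add(url)
            iocs["host"].add(url.split("/")[2].lower())
    return iocs

def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(root: Path, iocs: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (reason, path) pairs: files whose SHA-256 is listed, and files up to
    8 MiB (configs, scripts, logs) that mention a C2 host."""
    host_re = re.compile("|".join(re.escape(h) for h in sorted(iocs["host"])), re.I)
    hits: list[tuple[str, str]] = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if sha256_file(path) in iocs["sha256"]:
            hits.append(("sha256 match", str(path)))
        if iocs["host"] and path.stat().st_size <= 8 * 1024 * 1024:
            # latin-1 decodes any byte sequence, and the hosts are plain ASCII
            if host_re.search(path.read_bytes().decode("latin-1")):
                hits.append(("c2 host reference", str(path)))
    return hits

def parse_dn(subject: str) -> dict[str, str]:
    """Split a subject such as 'CN=AppWork GmbH, O=AppWork GmbH, C=DE' (constructed
    illustration) into attributes without breaking on commas inside a value like 'Foo, Inc.'."""
    attrs: dict[str, str] = {}
    for part in re.split(r",\s*(?=[A-Za-z.]+=)", subject):
        key, _, val = part.partition("=")
        attrs[key.strip().upper()] = val.strip().strip('"')
    return attrs

def signer_is_legitimate(subject: str) -> bool:
    """Exact match on CN and, when present, O; a substring test would accept
    lookalikes such as 'AppWork GmbH Ltd'."""
    dn = parse_dn(subject)
    return dn.get("CN") == LEGIT_PUBLISHER and dn.get("O", LEGIT_PUBLISHER) == LEGIT_PUBLISHER

def windows_signature(path: Path) -> tuple[str, str]:
    """(status, signer subject) from Get-AuthenticodeSignature; Windows only.
    Status is 'Valid' for a trusted chain and 'NotSigned' for an unsigned file."""
    cmd = (f"$s = Get-AuthenticodeSignature -FilePath '{path}'; $s.Status; "
           "if ($s.SignerCertificate) { $s.SignerCertificate.Subject }")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True, check=True).stdout.splitlines()
    return out[0].strip(), (out[1].strip() if len(out) > 1 else "")

if __name__ == "__main__":
    found = parse_ioc_table(IOC_TABLE)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for reason, hit in scan_directory(target, found):
        print(f"{reason}: {hit}")
```

Run it against the Downloads folder (or pass a directory as the first argument); a "sha256 match" is definitive, a "c2 host reference" deserves a look at the file. On Windows, treat an installer as genuine only when `windows_signature()` reports `Valid` and `signer_is_legitimate()` accepts the subject: the exact-match rule is deliberate, because the fake publishers seen in this campaign are cheap to replace with a name that merely contains the real one.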
Remediation Steps
JDownloader's developers recommend a full OS reinstall for anyone who downloaded the compromised installers. A clean installation is the only way to ensure complete removal of root-persisted malware.
After reinstalling:
- Reset all passwords stored or entered on the affected device
- Revoke and regenerate any API keys or tokens
- Check for unauthorized access to accounts used from that machine
- Verify the signature on any new installers before running them
For those unsure whether they downloaded a malicious version, check the installer's digital signature: a genuine installer carries a valid signature whose subject is exactly "AppWork GmbH". An unsigned file, or a certificate issued to any other name, indicates a compromised file.
Why This Matters
CMS vulnerabilities that allow content manipulation without full server access present an underappreciated risk. Attackers don't need database credentials or shell access—they just need to change a link. The attackers behind this campaign demonstrated that even limited web application flaws can enable large-scale malware distribution.
This pattern has accelerated recently. Beyond DAEMON Tools and JDownloader, we've seen PyPI supply chain attacks targeting AI/ML libraries and credential-stealing worms spreading through exposed cloud infrastructure. Organizations downloading any software—especially from alternative or "mirror" links—should verify signatures before execution.
For more on identifying and defending against malicious software, see our malware fundamentals guide.
Related Articles
GlassWorm Escalates: 72 Malicious VSCode Extensions Steal Credentials
GlassWorm supply chain attack spreads via 72 Open VSX extensions using invisible Unicode obfuscation. Targets crypto wallets, API tokens, and CI/CD pipelines.
Mar 15, 2026
DAEMON Tools Trojanized Since April—Backdoor Hit 100+ Countries
Kaspersky uncovered a supply chain attack on DAEMON Tools official website. Trojanized installers deployed QUIC RAT backdoors to thousands of systems, with a dozen government and manufacturing targets receiving advanced payloads.
May 8, 2026
73 GlassWorm Sleeper Extensions Found in Open VSX Marketplace
Socket researchers identify 73 malicious VS Code extensions on Open VSX tied to GlassWorm campaign. Six already activated to deliver malware through native binaries and obfuscated JavaScript.
Apr 27, 2026
Bitwarden CLI Compromised in Shai-Hulud Supply Chain Attack
A malicious npm package hijacked Bitwarden CLI's publishing pipeline on April 22, harvesting credentials from 334 developers. Here's what happened.
Apr 25, 2026