JDownloader Website Compromised to Deliver Python RAT Malware

May 10, 2026 Faeem BLOGS 0

Overview The official JDownloader website was compromised between May 6–7, 2026, replacing legitimate installers with malicious payloads. The attack impacted Windows alternative installers and the Linux shell installer, delivering a Python‑based remote access trojan (RAT) and obfuscated ELF binaries.

Attack Details

  • Windows Payload:
    • Malicious installer acted as a loader.
    • Deployed a heavily obfuscated Python RAT capable of executing attacker‑delivered code.
    • Connected to C2 servers:
      • parkspringshotel[.]com/m/Lu6aeloo.php
      • auraguest[.]lk/m/douV2quu.php
  • Linux Payload:
    • Modified shell installer downloaded an archive from checkinnhotels[.]com disguised as an SVG.
    • Extracted ELF binaries pkg and systemd-exec.
    • Installed systemd-exec as a SUID‑root binary in /usr/bin/.
    • Persistence via /etc/profile.d/systemd.sh.
    • Masqueraded as /usr/libexec/upowerd.
    • Payload obfuscated with Pyarmor, making analysis difficult.

Scope of Compromise

  • Affected:
    • Windows “Download Alternative Installer” links.
    • Linux shell installer link.
  • Not Affected:
    • In‑app updates.
    • macOS downloads.
    • Flatpak, Winget, Snap packages.
    • Main JDownloader JAR package.

Defensive Guidance

  • Verification: Check installer Digital Signatures. Legitimate files are signed by AppWork GmbH.
  • Remediation:
    • Reinstall operating systems if malicious installers were executed.
    • Reset all credentials (passwords, SSH keys, API tokens).
  • User Awareness: Avoid running installers flagged by security tools, even if from “official” sites.

Broader Context

This incident is part of a growing wave of supply chain compromises:

  • April 2026: CPUID website hacked to serve trojanized CPU‑Z and HWMonitor installers.
  • May 2026: DAEMONTOOLS website compromised to distribute backdoored installers.

Final Thought

The JDownloader compromise highlights how attackers increasingly target trusted software websites rather than obscure malware sites. By hijacking legitimate download links, they bypass user skepticism and security filters. For defenders, the lesson is clear: digital signature verification and supply chain monitoring are now essential user practices.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.