JDownloader site hacked to replace installers for Python RAT malware

Popular download manager JDownloader’s website was compromised earlier this week to distribute malicious installers for Windows and Linux, with the Windows payload found to deploy a Python-based remote access trojan (RAT).
The supply chain attack affects those who downloaded installers from the official website between May 6 and May 7, 2026 via the Windows “Download Another Installer” links or the Linux shell installer.
According to the developers, the attackers modified the website’s download links to point to paid third-party downloads rather than the official installers.
JDownloader is a widely used free download manager application that supports automatic downloads from file hosting services, video sites, and premium link generators. The software has been available for over a decade and is used by millions around the world across Windows, Linux, and macOS.
JDownloader supply chain attack
The compromise was first reported on Reddit by a user named “PrinceOfNightSky,” who noticed that the downloaded installers were being flagged by Microsoft Defender.
“I was using Jdownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a usb drive but decided to download the latest version,” PrinceOfNightSky posted on Reddit.
“The website is legitimate but all windows Exes are reported as malware by windows and the developer is listed as ‘Zipline LLC.’ And sometimes it’s called ‘Water Team’ The software is apparently made by Appwork and I have to manually open it in windows to run it which I won’t do.”
The developers of JDownloader later confirmed that the site had been hacked and took the website offline to investigate the incident.
In the incident report, the devs said their website was compromised by attackers using an open vulnerability that allowed them to change the website’s access control list and content without authentication.
“Changes were made to the website’s content management system, affecting published pages and links,” reads the incident report.
“The attacker had no access to the underlying server stack – specifically no access to the host’s file system or broad operating system control beyond the web content managed by the CMS.”
The developers revealed that the compromise only affected some Windows installer download links and the Linux shell installer link. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the large JDownloader JAR package were not affected.
The developers also say that users can verify whether an installer is legitimate by right-clicking the file, selecting Properties, and then opening the Digital Signatures tab.
If the Digital Signatures tab shows that the file is signed by “AppWork GmbH,” it is legitimate. However, if the file is unsigned or signed under a different name, it should not be run.

Source: BleepingComputer
The JDownloader team said analyzing malicious downloads was “out of our scope,” but shared an archive of malicious downloads so others could analyze them.
Cybersecurity researcher Thomas Klemenc analyzed the malicious Windows installers and shared indicators of compromise (IOCs) for the malware.
According to Klemenc, the malware acts as a loader that deploys a heavily obfuscated Python-based RAT.
Klemenc said the Python payload works as a modular bot and RAT framework, allowing attackers to execute Python code delivered from its command and control (C2) servers.
The researcher also shared two command and control servers used by the malware:
https://parkspringshotel[.]com/m/Lu6aeloo.php
https://auraguest[.]lk/m/douV2quu.php
BleepingComputer’s analysis of the modified Linux shell installer found malicious code embedded in the script that downloads an archive from ‘checkinnhotels[.]com’ disguised as an SVG file.

Source: BleepingComputer
Once downloaded, the script extracts the ELF binaries named ‘pkg’ and ‘systemd-exec’ and installs ‘systemd-exec’ as a SUID binary in ‘/usr/bin/’.
The installer then copies the main payload to ‘/root/.local/share/.pkg’, creates a persistence script at ‘/etc/profile.d/systemd.sh’, and launches the malware while masquerading as ‘/usr/libexec/upowerd’.
The ‘pkg’ payload is also heavily obfuscated with Pyarmor, so what it does is not yet clear.
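The on-disk and process artifacts described above can be checked with a read-only script such as the following. This is an added example, not code from the article or from the JDownloader project; the paths are those named above, while the function name and the optional ROOT prefix (for scanning a mounted disk image instead of the live host) are assumptions.

```sh
#!/bin/sh
# Added example (not from the article or the JDownloader project): a read-only check
# for the artifacts the article attributes to the malicious Linux installer.
# Paths are the ones named in the article; the function name and the optional ROOT
# prefix (scan a mounted image rather than the live host) are assumptions.
#
# Usage: check_linux_iocs [ROOT]   -> prints one "HIT: ..." line per indicator found
check_linux_iocs() {
    root="${1:-}"

    # 1. SUID helper the installer drops into /usr/bin
    f="$root/usr/bin/systemd-exec"
    if [ -e "$f" ]; then
        if [ -u "$f" ]; then
            echo "HIT: $f exists with the SUID bit set"
        else
            echo "HIT: $f exists (no SUID bit, but not a stock binary)"
        fi
    fi

    # 2. Main payload hidden under root's home directory
    f="$root/root/.local/share/.pkg"
    [ -e "$f" ] && echo "HIT: payload $f is present"

    # 3. Persistence hook sourced by every interactive login shell
    f="$root/etc/profile.d/systemd.sh"
    [ -e "$f" ] && echo "HIT: persistence script $f is present"

    # 4. Running process that names itself /usr/libexec/upowerd while its real
    #    executable is something else (only meaningful where $root/proc exists)
    for p in "$root"/proc/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        case "$cmd" in
            /usr/libexec/upowerd*)
                exe=$(readlink "$p/exe" 2>/dev/null)
                [ "$exe" = "/usr/libexec/upowerd" ] ||
                    echo "HIT: pid ${p##*/} masquerades as upowerd (exe: ${exe:-unknown})" ;;
        esac
    done
    return 0
}
```

Run it as root on a suspect host with no argument, or point it at the mount point of an offline image; any HIT line means the host should be treated as compromised and rebuilt rather than cleaned in place.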
JDownloader says users are only at risk if they downloaded and ran the affected installers while the site was compromised.
Since the malware executes attacker-supplied code on infected devices, anyone who ran the malicious installers is advised to reinstall their operating system.
It is also possible that credentials stored on the devices have been compromised, so resetting passwords after cleaning the devices is strongly advised.
Cybercriminals have focused on popular software tool websites this year to distribute malware to unsuspecting users.
In April, hackers compromised the CPUID website to modify the download links for the popular CPU-Z and HWMonitor tools so that they served malware.
Earlier this month, malicious actors compromised the DAEMON Tools website to distribute trojanized installers containing a backdoor.