
Official JDownloader Site Compromised to Distribute Malware on Windows and Linux

The popular JDownloader download manager has fallen victim to a cyberattack! Attackers managed to compromise the official website and modify the download links to point to infected installer builds. Here’s what we know.

If you downloaded JDownloader on Windows or Linux between May 6 and May 7, 2026, you should read this article carefully. Attackers compromised the official website of this well-known utility and, through that access, were able to replace legitimate installers with malicious versions carrying a remote access Trojan (RAT) written in Python. Following the security incidents involving DAEMON Tools and CPUID, this is yet another example of a supply chain attack...

The warning sign came from the JDownloader user community, and more specifically from Reddit. As BleepingComputer reports, a user named PrinceOfNightSky noticed that Microsoft Defender was blocking the Windows executable, even though it had just been downloaded from the official site.

"The website is official, but all Windows EXE files are being flagged as malware by Windows, and the developer is shown as ‘Zipline LLC’. Sometimes, it says ‘The Water Team’. The software is clearly developed by Appwork, and I would have to manually unblock it in Windows to run it, which I’m not going to do," the post says.

Takeover of the JDownloader Website

A few hours later, following these Reddit reports, the JDownloader team published a report on the incident after carrying out the necessary investigations. The attacker gained access to the official site after compromising the website’s CMS (content management system).

"Changes were made through the website’s content management system, affecting published pages and links. The attacker did not manage to access the underlying server stack — in particular, they did not gain access to the host’s file system or broader control at the operating system level, beyond the web content managed by the CMS," it reads.

Infected versions were distributed through the official website. According to early analysis carried out by several researchers, including Thomas Klemenc on X, the Windows executable acted as a loader used to deploy a Python-based RAT (Remote Access Trojan). With this malware, attackers were able to execute remote commands through the C2 infrastructure. In his post, he also lists indicators of compromise, including two IP addresses linked to the malicious activity (172.96.172.-91 and 209.133.215.-178).

As for the infected Linux version, it appears to have been an archive disguised as an SVG file and downloaded from an external address. This malicious script would then download two binaries named pkg and systemd-exec. The main payload is executed while masquerading as the legitimate process /usr/libexec/upowerd.
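One way to check a Linux host for the masquerade described above, as an added example that is not from the original article or from the JDownloader team. It assumes the payload hides by presenting /usr/libexec/upowerd as its argv[0] (the article does not say how the masquerade is done); the sample process tree and its paths are constructed.

```python
import os

CLAIMED = "/usr/libexec/upowerd"   # process name the payload hides behind (from the article)
DROPPED = {"pkg", "systemd-exec"}  # downloaded binary names reported in the article


def scan_proc(proc_root="/proc"):
    """Return (pid, exe, reason) for processes whose claimed name and real binary disagree."""
    findings = []
    for pid in sorted((p for p in os.listdir(proc_root) if p.isdigit()), key=int):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
        real = exe.removesuffix(" (deleted)")  # the kernel appends this if the file was unlinked
        if argv0 == CLAIMED and real != CLAIMED:
            findings.append((int(pid), exe, "argv[0] claims upowerd but the binary is elsewhere"))
        elif os.path.basename(real) in DROPPED:
            findings.append((int(pid), exe, "binary name matches a reported payload"))
    return findings


def build_sample_proc(root):
    """Constructed /proc-like tree: genuine upowerd, two suspicious processes, one shell."""
    sample = {
        "812": (b"/usr/libexec/upowerd\0", "/usr/libexec/upowerd"),
        "4242": (b"/usr/libexec/upowerd\0", "/home/user/.cache/systemd-exec"),
        "4300": (b"./pkg\0--quiet\0", "/tmp/pkg (deleted)"),
        "5000": (b"bash\0", "/usr/bin/bash"),
    }
    for pid, (cmdline, exe) in sample.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmdline)
        os.symlink(exe, os.path.join(root, pid, "exe"))  # mimics the /proc/<pid>/exe link
    return root


if __name__ == "__main__":
    for pid, exe, reason in scan_proc():
        print(f"pid {pid}: {exe} ({reason})")
```

Run it as root on a live system, since /proc/<pid>/exe is not readable for other users' processes and those are silently skipped. A clean result does not clear the host: it only covers processes running at scan time.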

Who Is Affected by This Incident?

It is important to note that this security incident does not affect every download link. In fact, two specific links were targeted and modified:

  • The Windows installer download links, via the "Download Alternative Installer" link,
  • The Linux shell installer link.

The other versions, whether updates obtained through the application’s internal update mechanism, macOS packages, Flatpak, Winget, Snap, or the JAR package, are not impacted by this cyberattack.

The malicious Windows version can be identified by an inconsistent digital signature. A legitimate installer is signed by the publisher, AppWork GmbH, and not by any other publisher. The attackers appear to have reused legitimate certificates to sign their malicious executable.

In short, if you downloaded the Windows installer or the Linux script between May 6 and May 7, 2026, caution is advised! Scan your machine for malicious activity and consider reinstalling your system to ensure a complete cleanup.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
