The official JDownloader website was compromised between May 6–7, 2026, with attackers hijacking installer download links to deliver a Python-based remote access trojan (RAT) to Windows users and a malicious ELF binary implant to Linux users.
The incident marks one of the most impactful software supply chain attacks of 2026, affecting millions of potential users who trusted the open-source download manager’s official distribution channel.
JDownloader is a widely used, free, open-source download management application maintained by AppWork GmbH that supports automated downloads from file-hosting services, video-sharing platforms, and premium link generators.
Available for over a decade across Windows, Linux, and macOS, the software has accumulated millions of global users, making it a high-value target for threat actors seeking maximum infection reach through a single, trusted distribution vector.
JDownloader Hacked
The attack began quietly on the evening of May 5, 2026 (approximately 23:55 UTC), when attackers probed a low-traffic page to test their approach before escalating.
By 00:01 UTC on May 6, they had successfully modified multiple download links on the official jdownloader.org website, redirecting users who clicked “Download Alternative Installer” for Windows and the Linux shell installer link to malicious third-party payloads instead of legitimate software.
According to the JDownloader development team’s public incident report, the attackers exploited an unpatched vulnerability in the website’s content management system (CMS), allowing them to modify access control lists and publish page content without authentication.
Critically, the attackers did not penetrate the underlying server infrastructure, host filesystem, or operating-system-level controls; the breach was entirely confined to CMS-managed web content.
The compromise was first reported by a Reddit user known as “PrinceOfNightSky,” who said that freshly downloaded JDownloader installers were being flagged by Microsoft Defender, with the publisher listed as “Zipline LLC” and “The Water Team,” neither of which is affiliated with AppWork GmbH.
The JDownloader team was formally notified at 17:06 UTC on May 7, and the server was fully taken offline by 17:24 UTC. After remediation, configuration hardening, and independent verification, the website was restored to normal service on the night of May 8–9, 2026.
Malware Technical Analysis
The Windows payload was analyzed by cybersecurity researcher Thomas Klemenc, who found that the malicious executables functioned as a loader that deploys a heavily obfuscated Python-based RAT framework.
The Python payload operates as a modular bot, enabling attackers to remotely execute arbitrary Python code received from command-and-control (C2) servers.
Klemenc identified two C2 servers:
On Linux, analysis revealed the compromised shell installer contained malicious code that downloads a disguised archive from checkinnhotels[.]com, presented as an SVG file.
Once extracted, the script drops two ELF binaries, pkg and systemd-exec, installs systemd-exec as a SUID-root binary in /usr/bin/, establishes persistence via /etc/profile.d/systemd.sh, and masquerades the main payload as /usr/libexec/upowerd. The pkg binary is obfuscated using Pyarmor, obscuring its full capabilities.
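The following checker looks for the three Linux artifacts named in that analysis. It is an added example, not code from the original article or from AppWork GmbH; the three paths come from the article, while the `root` parameter and the `make_sample_tree` helper (which builds a constructed throwaway tree for demonstration) are assumptions added here so the scan can be pointed at a mounted disk image or a test directory instead of the live filesystem.

```python
"""Look for the Linux persistence artifacts described in the analysis above.

Added example; not code from the original article or from AppWork GmbH.
The artifact paths are taken from the article. The `root` parameter and
`make_sample_tree` are additions so the checker can be run against a
mounted image or a constructed test tree instead of "/".
"""
import os
import stat
import tempfile

# Artifacts the compromised shell installer leaves behind, per the analysis.
ARTIFACT_PATHS = (
    "etc/profile.d/systemd.sh",   # persistence hook sourced by login shells
    "usr/bin/systemd-exec",       # dropped helper installed SUID root
    "usr/libexec/upowerd",        # main payload masquerading as the UPower daemon
)


def file_mode_summary(path: str) -> str:
    """Describe a file's owner and setuid state, e.g. 'uid=0 suid' or 'uid=1000'."""
    st = os.lstat(path)
    parts = [f"uid={st.st_uid}"]
    if st.st_mode & stat.S_ISUID:
        parts.append("suid")
    if stat.S_ISLNK(st.st_mode):
        parts.append("symlink")
    return " ".join(parts)


def scan_for_artifacts(root: str = "/") -> dict:
    """Map each known artifact path to a mode summary if present, else None."""
    findings = {}
    for rel in ARTIFACT_PATHS:
        full = os.path.join(root, rel)
        findings[rel] = file_mode_summary(full) if os.path.lexists(full) else None
    return findings


def present_artifacts(findings: dict) -> list:
    """Return the artifact paths that exist in the scanned tree, in table order."""
    return [rel for rel, desc in findings.items() if desc is not None]


def make_sample_tree(artifacts=("etc/profile.d/systemd.sh",)) -> str:
    """Create a throwaway directory tree containing placeholder files at the
    named artifact paths (constructed demo data, not the real payload)."""
    base = tempfile.mkdtemp(prefix="jd_scan_")
    for rel in artifacts:
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("# constructed placeholder, not the real artifact\n")
    return base


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/"
    result = scan_for_artifacts(target)
    for rel, desc in result.items():
        print(f"/{rel}: {desc or 'absent'}")
    # Non-zero exit when anything is found, so a triage script can stop and
    # hand the host to the wipe-and-reinstall path recommended below.
    sys.exit(1 if present_artifacts(result) else 0)
```

Run it as root against the live system, or pass the mount point of an offline disk image. One caveat: some distributions install the genuine UPower daemon at /usr/libexec/upowerd, so that path alone is not conclusive and should be cross-checked against the package manager's file verification (for example `rpm -V upower` or `dpkg -V upower`). The profile.d hook and a SUID-root /usr/bin/systemd-exec are the stronger indicators.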
Eight malicious installer files were identified. Users who downloaded any of the following should not execute them and should delete them immediately:
| File | Size (bytes) | SHA256 |
|---|---|---|
| JDownloader2Setup_unix_nojre.sh | 7,934,496 | 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af |
| JDownloader2Setup_windows-amd64_v11_0_30.exe | 104,910,336 | fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9 |
| JDownloader2Setup_windows-amd64_v17_0_18.exe | 101,420,032 | 04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495 |
| JDownloader2Setup_windows-amd64_v1_8_0_482.exe | 61,749,248 | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 |
| JDownloader2Setup_windows-amd64_v21_0_10.exe | 107,124,736 | 32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805 |
| JDownloader2Setup_windows-x86_v11_0_29.exe | 87,157,760 | de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e |
| JDownloader2Setup_windows-x86_v17_0_17.exe | 86,576,128 | e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16 |
| JDownloader2Setup_windows-x86_v1_8_0_472.exe | 62,498,304 | 4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c |
Legitimate JDownloader installers are digitally signed by “AppWork GmbH.” If the Digital Signatures tab shows an unknown publisher or no signature, the file should be deleted immediately and not executed.
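To check a downloads folder against that table without hashing each file by hand, here is an added example (not code from the original article or from AppWork GmbH). The file names, sizes and SHA256 digests are copied from the table above; the streaming hash, the lookup logic and the `write_sample_file` helper (which writes constructed bytes for demonstration) are assumptions added here.

```python
"""Hash downloaded installers and compare them with the SHA256 IoCs listed above.

Added example; not code from the original article or from AppWork GmbH. The
names, sizes and digests are copied from the incident table; the hashing and
lookup code, and the write_sample_file helper, are additions.
"""
import hashlib
import os
import tempfile
from typing import Optional

# (file name, size in bytes, SHA256) for each malicious installer in the table.
MALICIOUS_INSTALLERS = [
    ("JDownloader2Setup_unix_nojre.sh", 7_934_496,
     "6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af"),
    ("JDownloader2Setup_windows-amd64_v11_0_30.exe", 104_910_336,
     "fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9"),
    ("JDownloader2Setup_windows-amd64_v17_0_18.exe", 101_420_032,
     "04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495"),
    ("JDownloader2Setup_windows-amd64_v1_8_0_482.exe", 61_749_248,
     "5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3"),
    ("JDownloader2Setup_windows-amd64_v21_0_10.exe", 107_124_736,
     "32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805"),
    ("JDownloader2Setup_windows-x86_v11_0_29.exe", 87_157_760,
     "de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e"),
    ("JDownloader2Setup_windows-x86_v17_0_17.exe", 86_576_128,
     "e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16"),
    ("JDownloader2Setup_windows-x86_v1_8_0_472.exe", 62_498_304,
     "4ff7eec9e69b6008b77de1b6e50c0d18aa717f625458d80da610cb170c784e97c"),
]

# Index by lowercase digest for direct lookup, and by name for a weaker hint.
_BY_DIGEST = {digest.lower(): (name, size) for name, size, digest in MALICIOUS_INSTALLERS}
_LISTED_NAMES = {name for name, _, _ in MALICIOUS_INSTALLERS}


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so 100 MB installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup_digest(digest: str) -> Optional[str]:
    """Return the listed malicious file name for a digest, or None if it is not an IoC."""
    hit = _BY_DIGEST.get(digest.strip().lower())
    return hit[0] if hit else None


def check_installer(path: str) -> dict:
    """Hash one file and report whether it matches a known-malicious installer.

    A digest match is conclusive. A listed file name with a different digest is
    flagged only as name_listed: it is not one of the eight IoCs, but that is
    not proof the file is clean, so the publisher-signature check still applies.
    """
    digest = sha256_of_file(path)
    matched = lookup_digest(digest)
    return {
        "path": path,
        "sha256": digest,
        "size": os.path.getsize(path),
        "malicious": matched is not None,
        "matched_name": matched,
        "name_listed": os.path.basename(path) in _LISTED_NAMES,
    }


def check_directory(directory: str) -> list:
    """Check every regular file in a downloads folder; returns per-file reports."""
    reports = []
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            reports.append(check_installer(full))
    return reports


def write_sample_file(content: bytes) -> str:
    """Write constructed bytes to a temp file (demo input, not a real installer)."""
    fd, path = tempfile.mkstemp(prefix="jd_sample_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    import sys
    for report in check_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        verdict = (f"MALICIOUS (matches {report['matched_name']})"
                   if report["malicious"] else "no IoC match")
        print(f"{report['path']}: {verdict}")
```

Run it with the downloads directory as the only argument. A hash match identifies one of the eight files above; no match is not a clean bill of health, because the table lists only the installers identified so far, which is why the AppWork GmbH signature check remains the decisive test for any installer obtained from the website during the incident window.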
The attack exclusively targeted two delivery paths: the Windows “Download Alternative Installer” links and the Linux shell installer link on jdownloader.org. All in-app updates remained secure.
JDownloader’s built-in updater uses RSA-signed, cryptographically verified packages delivered through a channel entirely independent of the website’s download links. macOS installers, Flatpak, Winget, Snap packages, and the main JDownloader JAR package were unaffected.
Mitigation:
For users who may have executed a compromised installer, the JDownloader team and independent security researchers strongly recommend a full operating system wipe and clean reinstall rather than relying solely on antivirus scanning, as advanced RAT frameworks can establish persistence mechanisms that evade post-infection detection.
Until the system is confirmed clean, users should avoid sensitive logins on the affected machine, change account passwords from a separate trusted device, and restore personal files only from verified backups.
This incident is part of a growing trend of website-based software supply chain attacks in 2026. Earlier this year, CPUID’s website was compromised to distribute malicious versions of CPU-Z and HWMonitor.
The DAEMONTOOLS website was similarly hijacked to push backdoored installers, confirming that attackers are systematically targeting trusted developer and utility software distribution channels as a high-efficiency infection vector.
FAQ
Q1: Are in-app JDownloader updates affected by this incident?
No. In-app updates use RSA-signed, cryptographically verified packages delivered via a channel completely separate from the compromised website download links.
Q2: How can I verify if my JDownloader installer is legitimate?
Right-click the file → Properties → Digital Signatures; the publisher must show “AppWork GmbH”. Any other name, or a missing signature, indicates a malicious file.
Q3: What malware was distributed through the compromised JDownloader installers?
Windows users received a Python-based modular RAT framework deployed via a loader, while Linux users received obfuscated Pyarmor-packed ELF binaries that establish SUID-root persistence.
Q4: What should I do if I executed a malicious JDownloader installer?
Perform a full OS wipe and clean reinstall, change all passwords from a trusted device, and restore only files from verified backups.
Site: thecybrdef.com