Supply Chain Attack Hits JDownloader, Distributing RAT via Compromised Installers
The popular **JDownloader** download manager's website was compromised, leading to the distribution of malicious Windows and Linux installers. The Windows payload delivered a Python-based Remote Access Trojan (RAT), impacting users who downloaded installers between May 6 and May 7, 2026.

## JDownloader Website Compromised
Attackers modified download links on the official **JDownloader** website to serve malicious third-party payloads instead of legitimate installers. This supply chain attack affected users downloading the alternative Windows installer and the Linux shell installer.
**JDownloader** is a widely used, free download management application supporting automated downloads from various file-hosting services and video sites.
## Discovery and Confirmation
The compromise was initially reported on Reddit by a user who noticed **Microsoft Defender** flagging downloaded installers as malicious. The **JDownloader** developers later confirmed the breach and took the website offline for investigation.
According to an incident report, attackers exploited an unpatched vulnerability in the website's content management system (CMS). This allowed them to alter website access control lists and content without authentication.
"Changes were made through the website's content management system, affecting published pages and links," the report stated.
The developers clarified that only the alternative Windows installer and the Linux shell installer were affected. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main **JDownloader** JAR package remained untouched.
## Verifying Installer Authenticity
Users can verify the authenticity of an installer by checking its digital signature. Right-click the file, select **Properties**, and navigate to the **Digital Signatures** tab. A legitimate installer will be signed by "AppWork GmbH." Unsigned files or those signed by a different entity should be avoided.

## Malware Analysis
While the **JDownloader** team shared the malicious installers for analysis, they stated that in-depth malware analysis was beyond their scope. Cybersecurity researcher Klemenc analyzed the malicious Windows executables, discovering a heavily obfuscated Python-based RAT.
The Python payload functions as a modular bot and RAT framework, enabling attackers to execute Python code delivered from command and control (C2) servers. Klemenc identified the following C2 servers:
* https://parkspringshotel[.]com/m/Lu6aeloo.php
* https://auraguest[.]lk/m/douV2quu.php
Analysis of the modified Linux shell installer revealed malicious code injected into the script, downloading an archive disguised as an SVG file from 'checkinnhotels[.]com'.

The script extracts two ELF binaries, 'pkg' and 'systemd-exec', and installs 'systemd-exec' as a SUID-root binary in '/usr/bin/'. The main payload is copied to '/root/.local/share/.pkg', a persistence script is created in '/etc/profile.d/systemd.sh', and the malware is launched masquerading as '/usr/libexec/upowerd'. The 'pkg' payload is heavily obfuscated using Pyarmor, obscuring its functionality.
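As an added defender-side example (not code from the article or the JDownloader project), the following POSIX shell script checks a live host or a mounted disk image for the artifacts described above. The file paths are the ones the article reports; the assumption that the process masquerade works by spoofing argv[0] rather than copying the binary over the real upowerd is ours.

```shell
# Added example (not the article's or JDownloader's code). Paths are the ones the
# article reports; the argv[0]-spoofing assumption in the process check is ours.
# Usage: scan_jdownloader_linux_iocs [ROOT]  (ROOT = mounted image prefix; empty = live /)
# Findings go to stderr, the count of artifact paths found goes to stdout.
scan_jdownloader_linux_iocs() {
    root="${1:-}"
    hits=0
    # Dropper installs 'systemd-exec' as a SUID-root helper in /usr/bin.
    f="$root/usr/bin/systemd-exec"
    if [ -f "$f" ]; then
        echo "IOC: $f present" >&2
        [ -u "$f" ] && echo "IOC: $f has the SUID bit set" >&2
        hits=$((hits + 1))
    fi
    # Main payload staged in root's home under a hidden name.
    f="$root/root/.local/share/.pkg"
    if [ -e "$f" ]; then
        echo "IOC: staged payload $f present" >&2
        hits=$((hits + 1))
    fi
    # Persistence script named to look like part of systemd.
    f="$root/etc/profile.d/systemd.sh"
    if [ -f "$f" ]; then
        echo "IOC: persistence script $f present" >&2
        hits=$((hits + 1))
    fi
    echo "$hits"
}

# Live host only: processes whose argv[0] claims /usr/libexec/upowerd while the
# executable resolves elsewhere. A genuine upowerd resolves to that same path.
find_upowerd_masquerade() {
    for p in /proc/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        argv0=$(tr '\0' '\n' < "$p/cmdline" 2>/dev/null | head -n 1)
        [ "$argv0" = "/usr/libexec/upowerd" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        [ "$exe" = "/usr/libexec/upowerd" ] || echo "IOC: pid ${p#/proc/} runs $exe as upowerd" >&2
    done
}

scan_jdownloader_linux_iocs "${1:-}"
find_upowerd_masquerade
```

Run it as root on a suspect host, or point ROOT at a mounted image when doing offline forensics; a non-zero count or any masquerade line means the installer's payload stage ran and the article's reinstall advice applies.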
## Remediation
**JDownloader** advises users who downloaded and executed the affected installers to reinstall their operating systems due to the potential for arbitrary code execution. It is also recommended to reset passwords, as credentials may have been compromised.
## Increasing Supply Chain Attacks
Website compromises targeting popular software tools are on the rise. Recent incidents include:
* **CPUID**: Hackers compromised the **CPUID** website to distribute malicious executables for **CPU-Z** and **HWMonitor**.
* **DAEMONTOOLS**: Threat actors compromised the **DAEMONTOOLS** website to distribute trojanized installers containing a backdoor.