Official JDownloader site served malware to Windows and Linux users between May 6 and May 7

JDownloader website was hacked to distribute malicious Windows and Linux installers carrying a Python RAT between May 6–7, 2026.
JDownloader's official website was compromised in a supply chain attack that replaced legitimate Windows and Linux installers with malicious files between May 6 and May 7, 2026. JDownloader is a free, open-source download management application designed to simplify and automate file downloads from websites, file-hosting services, and video platforms.
Attackers modified download links on the site to serve users malware instead of the real software. Researchers found the Windows installer deployed a Python-based remote access trojan (RAT), giving attackers remote control over infected systems.
The attack targeted users downloading the Windows “Alternative Installer” and the Linux shell installer. JDownloader is a popular download manager used by millions on Windows, Linux, and macOS, making the incident particularly concerning.
Reddit user PrinceOfNightSky first spotted the JDownloader compromise after Microsoft Defender flagged the downloaded installers as malicious. The user noticed suspicious developer names like “Zipline LLC” and “The Water Team” instead of the legitimate publisher, AppWork GmbH.
“I've been using Jdownloader and switched to a new PC a few weeks ago. Luckily I had the installer on a USB drive but decided to download the latest version. The website is official but all the Exes for Windows are being reported as malicious software by Windows and the developer is being listed as ‘Zipline LLC.’” wrote PrinceOfNightSky. “And other times it's saying ‘The Water Team.’ The software is obviously by Appwork and I have to manually unblock it from Windows to run it, which I will not do. I ended up plugging in my flash drive and the setup file on that flash drive has the Jdownloader logo along with AppWork being listed as the developer…”
JDownloader developers quickly confirmed the breach and temporarily shut down the website to investigate.
“I can confirm that the site has been compromised, have taken it down for further investigation.” JDownloader developers replied to PrinceOfNightSky. “The attack has modified the alternative download page and exchanged links & details. The bad ones are missing a digital signature and as such SmartScreen will block/warn the execution of it. The correct ones are okay and have a proper digital signature in place.”
Attackers exploited an unpatched vulnerability in the site’s content management system, letting them modify download pages and replace legitimate installer links with malicious files. However, the attackers never gained full server or operating system access.
The incident only affected the Windows “Alternative Installer” links and the Linux shell installer. In-app updates, macOS downloads, Flatpak, Winget, Snap packages, and the main JAR package remained safe.
The developers advised users to verify installers through the “Digital Signatures” tab in the file's Properties dialog. Legitimate installers carry a valid signature from “AppWork GmbH”; unsigned files, or files signed by any other publisher, should not be trusted or run.
“In early May 2026, attackers succeeded in altering the official JDownloader website so that certain installer links published here were repointed from the genuine JDownloader installer downloads to unrelated malicious third-party files: on Windows, only the installer download links for “Download Alternative Installer” — not the other installers offered on jdownloader.org — and the Linux shell installer link from the site.” reads the notice on the incident. “Our genuine installer packages were not modified — only the targets of the download links published here pointed to the wrong files. Installer binaries continue to be hosted externally as usual. Once confirmed, those malicious link targets were removed, links were corrected back to the legitimate external hosts, and the security issue was fixed. The website stayed fully offline while analysis, remediation, and further verification were completed. In the night of 8th–9th May 2026 (UTC), after those checks, it was brought back online and normal public service resumed with verified clean installer links.”
According to the notice, attackers only modified content and download links through JDownloader’s CMS and never gained access to the underlying servers or operating system. The developers confirmed that jdownloader.org has now been secured and restored.
ANY.RUN analysis shows the malware execution chain, including an 8-minute delay before the malicious payload activates.
Below are the indicators of compromise (IOCs) for the attack:
- Initial delivered installer (SHA-256): 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3
- Stage 2 payload (SHA-256): 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80
- PyArmor encrypted blob (SHA-256): 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a
- hxxps://parkspringshotel[.]com/m/Lu6aeloo.php (most likely another compromised URL)
- hxxpx://auraguest[.]lk/m/douV2quu.php (most likely another compromised URL)
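The two checks described in this article, comparing a downloaded installer's SHA-256 against the published hashes and confirming the Authenticode signer is AppWork GmbH, can be combined into one triage script. The following is an added example written for this page; it is not part of the article, of AppWork's tooling, or of JDownloader. It assumes a Windows host with PowerShell for the signature check (it shells out to `Get-AuthenticodeSignature`, which exists in Windows PowerShell), and the verdict labels and the `assess`/`triage_file` function names are this example's own. The hash comparison works on any platform; note that the Linux shell installer carries no Authenticode signature, so on Linux only the hash check applies.

```python
import hashlib
import platform
import subprocess
from pathlib import Path

# SHA-256 IoCs as published in the article above.
KNOWN_BAD_SHA256 = {
    "5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3": "initial delivered installer",
    "77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80": "stage 2 payload",
    "5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a": "PyArmor encrypted blob",
}

# Publisher the developers say legitimate installers are signed by.
EXPECTED_SIGNER_CN = "CN=AppWork GmbH"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def ioc_match(digest: str):
    """Return the IoC label if the digest is a known-bad hash, else None."""
    return KNOWN_BAD_SHA256.get(digest.lower())


def authenticode_signer(path: Path):
    """Windows only: return (Status, SignerCertificate.Subject) via PowerShell.

    Returns None on other platforms, where this check is not available
    (assumption of this example: PowerShell is on PATH as 'powershell').
    """
    if platform.system() != "Windows":
        return None
    literal = str(path).replace("'", "''")  # escape for a single-quoted PS string
    script = (
        f"$s = Get-AuthenticodeSignature -LiteralPath '{literal}'; "
        "Write-Output ($s.Status.ToString() + '|' + [string]$s.SignerCertificate.Subject)"
    )
    out = subprocess.run(
        ["powershell", "-NoProfile", "-NonInteractive", "-Command", script],
        capture_output=True, text=True, check=False,
    ).stdout.strip()
    status, _, subject = out.partition("|")
    return status, subject


def assess(digest: str, signer):
    """Combine the hash and signature checks into one verdict.

    signer is (status, subject) from authenticode_signer(), or None when no
    signature check was possible. A known-bad hash wins over everything;
    otherwise an unsigned or differently signed file is untrusted, exactly as
    the developers advised.
    """
    label = ioc_match(digest)
    if label is not None:
        return "KNOWN_MALICIOUS", label
    if signer is None:
        return "UNVERIFIED", "no signature check available; compare the hash with a known-good copy"
    status, subject = signer
    if status == "Valid" and EXPECTED_SIGNER_CN in subject:
        return "OK", subject
    return "UNTRUSTED", f"status={status or 'NotSigned'} subject={subject or '(none)'}"


def triage_file(path) -> tuple:
    path = Path(path)
    return assess(sha256_of_file(path), authenticode_signer(path))


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        verdict, detail = triage_file(arg)
        print(f"{arg}: {verdict} ({detail})")
```

Run it as `python triage.py JDownloader2Setup.exe`. The decision logic lives in `assess`, separate from the platform-specific signature lookup, so the same rules can be exercised on any host and extended with hashes from later advisories by adding entries to `KNOWN_BAD_SHA256`.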
(SecurityAffairs – hacking, supply chain attack)