Hunt for trojanised JDownloader installers and unsigned Python child processes
From CTI Daily Brief — 2026-05-10 · published 2026-05-10
Inventory developer, power-user and multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or the "Alternative Installer" link (PiunikaWeb, 2026-05-08). Trojanised executables bear the forged publisher names "Zipline LLC", "The Water Team" or "Peace Team" instead of the legitimate AppWork GmbH signature. Hunt for unsigned Python interpreters in user-profile paths and for Python child processes spawned from JDownloader parent images (Sysmon EID 1 + parent-image filter). Winget, Flatpak and Snap installations were not poisoned.
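The parent-image hunt above, as an added sketch that is not part of the brief: it parses exported Sysmon EID 1 XML and flags Python images whose parent is a JDownloader image or which run from a user-profile path. Assumptions: the parent path contains "jdownloader", and every sample event, path and file name below is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PY_IMAGE = re.compile(r"\\python(w|\d[\d.]*)?\.exe$", re.I)
# Assumption: the JDownloader parent image has "jdownloader" somewhere in its path.
JD_PARENT = re.compile(r"jdownloader", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)

def parse_event(xml_text):
    """Return the EventData fields of a Sysmon EID 1 event, None for any other event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def classify(fields):
    """List the hunt conditions a process-creation event meets."""
    image, parent = fields.get("Image", ""), fields.get("ParentImage", "")
    reasons = []
    if PY_IMAGE.search(image):
        if JD_PARENT.search(parent):
            reasons.append("python-child-of-jdownloader")
        # EID 1 has no signature field: this is a candidate for a separate signature check.
        if USER_PROFILE.match(image):
            reasons.append("python-in-user-profile")
    return reasons

def hunt(events):
    """Return (Image, ParentImage, reasons) for every event that meets a condition."""
    hits = []
    for xml_text in events:
        fields = parse_event(xml_text)
        reasons = classify(fields) if fields is not None else []
        if reasons:
            hits.append((fields["Image"], fields.get("ParentImage", ""), reasons))
    return hits

def make_event(event_id, image, parent):  # minimal event; real ones carry more fields
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="ParentImage">{parent}</Data></EventData></Event>')

SAMPLE = [  # constructed events, not taken from the brief
    make_event(1, r"C:\Users\dev1\AppData\Local\rt\python.exe", r"C:\Users\dev1\Downloads\JDownloader2Setup.exe"),
    make_event(1, r"C:\Program Files\Python312\python.exe", r"C:\Windows\System32\cmd.exe"),
    make_event(1, r"C:\Users\dev2\AppData\Roaming\py\pythonw.exe", r"C:\Windows\explorer.exe"),
    make_event(3, r"C:\Users\dev1\AppData\Local\rt\python.exe", r"C:\Users\dev1\Downloads\JDownloader2Setup.exe"),
]
```

`hunt(SAMPLE)` returns the first and third events; a hit tagged only `python-in-user-profile` still needs its signature verified on the host or through image-load telemetry.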