ctipilot.ch

JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window)

incident · incident:jdownloader-supply-chain-2026

Coverage timeline: 2 appearances, first 2026-05-10 → last 2026-05-10
Briefs: 2 (2 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 2 (active-threats, weekly_summary)
Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10
     Section: active-threats. First coverage. AppWork GmbH site compromised 2026-05-06 → 2026-05-08 via access-control flaw. Windows/Linux installers replaced with Python-based RAT payload. Trojanised executables signed with forged 'Zipline LLC'/'The Water Team'/'Peace Team' publisher names — SmartScreen warnings helped detect. JAR/in-app updater/macOS bundle/Winget/Flatpak/Snap not affected. Capability description reduced-confidence (BleepingComputer article 403).
  2. 2026-05-10 · CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026)
     Section: weekly_summary. Consolidated in weekly summary for week 2026-W19

Where this entity is cited

  • active-threats (1)
  • weekly_summary (1)

Source distribution

  • cyberkendra.com: 1 (50%)
  • piunikaweb.com: 1 (50%)

Related entities

Items in briefs about JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window) (3)

JDownloader official site compromised — Windows and Linux installers swapped for ~48 hours

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

The official download page of JDownloader (German-developed AppWork GmbH, Java-based download manager popular across European user bases) was compromised between approximately 2026-05-06 and 2026-05-08; attackers exploited an unpatched access-control flaw in the site's CMS layer to replace the Windows and Linux installer download links without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — triggering Windows SmartScreen warnings that helped some users detect the substitution. The substituted installers carry a Python-based remote-access payload; a more specific capability description has not been corroborated by a named research lab in available reporting. The JDownloader team confirmed the breach and asked users to verify file hashes against the project's published SHA-256 manifest (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07 · daily 2026-05-10). Defender takeaway: audit developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link; hunt for unsigned / non-AppWork-signed JDownloader*.exe, unexpected Python interpreters in user-profile paths, and Python child processes spawned from JDownloader parent images.

JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and has asked users to verify file hashes against the project's published SHA-256 manifest.
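The hash-verification step the team asked users to perform, written out as an added example (this is not AppWork's or ctipilot.ch's code). It assumes the manifest uses the common `sha256sum` layout, one `<hex digest>  <filename>` line per installer; the real manifest URL, file names and digests are not on this page, so the manifest and files below are constructed in a temporary directory. A file that is present but absent from the manifest is reported rather than ignored, because a swapped installer may also have been renamed.

```python
"""Verify downloaded installers against a SHA-256 manifest (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large installers are never fully loaded


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Blank lines, '#' comments and lines without a 64-hex digest are skipped;
    a leading '*' on the filename (sha256sum binary-mode marker) is dropped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def sha256_of(path):
    """Streaming SHA-256 of a file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(download_dir, manifest_text):
    """Return {filename: 'ok' | 'MISMATCH' | 'NOT_IN_MANIFEST'} for every file in download_dir."""
    expected = parse_manifest(manifest_text)
    results = {}
    for p in sorted(Path(download_dir).iterdir()):
        if not p.is_file():
            continue
        if p.name not in expected:
            results[p.name] = "NOT_IN_MANIFEST"
        elif sha256_of(p) == expected[p.name]:
            results[p.name] = "ok"
        else:
            results[p.name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: one genuine file, one tampered file, one file no manifest knows.

    File names and contents are made up for the example; they are not real artifacts.
    """
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "JDownloader2Setup_x64.exe").write_bytes(b"genuine installer bytes")
        (Path(d) / "JDownloader2Setup_x86.exe").write_bytes(b"tampered installer bytes")
        (Path(d) / "JD2_Alternative_Installer.exe").write_bytes(b"something else")
        # The x86 entry deliberately carries the digest of different bytes, so it must fail.
        manifest = "\n".join([
            "# constructed manifest",
            f"{hashlib.sha256(b'genuine installer bytes').hexdigest()}  JDownloader2Setup_x64.exe",
            f"{hashlib.sha256(b'original x86 bytes').hexdigest()}  *JDownloader2Setup_x86.exe",
        ])
        return verify_downloads(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:16} {name}")
```

Run against a real download folder, replace `demo()` with `verify_downloads("<folder>", <manifest text fetched over HTTPS from the project>)`; anything other than `ok` for an installer obtained in the 2026-05-06 to 2026-05-08 window should be treated as suspect and not executed.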

ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.

Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Installations obtained via Winget / Flatpak / Snap need not be treated as suspect (those distributions were not poisoned in this window) — the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.

Hunt for trojanised JDownloader installers and unsigned Python child processes

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Inventory developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link (PiunikaWeb, 2026-05-08). Trojanised executables bear forged publisher names "Zipline LLC", "The Water Team", "Peace Team" instead of the legitimate AppWork GmbH signature. Hunt for unsigned Python interpreters in user-profile paths and Python child processes spawned from JDownloader parent images (Sysmon EID 1 + parent-image filter). Winget / Flatpak / Snap installations were not poisoned.
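The Sysmon EID 1 parent-image hunt described in both defender takeaways above, as an added example (not code from the briefs or from AppWork). The events are constructed dictionaries shaped like Sysmon process-creation records (`EventID`, `Image`, `ParentImage`, `CommandLine`, `User`), as a SIEM export would present them. The per-user CPython install location used as an allow-list for the "Python in a user-profile path" rule is an assumption to be tuned per estate. The forged-publisher check takes an Authenticode subject string obtained separately (for instance from `Get-AuthenticodeSignature`), since EID 1 does not carry the signer.

```python
"""Hunt rules for the JDownloader installer swap (added example, constructed events)."""
import re
from collections import namedtuple

# Forged publisher names reported on the page, compared case-insensitively.
FORGED_PUBLISHERS = {"zipline llc", "the water team", "peace team"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe", "python", "python3"}
# Assumed allow-list: a per-user python.org install lives under this path by default.
ALLOWED_USER_PYTHON_DIRS = ("/appdata/local/programs/python/",)

Finding = namedtuple("Finding", "rule image parent user")


def _norm(path):
    """Lower-case and use '/' separators so Windows and Linux paths compare alike."""
    return path.replace("\\", "/").lower()


def _base(path):
    return _norm(path).rsplit("/", 1)[-1]


def is_user_profile_path(path):
    p = _norm(path)
    return p.startswith("c:/users/") or p.startswith("/home/")


def hunt_event(ev):
    """Apply both hunt rules to one EID 1 record; return a list of Finding (possibly empty)."""
    findings = []
    if ev.get("EventID") != 1:
        return findings
    image, parent, user = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("User", "")
    if _base(image) not in PYTHON_IMAGES:
        return findings
    # Rule 1: Python spawned by a JDownloader* parent image (installer or app).
    if _base(parent).startswith("jdownloader"):
        findings.append(Finding("python_child_of_jdownloader", image, parent, user))
    # Rule 2: interpreter running from a user-profile path outside the allow-listed install dir.
    if is_user_profile_path(image) and not any(a in _norm(image) for a in ALLOWED_USER_PYTHON_DIRS):
        findings.append(Finding("python_in_user_profile", image, parent, user))
    return findings


def hunt(events):
    out = []
    for ev in events:
        out.extend(hunt_event(ev))
    return out


def rule_counts(events):
    counts = {}
    for f in hunt(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def is_forged_publisher(subject):
    """True if a certificate subject (bare name or 'CN=..., O=...' DN) matches a forged name."""
    m = re.search(r"CN=([^,]+)", subject, re.IGNORECASE)
    name = m.group(1) if m else subject
    return name.strip().lower() in FORGED_PUBLISHERS


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\jd\python\pythonw.exe",
     "ParentImage": r"C:\Users\alice\Downloads\JDownloader2Setup.exe",
     "CommandLine": "pythonw.exe -c ...", "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "python.exe build.py", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Program Files\JDownloader\JDownloader2.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "JDownloader2.exe", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Users\bob\AppData\Local\Programs\Python\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "python.exe -m pip list", "User": r"CORP\bob"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\python.exe",
     "ParentImage": r"C:\Program Files\JDownloader\JDownloader2.exe",
     "CommandLine": "python.exe -c ...", "User": r"CORP\carol"},
    {"EventID": 1, "Image": "/usr/bin/python3", "ParentImage": "/opt/jdownloader/JDownloader2",
     "CommandLine": "python3 -c ...", "User": "dave"},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\jd\python\pythonw.exe",
     "ParentImage": "", "CommandLine": "", "User": r"CORP\alice"},  # network event, not EID 1
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:28} user={f.user} image={f.image} parent={f.parent}")
    print(rule_counts(SAMPLE_EVENTS))
```

Rule 1 is the higher-signal one: a JDownloader parent image has no business launching a Python interpreter, whether the parent is the downloaded installer or an installed `JDownloader2.exe`. Rule 2 will fire on legitimate user-profile interpreters (virtualenvs, Conda), so extend the allow-list from your own inventory before alerting on it.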