ctipilot.ch · Switzerland · Europe · Public sector

JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window)

incident · incident:jdownloader-supply-chain-2026

First covered
2026-05-10
Last covered
2026-05-10
Appearances
1

Story timeline

  1. 2026-05-10 · CTI Daily Brief — 2026-05-10
    active-threats · First coverage. AppWork GmbH site compromised 2026-05-06 → 2026-05-08 via access-control flaw. Windows/Linux installers replaced with Python-based RAT payload. Trojanised executables signed with forged 'Zipline LLC'/'The Water Team'/'Peace Team' publisher names — SmartScreen warnings helped detect. JAR/in-app updater/macOS bundle/Winget/Flatpak/Snap not affected. Capability description reduced-confidence (BleepingComputer article 403).

Items in briefs about JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window) (2)

JDownloader official site compromised — Windows and Linux installers swapped for a Python RAT for ~48 hours

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

The official download page of JDownloader, a German-developed (AppWork GmbH) Java-based download manager popular across European user bases, was compromised between approximately 2026-05-06 and 2026-05-08; attackers replaced the Windows and Linux installers with malicious counterparts (PiunikaWeb, 2026-05-08 · CyberKendra, 2026-05-07). The intrusion exploited an unpatched access-control flaw in the site's content-management layer, allowing unauthenticated modification of download-link targets without altering the main JAR, the in-app updater, the macOS bundle, or the package-manager distributions (Winget, Flatpak, Snap). Trojanised Windows executables bore forged publisher names — "Zipline LLC", "The Water Team", "Peace Team" — instead of the legitimate AppWork GmbH signature, triggering Windows SmartScreen warnings that helped some users detect the substitution before execution. The substituted installers are described in available reporting as carrying a Python-based remote-access payload; the precise capability description has not been corroborated by a named research lab in this run's window (see § 7). The JDownloader team confirmed the breach and has asked users to verify file hashes against the project's published SHA-256 manifest.

ATT&CK mapping: T1195.002 Supply Chain Compromise: Software Supply Chain, T1036.005 Match Legitimate Name (forged AppWork-adjacent publisher names), T1059.006 Python for the RAT runtime.

Defender takeaway: Audit endpoints — particularly developer / power-user / multimedia-engineering workstations across DACH — for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site. Hunt for unsigned or non-AppWork-signed JDownloader*.exe and unexpected Python interpreters in user-profile paths; alert on Python child processes spawned from JDownloader* parent images (Sysmon EID 1 + parent-image filter). Installations obtained via Winget / Flatpak / Snap need not be inventoried for this hunt (those distributions were not poisoned in this window); the trojanised path was specifically the project's web-hosted installer and "Alternative Installer" download links.

Hunt for trojanised JDownloader installers and unsigned Python child processes

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Inventory developer / power-user / multimedia-engineering workstations across DACH for JDownloader installers downloaded between 2026-05-06 and 2026-05-08 from the official site or "Alternative Installer" link (PiunikaWeb, 2026-05-08). Trojanised executables bear forged publisher names "Zipline LLC", "The Water Team", "Peace Team" instead of the legitimate AppWork GmbH signature. Hunt for unsigned Python interpreters in user-profile paths and Python child processes spawned from JDownloader parent images (Sysmon EID 1 + parent-image filter). Winget / Flatpak / Snap installations were not poisoned.
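The two hunt items above, and the hash-verification request in the first brief item, can be turned into a small offline triage script. The following is an added example written for this page, not tooling from the JDownloader project or from the brief's sources. It assumes Sysmon-style process-creation records (EID 1) with the field names Image, ParentImage, Signature and UtcTime; the event values, the installer bytes and the SHA-256 manifest are constructed here for illustration. It flags the three conditions the brief names (Python child of a JDownloader parent image, JDownloader image not signed by AppWork GmbH or carrying one of the reported forged names, Python interpreter running from a user-profile path) and checks an installer against a manifest entry with a constant-time comparison.

```python
"""Added example: triage of Sysmon-style EID 1 records for the JDownloader installer
substitution described in the brief, plus SHA-256 manifest verification.

All sample data below is constructed; field names follow Sysmon's ProcessCreate schema.
"""
import hashlib
import hmac
from pathlib import PurePath

LEGIT_SIGNER = "AppWork GmbH"  # legitimate publisher named in the brief
FORGED_SIGNERS = {"Zipline LLC", "The Water Team", "Peace Team"}  # forged names reported
WINDOW_START, WINDOW_END = "2026-05-06", "2026-05-08"  # substitution window from the brief


def _basename(path: str) -> str:
    # PurePath on POSIX splits only on '/', so normalise Windows separators first.
    return PurePath(path.replace("\\", "/")).name.lower()


def is_jdownloader_image(path: str) -> bool:
    # Matches JDownloader*.exe installers and the Linux installer name alike.
    return _basename(path).startswith("jdownloader")


def is_python_image(path: str) -> bool:
    # python.exe, pythonw.exe, python3, python3.12 ...
    return _basename(path).startswith("python")


def in_user_profile(path: str) -> bool:
    p = path.replace("\\", "/").lower()
    return "/users/" in p or p.startswith("/home/")


def in_window(utc_time: str) -> bool:
    # Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS.mmm'; ISO dates compare correctly as strings.
    # First execution time is used here as a proxy for the download date.
    return WINDOW_START <= utc_time[:10] <= WINDOW_END


def triage_event(ev: dict) -> list[str]:
    """Return the list of hunt conditions a single EID 1 record satisfies (empty if benign)."""
    reasons = []
    if is_jdownloader_image(ev.get("ParentImage", "")) and is_python_image(ev["Image"]):
        reasons.append("python child spawned by JDownloader parent image")
    if is_jdownloader_image(ev["Image"]):
        signer = ev.get("Signature", "")
        if signer in FORGED_SIGNERS:
            reasons.append(f"known forged publisher name: {signer}")
        elif signer != LEGIT_SIGNER:
            reasons.append(f"JDownloader image not signed by {LEGIT_SIGNER}: {signer or 'unsigned'}")
    if is_python_image(ev["Image"]) and in_user_profile(ev["Image"]):
        reasons.append("python interpreter running from a user-profile path")
    return reasons


def hunt(events: list[dict]) -> list[dict]:
    """Run triage_event over a batch of records and keep only the hits."""
    findings = []
    for ev in events:
        reasons = triage_event(ev)
        if reasons:
            findings.append({"utc_time": ev["UtcTime"], "image": ev["Image"],
                             "in_window": in_window(ev["UtcTime"]), "reasons": reasons})
    return findings


def verify_against_manifest(installer_bytes: bytes, manifest: dict, filename: str) -> bool:
    """True only if SHA-256(installer) matches the manifest entry for that filename."""
    expected = manifest.get(filename)
    if expected is None:
        return False  # unknown file name: treat as unverified, not as trusted
    actual = hashlib.sha256(installer_bytes).hexdigest()
    return hmac.compare_digest(actual.lower(), expected.lower())


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2026-05-04 09:12:01.000",  # benign: legitimately signed, before the window
     "Image": r"C:\Users\alice\Downloads\JDownloader2Setup_x64.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signature": "AppWork GmbH"},
    {"UtcTime": "2026-05-07 14:03:55.112",  # suspicious: forged signer, inside the window
     "Image": r"C:\Users\bob\Downloads\JDownloader2Setup_x64.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signature": "Zipline LLC"},
    {"UtcTime": "2026-05-07 14:04:10.490",  # suspicious: python child of the installer
     "Image": r"C:\Users\bob\AppData\Local\Temp\runtime\pythonw.exe",
     "ParentImage": r"C:\Users\bob\Downloads\JDownloader2Setup_x64.exe", "Signature": ""},
    {"UtcTime": "2026-05-07 15:00:00.000",  # benign: system-wide interpreter, ordinary parent
     "Image": r"C:\Python312\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "Signature": "Python Software Foundation"},
]

# Constructed installer bytes and manifest; a real manifest would come from the project.
SAMPLE_INSTALLER = b"constructed installer bytes, not a real JDownloader file"
SAMPLE_MANIFEST = {"JDownloader2Setup_x64.exe": hashlib.sha256(SAMPLE_INSTALLER).hexdigest()}

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["utc_time"], f["image"], "in-window" if f["in_window"] else "", f["reasons"])
    print("manifest match:", verify_against_manifest(SAMPLE_INSTALLER, SAMPLE_MANIFEST,
                                                     "JDownloader2Setup_x64.exe"))
```

The signer check deliberately separates the three reported forged names from the generic "not AppWork GmbH" case so an analyst can prioritise known-bad names first; the user-profile rule will also catch legitimate per-user Python installs, so it is a triage hint rather than a verdict on its own.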