{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jdownloader/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","rat","windows","linux","jdownloader"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJDownloader, a widely used open-source download manager, had its official website compromised between May 5–7, 2026. Attackers gained access to the site\u0026rsquo;s CMS and repointed specific installer download links to malicious third-party files — they did not modify the legitimate installer packages themselves, only the links serving them. The affected download paths were the Windows \u0026ldquo;Download Alternative Installer\u0026rdquo; links and the Linux shell-based installer. Both Windows and Linux variants contained a Remote Access Trojan (RAT); the Windows executables additionally lack the legitimate \u0026ldquo;AppWork GmbH\u0026rdquo; code signature present on all genuine JDownloader installers. 
Crucially, in-app updates were unaffected because JDownloader\u0026rsquo;s update mechanism uses RSA signature verification.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttackers gained unauthorized access to JDownloader\u0026rsquo;s website CMS.\u003c/li\u003e\n\u003cli\u003eOn May 5, 23:55 UTC, the attackers tested their approach on a low-traffic page.\u003c/li\u003e\n\u003cli\u003eOn May 6, ~00:01 UTC, live download links for the Windows \u0026ldquo;Alternative Installer\u0026rdquo; variants and the Linux shell installer were repointed to attacker-controlled files hosted externally.\u003c/li\u003e\n\u003cli\u003eA user visiting jdownloader.org and clicking one of the affected download links received a malicious installer silently replacing the legitimate one.\u003c/li\u003e\n\u003cli\u003eOn Windows, the malicious executable lacks the AppWork GmbH code signature but proceeds to execute as an installer; on Linux, the shell script runs harmful commands inline during installation.\u003c/li\u003e\n\u003cli\u003eThe RAT is deployed, providing attackers with persistent remote access to the victim system.\u003c/li\u003e\n\u003cli\u003eOn May 7, 17:06 UTC, the compromise was reported via Reddit; JDownloader shut down their servers at 17:24 UTC to stop distribution.\u003c/li\u003e\n\u003cli\u003eClean, verified installers were restored on May 8–9 UTC.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny user who downloaded and executed a JDownloader installer via the website\u0026rsquo;s \u0026ldquo;Alternative Installer\u0026rdquo; or Linux shell links between May 6 00:01 UTC and May 7 17:24 UTC should consider their system fully compromised. The deployed RAT grants attackers remote command execution, enabling credential theft, lateral movement, data exfiltration, and persistence. 
The JDownloader team explicitly recommends a clean OS reinstall for affected systems and warns against performing sensitive operations (banking, password management) until a clean environment is confirmed. Users who installed via the standard (non-alternative) Windows installer, macOS installer, or used in-app updates are not affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf JDownloader was installed during May 6–7, 2026 via the \u0026ldquo;Alternative Installer\u0026rdquo; or Linux shell links, perform a clean OS reinstall — do not attempt to remove the malware in place.\u003c/li\u003e\n\u003cli\u003eChange all passwords (email, banking, credential managers) from a separate, verified-clean device before accessing any accounts on the potentially compromised system.\u003c/li\u003e\n\u003cli\u003eBlock the IOC hashes listed above in your EDR and file integrity monitoring tooling.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution of Known Malicious JDownloader Installer by Hash\u0026rdquo; to identify any historical execution of these installers in your environment.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Unsigned JDownloader Installer Execution\u0026rdquo; as an ongoing detection for future cases where JDownloader is installed without AppWork GmbH\u0026rsquo;s code signature.\u003c/li\u003e\n\u003cli\u003eVerify JDownloader installations in your estate by checking installer hashes or confirming the code signature on the \u003ccode\u003eJDownloader2Setup_*.exe\u003c/code\u003e binary against the AppWork GmbH certificate.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T00:00:00Z","date_published":"2026-05-11T00:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-10-jdownloader-supply-chain/","summary":"JDownloader's website was compromised on May 6-7, 2026, with download links repointed to malicious installers deploying a Remote 
Access Trojan on Windows and harmful shell commands on Linux. Users who installed from affected links should treat the system as fully compromised and perform a clean OS reinstall.","title":"JDownloader Website Compromised to Serve Malicious Installers","url":"https://feed.craftedsignal.io/briefs/2026-10-jdownloader-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — Jdownloader","version":"https://jsonfeed.org/version/1.1"}