Attack Chain

1. Attackers gained unauthorized access to JDownloader’s website CMS.
2. On May 5, 23:55 UTC, the attackers tested their approach on a low-traffic page.
3. On May 6, ~00:01 UTC, live download links for the Windows “Alternative Installer” variants and the Linux shell installer were repointed to attacker-controlled files hosted externally.
4. A user visiting jdownloader.org and clicking one of the affected download links received a malicious installer silently replacing the legitimate one.
5. On Windows, the malicious executable lacks the AppWork GmbH code signature but proceeds to execute as an installer; on Linux, the shell script runs harmful commands inline during installation.
6. The RAT is deployed, providing attackers with persistent remote access to the victim system.
7. On May 7, 17:06 UTC, the compromise was reported via Reddit; JDownloader shut down their servers at 17:24 UTC to stop distribution.
8. Clean, verified installers were restored on May 8–9 UTC.

Impact

Any user who downloaded and executed a JDownloader installer via the website’s “Alternative Installer” or Linux shell links between May 6 00:01 UTC and May 7 17:24 UTC should consider their system fully compromised. The deployed RAT grants attackers remote command execution, enabling credential theft, lateral movement, data exfiltration, and persistence. The JDownloader team explicitly recommends a clean OS reinstall for affected systems and warns against performing sensitive operations (banking, password management) until a clean environment is confirmed. Users who installed via the standard (non-alternative) Windows installer, macOS installer, or used in-app updates are not affected.

Recommendation

• If JDownloader was installed during May 6–7, 2026 via the “Alternative Installer” or Linux shell links, perform a clean OS reinstall — do not attempt to remove the malware in-place.
• Change all passwords (email, banking, credentials managers) from a separate, verified-clean device before accessing any accounts on the potentially compromised system.
• Block the IOC hashes listed above in your EDR and file integrity monitoring tooling.
• Deploy the Sigma rule “Execution of Known Malicious JDownloader Installer by Hash” to identify any historical execution of these installers in your environment.
• Deploy the Sigma rule “Unsigned JDownloader Installer Execution” as an ongoing detection for future cases where JDownloader is installed without AppWork GmbH’s code signature.
• Verify JDownloader installations in your estate by checking installer hashes or confirming the code signature on the JDownloader2Setup_*.exe binary against the AppWork GmbH certificate.