JDownloader Site Hacked, Installers Swapped with Python RAT Malware

The official website for JDownloader — a widely used open-source download manager — was compromised on May 6, 2026, with attackers replacing the Windows and Linux installers with a Python-based remote access trojan (RAT). Users who downloaded JDownloader directly from the official site between May 6 and May 7, 2026, are advised to treat their systems as fully compromised and consider a complete operating system reinstall.

JDownloader Supply Chain Attack: Technical Details

The attackers exploited an unpatched vulnerability in JDownloader's website that allowed them to modify the site's access control lists and replace file content without authentication. This access gave them the ability to silently swap legitimate installer files with malicious ones served directly to unsuspecting users.

Before executing the live attack, the threat actors conducted a test run against a dummy site on May 5, 2026, at 23:55 UTC. The live attack began at 00:01 UTC on May 6, 2026. The compromise went undetected for approximately 24 hours until a Reddit user identified the malicious files on May 7. JDownloader's developers took the website offline immediately upon confirmation of the breach.

Windows payload. The malicious Windows installer deployed a heavily obfuscated Python-based RAT (Remote Access Trojan — malware that gives attackers persistent remote control over an infected system) with modular bot capabilities that accept commands from attacker-controlled C2 infrastructure. One immediate red flag: the installer was signed with suspicious publisher names — "Zipline LLC", "The Water Team", and "Peace Team" — rather than the legitimate publisher certificate belonging to "AppWork GmbH". Windows SmartScreen flagged these files, but users who clicked through the warning or did not inspect the signature installed the RAT silently alongside a functioning copy of JDownloader.

Linux payload. The Linux installer was replaced with a malicious shell script that deployed two ELF (Executable and Linkable Format — the standard binary format for Linux executables) binaries named pkg and systemd-exec. Both binaries used Pyarmor obfuscation — a Python code protection tool that makes reverse engineering significantly harder — to conceal the malware's functionality. The malware establishes persistence by dropping /etc/profile.d/systemd.sh, a location whose scripts are sourced at every user login, and masquerades as /usr/libexec/upowerd, mimicking the name of a common Linux power management daemon to blend into the running process list.

Two C2 (command-and-control — the remote server attackers use to issue instructions and receive data from infected machines) servers were identified in the malicious payloads:

  • parkspringshotel[.]com/m/Lu6aeloo.php
  • auraguest[.]lk/m/douV2quu.php

The RAT's modular architecture means its capabilities can be extended remotely after the initial infection. At minimum, the attackers can execute arbitrary commands on compromised systems. Depending on what modules were deployed post-infection, data exfiltration, keylogging, credential theft, and lateral movement are all plausible outcomes.

Exploitation Status and Threat Landscape

The attack window ran for approximately 24 hours — from May 6, 2026, at roughly 00:01 UTC to the point of public discovery on May 7. Any user who downloaded the Windows or Linux installers directly from the JDownloader website during this window should assume full system compromise.

No CVE (Common Vulnerabilities and Exposures — the industry-standard identifier for catalogued security flaws) has been assigned to the website vulnerability exploited in this attack. No threat actor has been publicly attributed to the campaign at time of writing. No CISA KEV (Known Exploited Vulnerabilities — the U.S. government's authoritative list of actively exploited flaws) entry has been created, as the underlying issue is website-specific rather than a catalogued product vulnerability.

This attack is the third confirmed software supply chain compromise in recent weeks, following similar incidents affecting Daemon Tools and CPU-Z/HWMonitor. Attackers are increasingly targeting trusted software distribution channels as a high-yield infection vector — one that bypasses endpoint controls entirely because the user actively executes the payload themselves.

Who Is Affected

The following users are at risk:

  • Anyone who downloaded JDownloader using the Windows "Download Alternative Installer" links from the official website between May 6, 2026, 00:01 UTC and May 7, 2026
  • Anyone who ran the Linux shell installer from the official website during the same window

The following installation paths are not affected:

  • macOS installers
  • In-app automatic updates (served from a separate, digitally signed server independent of the compromised website)
  • Flatpak installations
  • Snap package installations
  • Winget installations
  • Users who downloaded the main JAR package directly

JDownloader is a popular open-source tool used by security researchers, developers, and general users for automating large or complex downloads. While no specific download count for the compromised window has been disclosed by the developers, the software's broad user base means the potential exposure is substantial.

What You Should Do Right Now

  • Determine if you downloaded during the window. Check your browser's download history for any JDownloader installer downloaded on May 6 or May 7, 2026, from the official site (jdownloader.org or any mirror).
  • Check the installer's publisher certificate on Windows. Right-click the downloaded .exe, select Properties → Digital Signatures. If the listed publisher is "Zipline LLC", "The Water Team", or "Peace Team" rather than "AppWork GmbH", the file is malicious.
  • On Linux, check for persistence indicators. Run the following commands to detect signs of compromise:

# login-time persistence script dropped by the Linux payload
ls /etc/profile.d/systemd.sh
# the [u] bracket keeps grep from matching its own command line
ps aux | grep '[u]powerd'
# binary masquerading as the upower daemon
ls /usr/libexec/upowerd

If systemd.sh exists in /etc/profile.d/, or you see a suspicious upowerd process or binary, your system is compromised.

  • If compromised, reinstall your operating system. JDownloader's developers have explicitly recommended OS reinstallation for affected users. Given the RAT's arbitrary code execution capability and modular architecture, disinfection is unreliable — there is no guarantee all persistence mechanisms can be found and removed without a clean install.
  • Block the C2 domains at your firewall or DNS resolver. If you manage endpoints that may have been exposed, block outbound connections to:
      • parkspringshotel[.]com
      • auraguest[.]lk
  • Rotate all credentials present on the affected system. SSH keys, browser-stored passwords, API tokens, VPN credentials, and any secrets stored in environment files should be treated as stolen and rotated immediately.
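The Linux persistence check and the C2 domain block above can be folded into one triage script. The following is an added example written for this article; it is not code from the article or from the JDownloader project. It assumes an optional root-prefix argument (so the same check can be pointed at a mounted disk image instead of the live system), a resolver log with one query per line, and a constructed sample log; the function names are this example's own. The package-ownership check is included because the genuine upower daemon ships at /usr/libexec/upowerd on several distributions, so the file's mere existence is not enough on its own.

```shell
#!/bin/sh
# Added example (not code from the article or from the JDownloader project).
# Defender-side triage for the Linux indicators and the C2 domains named in
# the article. Assumptions: the optional ROOT prefix for scanning a mounted
# image, the resolver log format, and the sample log itself.

# The two C2 domains from the article, kept defanged so the script is inert
# when pasted into tickets or documents.
JD_C2_DOMAINS="parkspringshotel[.]com auraguest[.]lk"

# Turn a defanged domain ("host[.]tld") back into a matchable string.
refang() {
  printf '%s\n' "$1" | sed 's/\[\.]/./g'
}

# Returns 0 if dpkg or rpm claims the file. The legitimate upower daemon
# lives at /usr/libexec/upowerd on several distributions, so package
# ownership is what separates it from a dropped binary of the same name.
file_owned_by_package() {
  if command -v dpkg >/dev/null 2>&1 && dpkg -S "$1" >/dev/null 2>&1; then
    return 0
  fi
  if command -v rpm >/dev/null 2>&1 && rpm -qf "$1" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Scan a filesystem tree (default "/") for the on-disk indicators.
# Prints each hit and returns the number of indicators found (0 = clean).
scan_jd_linux_iocs() {
  root="${1%/}"
  hits=0
  if [ -e "$root/etc/profile.d/systemd.sh" ]; then
    echo "IOC: $root/etc/profile.d/systemd.sh (sourced at every login)"
    hits=$((hits + 1))
  fi
  if [ -e "$root/usr/libexec/upowerd" ] \
     && ! file_owned_by_package "$root/usr/libexec/upowerd"; then
    echo "IOC: $root/usr/libexec/upowerd is not owned by any package"
    hits=$((hits + 1))
  fi
  return "$hits"
}

# List running upowerd processes with the binary each was started from,
# which a plain "ps aux | grep" does not tell you.
report_upowerd_processes() {
  for pid in $(pgrep -x upowerd 2>/dev/null); do
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    echo "upowerd pid=$pid exe=$exe"
  done
}

# Print every line of a DNS/proxy/firewall log that names a C2 domain.
# Returns 0 if anything matched, 1 otherwise (grep's own convention).
grep_c2_hits() {
  pattern=""
  for d in $JD_C2_DOMAINS; do
    re=$(refang "$d" | sed 's/\./\\./g')      # literal dots for grep -E
    pattern="${pattern:+$pattern|}$re"
  done
  grep -E -- "$pattern" "$1"
}

# Constructed sample resolver log (not real telemetry) so the domain check
# can be exercised offline.
SAMPLE_DNS_LOG=$(mktemp)
cat > "$SAMPLE_DNS_LOG" <<'EOF'
2026-05-06T01:12:03Z client=10.0.0.12 query=example.org type=A
2026-05-06T01:12:09Z client=10.0.0.12 query=parkspringshotel.com type=A
2026-05-06T01:13:44Z client=10.0.0.31 query=example.com type=AAAA
2026-05-06T03:40:10Z client=10.0.0.12 query=auraguest.lk type=A
EOF

main() {
  echo "== on-disk indicators under ${1:-/} =="
  scan_jd_linux_iocs "${1:-/}" || echo "-> $? indicator(s) found; treat host as compromised"
  echo "== running upowerd processes =="
  report_upowerd_processes
  echo "== C2 lookups in sample log =="
  grep_c2_hits "$SAMPLE_DNS_LOG" || echo "(none)"
}
main "$@"
```

Run it with no argument on the live host, or with the mount point of an offline image as the first argument. A non-zero count from scan_jd_linux_iocs or any hit from grep_c2_hits on your real resolver logs should route straight to the reinstall and credential-rotation steps above rather than to manual cleanup.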

Background: Understanding the Risk

Software supply chain attacks are among the most damaging attack categories because they weaponize trust. When a user downloads software from an official website, they extend an implicit level of trust — they expect the file to be exactly what the vendor says it is. An attacker who compromises that distribution point bypasses every endpoint security control the victim may have, because the user is actively executing what they believe is a legitimate installer, often with administrative privileges.

The JDownloader attack follows a well-established playbook: gain access to a software distribution server or website, replace the legitimate installer with a trojanized version, and wait. The malware installs with the same permissions a user would grant the real application — frequently including administrative or root rights — and immediately establishes command-and-control contact.

What makes this incident particularly notable is the deliberate preparation. The attacker ran a full test on a dummy site 24 hours before the live attack — a sign of methodical planning rather than opportunistic exploitation. The use of Pyarmor obfuscation on the Linux binaries, combined with a convincing masquerade as a standard system daemon, indicates an operational goal of durable, undetected access rather than a quick smash-and-grab.

The cluster of supply chain attacks targeting download managers and system utilities over the past three weeks — Daemon Tools, CPU-Z/HWMonitor, and now JDownloader — may indicate a coordinated campaign. Security teams should treat any recently installed download utility as a potential vector until verified, particularly in environments where users have administrative privileges and are accustomed to installing third-party tools.

Earlier high-profile supply chain incidents — including the 3CX supply chain compromise attributed to the Lazarus Group and the SolarWinds SUNBURST backdoor — demonstrated that implants delivered through trusted software can persist undetected for months when designed to mimic legitimate system processes. The JDownloader Linux payload's approach — masquerading as upowerd and loading via /etc/profile.d/ — follows exactly this pattern.

Conclusion

Any user who downloaded JDownloader from the official website on May 6 or May 7, 2026, should treat their system as compromised until proven otherwise. The single most important step is verifying whether you installed a malicious binary — check the certificate publisher on Windows and inspect for the persistence indicators on Linux — and if confirmed, proceed directly to a full operating system reinstall. The JDownloader website is now clean and safe to download from, but active remediation is required for any systems that were infected during the 24-hour window.

For any query contact us at contact@cipherssecurity.com
