u/AsterPrivacy

JDownloader site got compromised May 6-7, served Python RAT as "Alternative Installer" links

In case y'all didn't see this last week. jdownloader.org was compromised May 6-7 from an unpatched CMS bug. Attackers modified ACLs without any auth and swapped download links for the Windows "Download Alternative Installer" and the Linux shell installer...

Main JAR, macOS, Flatpak, Winget, Snap, and in-app updates were all unaffected (the update channel uses RSA-signed verification, which held).

Payload was a Python-based RAT loader, heavily obfuscated with Pyarmor. On Linux it dropped to /root/.local/share/.pkg with persistence via /etc/profile.d/systemd.sh, masquerading as /usr/libexec/upowerd. A few users reported Defender and Malwarebytes scans came back clean post-infection, so AV alone is not reliable here.

Official guidance from AppWork is full OS reinstall plus password reset from a clean device for anyone who ran the bad installer in that window. Legit installers are signed by AppWork GmbH. Malicious ones showed "Zipline LLC" or "The Water Team" as the publisher.

C2s flagged by researchers:

  • parkspringshotel[.]com
  • auraguest[.]lk
  • checkinnhotels[.]com (Linux drop)

A few things I'm curious about:

  1. Anyone catch a user with this? JDownloader's not usually on the corporate allowlist but I've seen it on personal devices that touch the network.
  2. How do you sell the "AV came back clean, reinstall the OS anyway" guidance to non-technical users? Tough conversation without IOCs they can see themselves.
  3. Worth permanently blocklisting jdownloader.org on the filter, or overkill now that it's patched?

BleepingComputer has the technical writeup, and AppWork posted their own incident report on the site if anyone wants to check it out themselves.

u/AsterPrivacy — 6 days ago
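Added triage helper for the Linux artifacts named in the post (the /root/.local/share/.pkg drop, the /etc/profile.d/systemd.sh persistence script, and a process calling itself upowerd that runs from somewhere other than the real binary). This is my own sketch, not code from AppWork or the writeups; the legitimate upowerd install locations it accepts are an assumption. Run it as root on a live host, or point it at a mounted image for offline triage.

```shell
#!/bin/sh
# check_jd_linux_iocs [ROOT]
#   ROOT: filesystem root to inspect; "/" (default) means the live host,
#   anything else is treated as a mounted image and the process check is skipped.
# Returns 0 when nothing is found, 1 when at least one artifact is present.
check_jd_linux_iocs() {
    root=${1:-/}
    root=${root%/}             # "" now means the live root filesystem
    hits=0

    # file artifacts quoted in the post
    for p in /root/.local/share/.pkg /etc/profile.d/systemd.sh; do
        if [ -e "$root$p" ]; then
            echo "HIT: $root$p exists"
            hits=$((hits + 1))
        fi
    done

    # on a live host, look for anything named upowerd whose executable is not
    # under the distro's usual location (assumed: /usr/lib*/upowerd)
    if [ -z "$root" ]; then
        for comm in /proc/[0-9]*/comm; do
            [ -r "$comm" ] || continue
            [ "$(cat "$comm" 2>/dev/null)" = upowerd ] || continue
            pid=${comm#/proc/}; pid=${pid%/comm}
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || true)
            case "$exe" in
                /usr/lib*/upowerd) ;;
                *) echo "HIT: pid $pid calls itself upowerd but runs '$exe'"
                   hits=$((hits + 1)) ;;
            esac
        done
    fi

    if [ "$hits" -eq 0 ]; then
        echo "no artifacts from the jdownloader.org incident found under '${root:-/}'"
        return 0
    fi
    echo "$hits suspicious artifact(s) found; treat the host as compromised and rebuild"
    return 1
}
```

A clean scan is not proof of a clean host (the post already notes AV misses it); this only confirms the artifacts that were published.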