- Attackers exploited a CMS flaw to replace Windows and Linux installation links with malware-laden versions between May 6 and 7, 2026
- The poisoned installers deployed a Python-based RAT via a loader, while other distribution channels (macOS, JAR, Snap, etc.) remained secure
- AppWork advises verifying digital signatures (“AppWork GmbH”) to avoid tampered builds; the page has since been secured
Popular download manager JDownloader recently had its website hacked and hijacked to deploy malware to Windows and Linux users.
As explained by owner AppWork, unidentified attackers found a vulnerability in the site’s content management system (CMS) and used it to replace the download links with a few variants:
“Changes were made through the site’s content management system, affecting published pages and links,” AppWork said in its incident report. “The attacker did not gain access to the underlying server stack—in particular, no access to the host file system or broader operating system-level control beyond CMS-managed web content.”
Checking the digital signature
Anyone who clicked on the alternate Windows installer download links or the Linux shell installer link between May 6 and May 7, 2026, was redirected to a third-party server hosting a malicious version of the software. This version was poisoned to include a loader that deployed a heavily obfuscated, Python-built Remote Access Trojan (RAT).
Other downloads, including in-app updates, macOS downloads, Flatpak, Winget, Snap packages and the primary JDownloader JAR package were not tampered with, AppWork confirmed.
It also said the best way to make sure you’re using the right installer is to double-check its digital signature. This can be done by right-clicking on the executable, navigating to Properties and then the Digital Signatures tab. The program must show that it is signed by “AppWork GmbH”, otherwise it is definitely malware.
On Reddit, users who downloaded the tainted versions saw the developer listed as ‘Zipline LLC’ and ‘The Water Team’. Fortunately, Windows Defender marked the program as malicious, protecting users.
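The same signature check can be scripted for every installer in a folder. The following is an added example, not code from AppWork or its incident report; the function name `Test-InstallerSigner`, the Downloads path, the file name pattern, and the assumption that the certificate's simple name reads exactly "AppWork GmbH" are illustrative.

```powershell
# Added example: check the Authenticode signer of downloaded installers (Windows).
# Assumption: the signing certificate's simple name (CN) is exactly "AppWork GmbH",
# the publisher name the article says the Digital Signatures tab must show.
function Test-InstallerSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path,

        [string]$ExpectedSigner = 'AppWork GmbH'
    )
    process {
        foreach ($file in $Path) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $file
            $cert   = $sig.SignerCertificate
            $signer = $null
            if ($cert) {
                # SimpleName returns the certificate's common name without the rest of the DN.
                $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
                $signer   = $cert.GetNameInfo($nameType, $false)
            }

            # Both conditions must hold: the signature validates against the file
            # contents and a trusted chain, AND the signer is the expected publisher.
            # A valid signature from any other publisher is still a failure here.
            $trusted = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)

            [pscustomobject]@{
                File    = $file
                Status  = $sig.Status
                Signer  = if ($signer) { $signer } else { '(unsigned)' }
                SHA256  = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                Trusted = $trusted
            }
        }
    }
}

# Usage (hypothetical location and file name pattern):
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'JDownloader*.exe' |
    Test-InstallerSigner |
    Format-List File, Status, Signer, SHA256, Trusted
```

Any file reported with `Trusted : False` should not be run; the recorded SHA256 gives responders a stable identifier for the file when reporting or searching other machines.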
The website was temporarily shut down, allowing the company to close the hole and clean up links.
Via Bleeping Computer




