JDownloader Hacked to Infect Users with New Python RAT

David kimber
May 11, 2026, 4 min read

A severe supply chain attack targeted JDownloader, the open-source download manager used by millions globally, in early May 2026. Threat actors compromised the official jdownloader.org website, replacing legitimate installer links with malicious files. These files delivered a fully functional Python-based remote access trojan to unsuspecting users.

Anyone who downloaded what they believed to be a standard installer during a narrow two-day window may have unknowingly installed a dangerous and persistent backdoor directly onto their machine.

The attack did not tamper with JDownloader’s actual software or its in-app update system. Instead, it targeted the website’s download links, specifically the “Download Alternative Installer” options for Windows and the Linux shell installer link.

Users who clicked those links between May 6th and 7th, 2026 received files that looked like the real thing but were in fact unsigned wrappers concealing a layered malicious payload. The deception was convincing enough that many users bypassed Windows SmartScreen warnings, believing the alerts to be nothing more than false positives.

Researchers and developers at jdownloader.org confirmed the compromise after a Reddit user named PrinceOfNightSky flagged suspicious behavior on May 7th, 2026, noting that the downloaded executables were being attributed to publishers called “Zipline LLC” and “The Water Team” rather than the legitimate developer AppWork GmbH.

The team took the website offline within hours, at 17:24 UTC, and began a full investigation. By the night of May 8th into May 9th, the site was restored with verified clean links after all malicious content was removed and server configurations were hardened against future abuse.

JDownloader Downloader Hacked

The attack was traced to an unpatched vulnerability in the website’s content management system, which allowed attackers to change access control lists without authentication and modify specific pages.

Logs revealed that the attackers even ran a dry run on a low-traffic test page on May 5th before swapping the live installer links the following day. The entire operation showed careful planning and patience, which is a hallmark of sophisticated threat actors operating with a clear intent to infect as many users as possible.

Community researcher Takia_Gecko performed deep technical analysis of the malicious installer samples and revealed a chilling level of sophistication. The fake installer was an unsigned wrapper that bundled the real, legitimate JDownloader installer alongside a second, XOR-encrypted malicious executable.

That hidden executable was decoded using the XOR key “ectb” to reveal a Windows x64 loader, which then decrypted further resources using the key “fywo” to unpack a PyArmor 8-protected Python 3.14 payload.

The final payload was a full remote access trojan framework written in Python. It used RSA-OAEP and AES-GCM encryption to communicate with its command-and-control servers, supported dead drop resolvers through platforms including Telegraph, Rentry, Codeberg, and onion addresses, and used RC4 encryption with the key “Chahgh4a” to decode live C2 URLs. The trojan hosted itself under pythonw.exe and gave attackers the ability to push and execute arbitrary Python code on any infected machine at will.

What Affected Users Should Do Now

The most critical piece of advice from jdownloader.org is clear: if you downloaded and ran one of the affected installers, perform a full clean reinstall of your operating system. Antivirus scans may catch some threats, but they cannot guarantee removal of every persistence mechanism the malware may have established.

Several users who ran full scans with tools including Malwarebytes and Windows Defender Offline found no detections, which suggests the malware is capable of hiding its presence effectively on compromised systems.

If you still have the downloaded file and have not run it, do not execute it. Instead, verify the digital signature by right-clicking the file, going to Properties, and checking the Digital Signatures tab.

Genuine JDownloader installers are signed by AppWork GmbH. Any unknown publisher or a missing signature is a strong red flag. Until you are confident your system is clean, avoid logging into sensitive accounts from the affected machine and change all important passwords from a separate, trusted device.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| SHA256 | 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af | Malicious Linux shell installer (JDownloader2Setup_unix_nojre.sh, 7,934,496 bytes) |
| SHA256 | fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9 | Malicious Windows AMD64 installer v11.0.30 (104,910,336 bytes) |
| SHA256 | 04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495 | Malicious Windows AMD64 installer v17.0.18 (101,420,032 bytes) |
| SHA256 | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 | Malicious Windows AMD64 installer v1.8.0.482 (61,749,248 bytes) |
| SHA256 | 32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805 | Malicious Windows AMD64 installer v21.0.10 (107,124,736 bytes) |
| SHA256 | de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e | Malicious Windows x86 installer v11.0.29 (87,157,760 bytes) |
| SHA256 | e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16 | Malicious Windows x86 installer v17.0.17 (86,576,128 bytes) |
| SHA256 | 4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c | Malicious Windows x86 installer v1.8.0.472 (62,498,304 bytes) |
| URL | https://parkspringshotel[.]com/m/Lu6aeloo.php | Live C2 server URL decoded via RC4 key “Chahgh4a” |
| URL | https://auraguest[.]lk/m/douV2quu.php | Live C2 server URL decoded via RC4 key “Chahgh4a” |
| Registry Key | HKCU\SOFTWARE\Python | Persistence config staging location used by the loader |
| Process | pythonw.exe | Host process for the resident Python RAT payload |
| XOR Key | ectb | Key used to decrypt the malicious PE from the wrapper resource |
| XOR Key | fywo | Key used to decrypt obfuscated PyArmor resources in the loader |
| RC4 Key | Chahgh4a | Key used to decrypt dead drop C2 resolver content |
| Publisher (Fake) | Zipline LLC | Fraudulent code-signing publisher observed on the malicious installer |
| Publisher (Fake) | The Water Team | Second fraudulent publisher name seen on the malicious installer |
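As an added example (not code from the article or from jdownloader.org), the following Python triage helper hashes downloaded installer files and matches them against the SHA256 indicators in the table above, and provides the defang/refang conversion the note below describes so the URL indicators can be loaded into a SIEM without accidental resolution. Function names are this example's own.

```python
import hashlib
import sys
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

# SHA256 indicators from the article's IoC table (lower-case hex -> description).
IOC_SHA256 = {
    "6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af": "Malicious Linux shell installer",
    "fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9": "Malicious Windows AMD64 installer v11.0.30",
    "04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495": "Malicious Windows AMD64 installer v17.0.18",
    "5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3": "Malicious Windows AMD64 installer v1.8.0.482",
    "32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805": "Malicious Windows AMD64 installer v21.0.10",
    "de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e": "Malicious Windows x86 installer v11.0.29",
    "e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16": "Malicious Windows x86 installer v17.0.17",
    "4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c": "Malicious Windows x86 installer v1.8.0.472",
}

def sha256_file(path, chunk_size=1 << 20) -> str:
    # Stream the file so a 100 MB installer is not read into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def match_ioc(digest: str):
    # Return the IoC description for a digest, or None if it is not listed.
    return IOC_SHA256.get(digest.strip().lower())

def scan_paths(paths):
    # Hash each existing file and return (path, digest, description) for matches.
    hits = []
    for p in map(Path, paths):
        if p.is_file():
            digest = sha256_file(p)
            desc = match_ioc(digest)
            if desc:
                hits.append((str(p), digest, desc))
    return hits

def refang(indicator: str) -> str:
    # Undo "[.]" defanging so the value can be loaded into MISP or a SIEM.
    return indicator.replace("[.]", ".")

def defang(url: str) -> str:
    # Defang only the host part of a URL; the path stays readable.
    parts = urlsplit(refang(url))
    return urlunsplit(parts._replace(netloc=parts.netloc.replace(".", "[.]")))

if __name__ == "__main__":
    for path, digest, desc in scan_paths(sys.argv[1:]):
        print(f"MATCH {path} {digest} {desc}")
```

Run it with the paths of any JDownloader installers downloaded during the affected window; a hash match is confirmation, but no match does not prove a file is clean, since the signature check described above still applies.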

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
