- Attackers exploited a CMS flaw to replace Windows and Linux installation links with malware-laden versions between May 6 and 7, 2026.
- The poisoned installers deployed a Python-based RAT via a loader, while other distribution channels (macOS, JAR, Snap, etc.) remained safe.
- AppWork recommends verifying digital signatures (“AppWork GmbH”) to avoid manipulated builds; the site has since been secured
Recently, popular download manager JDownloader had its website hacked and hijacked to deploy malware for Windows and Linux users.
As the owner AppWork explained, unidentified attackers found a vulnerability in the website’s content management system (CMS) and used it to change the download links to a couple of variants:
“The changes were made through the website’s content management system, affecting published pages and links,” AppWork said in its incident report. “The attacker did not gain access to the underlying server stack; in particular, he did not have access to the host file system or broader operating system-level control beyond web content managed by the CMS.”
Checking the digital signature
Anyone who clicked on the Windows installer alternative download links, or the Linux shell installer link, between May 6 and 7, 2026, was redirected to a third-party server hosting a malicious version of the software. This version was poisoned to include a loader that implemented a heavily obfuscated Python-built Remote Access Trojan (RAT).
Other downloads, including in-app updates, macOS downloads, Flatpak packages, Winget, Snap, and the main JDownloader JAR package were not tampered with, AppWork confirmed.
He also said that the best way to ensure you are using the correct installer is to verify its digital signature. This can be done by right-clicking on the executable, navigating to Properties, and then to the Digital Signatures tab. The program must prove that it is signed by “AppWork GmbH”, otherwise it is definitely malware.
On Reddit, users who downloaded the tainted versions saw the developer listed as “Zipline LLC” and “The Water Team.” Fortunately, Windows Defender marked the program as malicious, protecting users.
The website was temporarily shut down, allowing the company to plug the hole and clean up the links.
Through beepcomputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
