JDownloader site breach swapped installers with Python RAT

JDownloader’s website was compromised May 6–7; attackers replaced two installers with a Python remote-access Trojan.

JDownloader’s official website was compromised between May 6 and May 7. Attackers replaced the Windows “Download Alternative Installer” and the Linux shell installer with a Python-based remote access Trojan. Other download options were not altered.

AppWork GmbH, the developer of JDownloader, confirmed the breach on May 7 and took the site offline for an investigation. The site was restored on May 8–9 after security patches were applied and server configurations were hardened. AppWork published verified, clean installer links when the site returned.

Security analysis found the malicious payload inside the swapped Windows installers and the compromised Linux shell installer. The altered installers did not carry AppWork GmbH’s digital signatures. Users who downloaded installers from the official site during May 6–7 are advised to verify the signer on any installer file and to run a full system scan with an up-to-date anti-malware product.

Malwarebytes blocks domains linked to the RAT’s command-and-control activity, including parkspringhotel[.]com.

Investigators identified the entry point as an unpatched vulnerability in the site’s content management system that allowed attackers to modify access control lists without authentication. AppWork applied fixes to the CMS and changed server settings to prevent similar unauthorized changes.

The compromise was limited in scope. The macOS installer, standalone JAR files and packaged formats distributed through Flatpak, Winget and Snap were not modified during the intrusion. Users who obtained JDownloader through those channels or who updated via the program’s built-in updater during the breach window reportedly did not receive the infected files.

JDownloader is a download manager commonly used to automate downloads from file-hosting services, video sites and premium link generators. AppWork advised anyone who obtained installers from the official site on May 6 or May 7 to confirm the installer bears the AppWork GmbH signature and to scan affected systems for malware.
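As an added example (not from the article or from AppWork), the signer check the advice above calls for, written for the Windows installer: it treats the file as trustworthy only when the Authenticode signature is valid and the subject's organisation is AppWork GmbH. The function name and the sample download path in the usage line are hypothetical.

```powershell
# Added example (not from the article or AppWork): check that a downloaded
# JDownloader installer carries a valid Authenticode signature from AppWork GmbH.
# Assumes: the path is supplied by the caller; "AppWork GmbH" is matched on the
# certificate subject's O= field (the organisation name given in the article).
function Test-JDownloaderInstallerSigner {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedOrg = 'AppWork GmbH'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the hash matches and the chain is trusted. An unsigned
    # replacement installer shows 'NotSigned'; a signed file modified after
    # signing shows 'HashMismatch'. Anything but 'Valid' is a failure.
    $statusOk = ($sig.Status -eq 'Valid')

    # Only trust the organisation name when the signature itself is valid; the
    # subject string alone can be copied into an untrusted certificate.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $orgOk = $statusOk -and
             ($subject -match ('(^|,\s*)O=' + [regex]::Escape($ExpectedOrg) + '(,|$)'))

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $subject
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        Trusted    = $orgOk
    }
}

# Usage (hypothetical file name): inspect the Trusted field before running the installer.
# Test-JDownloaderInstallerSigner -Path "$env:USERPROFILE\Downloads\JDownloaderSetup.exe"
```

The Linux shell installer carries no Authenticode signature, so this check does not apply to it; for that file, re-download from the clean links AppWork published when the site returned rather than keeping a copy obtained during the breach window.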
