{"id":12756,"date":"2026-05-11T10:03:44","date_gmt":"2026-05-11T10:03:44","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/11\/jdownloader-downloader-hacked-to-infect-users-with-new-python-rat\/"},"modified":"2026-05-11T10:03:44","modified_gmt":"2026-05-11T10:03:44","slug":"jdownloader-downloader-hacked-to-infect-users-with-new-python-rat","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/11\/jdownloader-downloader-hacked-to-infect-users-with-new-python-rat\/","title":{"rendered":"JDownloader Downloader Hacked to Infect Users With New Python RAT"},"content":{"rendered":"<div>\n<p>JDownloader, the popular open-source download manager trusted by millions of users worldwide, was at the center of a serious supply chain attack in early May 2026. Attackers quietly compromised the official jdownloader.org website and replaced legitimate installer download links with malicious files carrying a fully functional Python-based remote access trojan. 
<\/p>\n<p>Anyone who downloaded what they believed to be a standard installer during a narrow two-day window may have unknowingly installed a dangerous and persistent backdoor directly onto their machine.<\/p>\n<p>The attack did not tamper with JDownloader\u2019s actual software or its in-app update system. 
Instead, it targeted the website\u2019s download links, specifically the \u201cDownload Alternative Installer\u201d options for Windows and the Linux shell installer link. <\/p>\n<p>Users who clicked those links between May 6th and 7th, 2026 received files that looked like the real thing but were in fact unsigned wrappers concealing a layered malicious payload. The deception was convincing enough that many users bypassed Windows SmartScreen warnings, believing the alerts to be nothing more than false positives.<\/p>\n<p><a href=\"https:\/\/jdownloader.org\/incident_8.5.2026.html?v=20260508277000\" id=\"https:\/\/jdownloader.org\/incident_8.5.2026.html?v=20260508277000\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Researchers and developers at jdownloader.org confirmed the compromise<\/a> after a Reddit user named PrinceOfNightSky flagged suspicious behavior on May 7th, 2026, noting that the downloaded executables were being attributed to publishers called \u201cZipline LLC\u201d and \u201cThe Water Team\u201d rather than the legitimate developer AppWork GmbH. <\/p>\n<p>The team took the website offline within hours, at 17:24 UTC, and began a full investigation. By the night of May 8th into May 9th, the site was restored with verified clean links after all malicious content was removed and server configurations were hardened against future abuse.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-jdownloader-downloader-hacked\"><strong>JDownloader Downloader Hacked<\/strong><\/h2>\n<p>The attack was traced to an unpatched vulnerability in the website\u2019s content management system, which allowed attackers to change access control lists without authentication and modify specific pages. 
<\/p>\n<p>Logs revealed that the attackers even ran a dry run on a low-traffic test page on May 5th before swapping the live installer links the following day. The entire operation showed careful planning and patience, which is a hallmark of sophisticated threat actors operating with a clear intent to infect as many users as possible.<\/p>\n<p>Community researcher Takia_Gecko performed deep technical analysis of the malicious installer samples and revealed a chilling level of sophistication. The <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-signed-logitech-installer-tclbanker\/\" id=\"149498\" target=\"_blank\" rel=\"noreferrer noopener\">fake installer was an unsigned wrapper that bundled the real, legitimate JDownloader installer<\/a> alongside a second, XOR-encrypted malicious executable. <\/p>\n<p>That hidden executable was decoded using the XOR key \u201cectb\u201d to reveal a Windows x64 loader, which then decrypted further resources using the key \u201cfywo\u201d to unpack a PyArmor 8-protected Python 3.14 payload.<\/p>\n<p>The final payload was a full remote access trojan framework written in Python. It used RSA-OAEP and <a href=\"https:\/\/cybersecuritynews.com\/securing-open-banking-apis-mitigating-risks-in-third-party-integrations\/\" id=\"140883\" target=\"_blank\" rel=\"noreferrer noopener\">AES-GCM encryption to communicate with its command-and-control servers<\/a>, supported dead drop resolvers through platforms including Telegraph, Rentry, Codeberg, and onion addresses, and used RC4 encryption with the key \u201cChahgh4a\u201d to decode live C2 URLs. The trojan hosted itself under pythonw.exe and gave attackers the ability to push and execute arbitrary Python code on any infected machine at will.<\/p>\n<h2 class=\"wp-block-heading\" id=\"what-affected-users-should-do-now\"><strong>What Affected Users Should Do Now<\/strong><\/h2>\n<p>The most critical piece of advice from jdownloader.org is clear: if you downloaded and ran one of the affected installers, perform a full clean reinstall of your operating system. 
Antivirus scans may catch some threats, but they cannot guarantee removal of every persistence mechanism the malware may have established. <\/p>\n<p>Several users who ran full scans with tools including Malwarebytes and <a href=\"https:\/\/cybersecuritynews.com\/windows-defender-enhancements\/\" id=\"106763\" target=\"_blank\" rel=\"noreferrer noopener\">Windows Defender Offline found no detections<\/a>, which suggests the malware is capable of hiding its presence effectively on compromised systems.<\/p>\n<p>If you still have the downloaded file and have not run it, do not execute it. Instead, verify the digital signature by right-clicking the file, going to Properties, and checking the Digital Signatures tab. <\/p>\n<p>Genuine JDownloader installers are signed by AppWork GmbH. Any unknown publisher or a missing signature is a strong red flag. Until you are confident your system is clean, avoid logging into sensitive accounts from the affected machine and change all important passwords from a separate, trusted device.<\/p>\n<p><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA256<\/td>\n<td><code>6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af<\/code><\/td>\n<td>Malicious Linux shell installer (JDownloader2Setup_unix_nojre.sh, 7,934,496 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>fb1e3fe4d18927ff82cffb3f82a0b4ffb7280c85db5a8a8b6f6a1ac30a7e7ed9<\/code><\/td>\n<td>Malicious Windows AMD64 installer v11.0.30 (104,910,336 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>04cb9f0bca6e0e4ed30bc92726590724bf60938440b3825252657d1b3af45495<\/code><\/td>\n<td>Malicious Windows AMD64 installer v17.0.18 (101,420,032 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3<\/code><\/td>\n<td>Malicious Windows AMD64 installer v1.8.0.482 (61,749,248 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>32891c0080442bf0a0c5658ada2c3845435b4e09b114599a516248723aad7805<\/code><\/td>\n<td>Malicious Windows AMD64 installer v21.0.10 (107,124,736 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n
<td><code>de8b2bdfc61d63585329b8cfca2a012476b46387435410b995aeae5b502bd95e<\/code><\/td>\n<td>Malicious Windows x86 installer v11.0.29 (87,157,760 bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>e4a20f746b7dd19b8d9601b884e67c8166ea9676b917adea6833b695ba13de16<\/code><\/td>\n<td>Malicious Windows x86 installer v17.0.17 (86,576,128 
bytes)<\/td>\n<\/tr>\n<tr>\n<td>SHA256<\/td>\n<td><code>4ff7eec9e69b6008b77de1b6e5c0d18aa717f625458d80da610cb170c784e97c<\/code><\/td>\n<td>Malicious Windows x86 installer v1.8.0.472 (62,498,304 bytes)<\/td>\n<\/tr>\n
<tr>\n<td>URL<\/td>\n<td><code>https:\/\/parkspringshotel[.]com\/m\/Lu6aeloo.php<\/code><\/td>\n<td>Live C2 server URL decoded via RC4 key \u201cChahgh4a\u201d<\/td>\n<\/tr>\n
<tr>\n<td>URL<\/td>\n<td><code>https:\/\/auraguest[.]lk\/m\/douV2quu.php<\/code><\/td>\n<td>Live C2 server URL decoded via RC4 key \u201cChahgh4a\u201d<\/td>\n<\/tr>\n
<tr>\n<td>Registry Key<\/td>\n<td><code>HKCU\\SOFTWARE\\Python<\/code><\/td>\n<td>Persistence config staging location used by the loader<\/td>\n<\/tr>\n
<tr>\n<td>Process<\/td>\n<td><code>pythonw.exe<\/code><\/td>\n<td>Host process for the resident Python RAT payload<\/td>\n<\/tr>\n
<tr>\n<td>XOR Key<\/td>\n<td><code>ectb<\/code><\/td>\n<td>Key used to decrypt malicious PE from wrapper resource<\/td>\n<\/tr>\n
<tr>\n<td>XOR Key<\/td>\n<td><code>fywo<\/code><\/td>\n<td>Key used to decrypt obfuscated PyArmor resources in loader<\/td>\n<\/tr>\n
<tr>\n<td>RC4 Key<\/td>\n<td><code>Chahgh4a<\/code><\/td>\n<td>Key used to decrypt dead drop C2 resolver content<\/td>\n<\/tr>\n
<tr>\n<td>Publisher (Fake)<\/td>\n<td>Zipline LLC<\/td>\n<td>Fraudulent code-signing publisher observed on malicious installer<\/td>\n<\/tr>\n
<tr>\n<td>Publisher (Fake)<\/td>\n<td>The Water Team<\/td>\n<td>Second fraudulent publisher name seen on malicious installer<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. 
Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/jdownloader-downloader-hacked\/\">JDownloader Downloader Hacked to Infect Users With New Python RAT<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<\/p>\n","protected":false},"excerpt":{"rendered":"<p>JDownloader Downloader Hacked to Infect Users With New Python RAT JDownloader, the popular open-source download manager trusted by millions of users worldwide, was at the center of a serious supply chain attack in early May 2026. 
Attackers quietly compromised the official jdownloader.org website and replaced legitimate installer download links with malicious files carrying a fully [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-12756","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12756"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12756"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12756\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12756"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12756"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12756"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}