Pulse: IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus
TLP: WHITE | Author: celestre | Created: 2026-05-22 | Modified: 2026-05-22
Indicators: 32 (medium volume)
Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.
Indicators of Compromise (32)

| Type | Indicator | Description | Created |
|---|---|---|---|
| FileHash-MD5 | 17b52e1b45a31e30f51cd1e08faa2b08 | MD5 of 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 | 2026-05-22 |
| FileHash-MD5 | 24d184508953034433173b329db6621f | MD5 of 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371 | 2026-05-22 |
| FileHash-MD5 | 626803a57697acedc578e93232d9a482 | MD5 of 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a | 2026-05-22 |
| FileHash-MD5 | be430657cf97c5b1f3fa1abd496a4f3b | MD5 of 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af | 2026-05-22 |
| FileHash-MD5 | c19d686e686b6b391a4e6583bc7909fb | MD5 of 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 | 2026-05-22 |
| FileHash-MD5 | cc1291e2d814d69344b38182be6ad8f0 | MD5 of bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab | 2026-05-22 |
| FileHash-MD5 | d083223cb4510c987f6458388163b551 | MD5 of 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46 | 2026-05-22 |
| FileHash-SHA1 | 1d30baa0c45398fcf82329082cf913ef71cc4d55 | SHA1 of 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 | 2026-05-22 |
| FileHash-SHA1 | 32ccc3a9ec317ab31b0e1d42a5ff396462e0c565 | SHA1 of 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371 | 2026-05-22 |
| FileHash-SHA1 | 4c30ffc8c7e639274ffed4af3f9fa75edf261378 | SHA1 of 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a | 2026-05-22 |
| FileHash-SHA1 | 4c4a33b79ddb8aef09436f73aa9a68ba30afb270 | SHA1 of 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46 | 2026-05-22 |
| FileHash-SHA1 | 6839bd5a42338c41e81bb9aff8c4ed853d93801e | SHA1 of 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af | 2026-05-22 |
| FileHash-SHA1 | e5ac58f956fc17d07435c311fdedcd9885fbb09d | SHA1 of 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 | 2026-05-22 |
| FileHash-SHA1 | fdc6bf26f63e6b3d29da21291c8de62afa32b6c3 | SHA1 of bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab | 2026-05-22 |
| FileHash-SHA256 | 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46 | | 2026-05-22 |
| FileHash-SHA256 | 33318499489cdb82543c0bfea699b98f5928c7a360966df6e958a9cbc2eab3fe | | 2026-05-22 |
| FileHash-SHA256 | 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 | | 2026-05-22 |
| FileHash-SHA256 | 5c887054cb1dce077943afa955db43306f66795f7cbda8233d8ba25230a23d41 | | 2026-05-22 |
| FileHash-SHA256 | 5ee86c177dc5bdba05e3bdc67b07115c66097f825fff257bf0d4a999bbb8a1ea | | 2026-05-22 |
| FileHash-SHA256 | 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a | | 2026-05-22 |
| FileHash-SHA256 | 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371 | | 2026-05-22 |
| FileHash-SHA256 | 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af | | 2026-05-22 |
| FileHash-SHA256 | 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 | | 2026-05-22 |
| FileHash-SHA256 | bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab | | 2026-05-22 |
| IPv4 | 172.96.172.91 | CC=US ASN=AS23470 reliablesite.net llc | 2026-05-22 |
| IPv4 | 209.133.215.178 | CC=US ASN=AS29802 hivelocity inc. | 2026-05-22 |
| URL | http://auraguest.lk/m/douV2quu.php | | 2026-05-22 |
| URL | http://checkinnhotels.com/img/logo1.svg | | 2026-05-22 |
| URL | http://parkspringshotel.com/m/Lu6aeloo.php | | 2026-05-22 |
| domain | auraguest.lk | | 2026-05-22 |
| domain | checkinnhotels.com | | 2026-05-22 |
| domain | parkspringshotel.com | | 2026-05-22 |