IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus
Pulse author: celestre. TLP: WHITE. Created 2026-05-22, modified 2026-05-22. 32 IOCs (medium volume).
On May 6, 2026, attackers compromised the official JDownloader website and swapped some of its download links to serve trojanized installers. The malicious installers deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged that they did not know what the malicious installers actually did. We took the malware apart to answer that question.
Indicators of Compromise (7 of 32 shown; indicator types in the full pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, IPv4, URL, domain)
TYPE          INDICATOR                         DESCRIPTION                                                                      CREATED
FileHash-MD5  17b52e1b45a31e30f51cd1e08faa2b08  MD5 of 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80  2026-05-22
FileHash-MD5  24d184508953034433173b329db6621f  MD5 of 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371  2026-05-22
FileHash-MD5  626803a57697acedc578e93232d9a482  MD5 of 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a  2026-05-22
FileHash-MD5  be430657cf97c5b1f3fa1abd496a4f3b  MD5 of 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af  2026-05-22
FileHash-MD5  c19d686e686b6b391a4e6583bc7909fb  MD5 of 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3  2026-05-22
FileHash-MD5  cc1291e2d814d69344b38182be6ad8f0  MD5 of bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab  2026-05-22
FileHash-MD5  d083223cb4510c987f6458388163b551  MD5 of 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46  2026-05-22
The 64-hex-digit value in each description is the SHA-256 of the same file as the MD5 in the indicator column, so every row identifies one sample by two digests.
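Each row above pairs a sample's MD5 with its SHA-256, so a scanner can match on either. The following Python script is an added example, not code from the pulse or from the article it summarizes: it parses rows in the pulse's own text layout into one digest lookup (MD5, SHA-1 and SHA-256, including the SHA-256 quoted in each description), then hashes files under a directory and reports any whose digest appears in the set. The seven embedded rows are the ones shown above; the directory path and the sample bytes used in the usage are constructed placeholders.

```python
import hashlib
import re
import sys
from pathlib import Path

# The seven FileHash-MD5 rows shown in the pulse, copied in the page's own layout.
# Each description names the SHA-256 of the same file, so one row yields two digests.
IOC_ROWS = """\
FileHash-MD5 17b52e1b45a31e30f51cd1e08faa2b08 MD5 of 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 2026-05-22
FileHash-MD5 24d184508953034433173b329db6621f MD5 of 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371 2026-05-22
FileHash-MD5 626803a57697acedc578e93232d9a482 MD5 of 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a 2026-05-22
FileHash-MD5 be430657cf97c5b1f3fa1abd496a4f3b MD5 of 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af 2026-05-22
FileHash-MD5 c19d686e686b6b391a4e6583bc7909fb MD5 of 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 2026-05-22
FileHash-MD5 cc1291e2d814d69344b38182be6ad8f0 MD5 of bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab 2026-05-22
FileHash-MD5 d083223cb4510c987f6458388163b551 MD5 of 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46 2026-05-22
"""

ALGORITHMS = ("md5", "sha1", "sha256")
# Digest length identifies the algorithm, so one dict can hold all three kinds.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# "FileHash-<TYPE> <hex> <description> <YYYY-MM-DD>"; the date is optional.
ROW_RE = re.compile(r"^FileHash-(SHA256|SHA1|MD5)\s+([0-9A-Fa-f]+)\s+(.*?)\s*(\d{4}-\d{2}-\d{2})?$")
# Any standalone 32/40/64-digit hex token quoted inside a description.
HEX_RE = re.compile(r"\b[0-9A-Fa-f]{32}\b|\b[0-9A-Fa-f]{40}\b|\b[0-9A-Fa-f]{64}\b")


def parse_iocs(text):
    """Map every digest in the rows (the indicator itself and any digest quoted
    in its description) to the indicator record it belongs to."""
    lookup = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # not an IOC row (header, blank, other indicator types)
        ioc_type, digest, desc, created = m.groups()
        digest = digest.lower()
        lookup[digest] = {"type": f"FileHash-{ioc_type}", "description": desc, "created": created}
        for other in HEX_RE.findall(desc):
            other = other.lower()
            if other != digest:
                algo = ALGO_BY_LEN[len(other)].upper()
                lookup.setdefault(other, {
                    "type": f"FileHash-{algo}",
                    "description": f"same sample as FileHash-{ioc_type} {digest}",
                    "created": created,
                })
    return lookup


def digest_all(data):
    """All three digests of an in-memory blob (used for small inputs and tests)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digest_file(path, chunk_size=1 << 20):
    """All three digests of a file, read in chunks so large installers fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests, lookup):
    """Return the matching indicator record (plus which algorithm hit), or None."""
    for algo, digest in digests.items():
        hit = lookup.get(digest)
        if hit:
            return {"algorithm": algo, "digest": digest, **hit}
    return None


def scan_tree(root, lookup):
    """Hash every regular file under root and collect (path, record) for hits."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hit = match_digests(digest_file(path), lookup)
            if hit:
                hits.append((str(path), hit))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(IOC_ROWS)
    # Placeholder path: scan the current directory unless one is given on the command line.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"loaded {len(iocs)} digests, scanning {root}")
    for path, hit in scan_tree(root, iocs):
        print(f"HIT {path}: {hit['type']} {hit['digest']} ({hit['description']})")
```

Hash matching only catches these exact samples; a rebuilt or repacked installer evades it, so treat a clean scan as necessary but not sufficient and confirm any MD5-only hit against the SHA-256 in the same row before acting on it. The same lookup can be fed the pulse's remaining SHA-1 and SHA-256 rows unchanged, since the parser keys on digest length rather than on the indicator type.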