IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus
Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.
Indicators of Compromise (7 / 32 total)