← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus
WHITE celestre 2026-05-22 Modified: 2026-05-22
32
IOCs
MEDIUM VOLUME
Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.
windowslinuxc dropperpyarmor botpyarmor runtimewdac cilinux payloadlinux suidc2 urlactive c2c2 ip
Indicators of Compromise (10 / 32 total)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL domain
TYPEINDICATORDESCRIPTIONCREATED
FileHash-SHA256 25744e90bfa44cbcbf1f3d3c3cb90dd79dd32a6e359df9d2660ff251d6d03b46 2026-05-22
FileHash-SHA256 33318499489cdb82543c0bfea699b98f5928c7a360966df6e958a9cbc2eab3fe 2026-05-22
FileHash-SHA256 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 2026-05-22
FileHash-SHA256 5c887054cb1dce077943afa955db43306f66795f7cbda8233d8ba25230a23d41 2026-05-22
FileHash-SHA256 5ee86c177dc5bdba05e3bdc67b07115c66097f825fff257bf0d4a999bbb8a1ea 2026-05-22
FileHash-SHA256 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a 2026-05-22
FileHash-SHA256 6550672cac21e036882921dd934ee06552dc74d3b0a9e1ddc26f952855e11371 2026-05-22
FileHash-SHA256 6d975c05ef7a164707fa359284a31bfe0b1681fe0319819cb9e2c4eec2a1a8af 2026-05-22
FileHash-SHA256 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 2026-05-22
FileHash-SHA256 bf47585bd0b39f0731f044b37a95eb7e311ad31b23b50306a113a3aa777dbfab 2026-05-22
References (1)
↗ https://www.gendigital.com/blog/insights/research/inside-the-jdownloader-supply-chain-attack