Pulse: IOC - Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus
TLP: WHITE | Author: celestre | Created: 2026-05-22 | Modified: 2026-05-22
32 IOCs (medium volume)
Attackers replaced selected official download links with malicious installers that deployed a Python bot, r77 rootkit components, and Windows policy-based defense evasion. On May 6, 2026, attackers compromised the official JDownloader website and swapped download links to serve trojanized installers. The JDownloader developers confirmed the breach within hours, restored clean files, and disclosed a timeline, but acknowledged they didn't know what the malicious installers actually do. We took the malware apart to answer that question.
Indicators of Compromise (2 / 32 total)
TYPE   INDICATOR         DESCRIPTION                              CREATED
IPv4   172.96.172.91     CC=US ASN=AS23470 reliablesite.net llc   2026-05-22
IPv4   209.133.215.178   CC=US ASN=AS29802 hivelocity inc.        2026-05-22