In a sophisticated supply-chain attack, attackers compromised the official JDownloader website between May 6 and May 7, 2026. By exploiting an unpatched vulnerability in the site's Content Management System (CMS), the threat actors replaced the legitimate "Alternative Installer" links for Windows and the shell-installer links for Linux with malicious counterparts.
The Gen Digital Threat Research Team, who disassembled the malware, noted that “what we found goes well beyond a typical trojanized installer”.
The attack chain is a meticulously designed gauntlet intended to bypass modern defenses. The initial dropper employs a “5-minute-per-call delay… designed to outlast automated sandboxes”. Once it determines the coast is clear, it deploys a five-component framework that renders the victim’s machine nearly defenseless.
The Five Deadly Components
| Component | Purpose |
| --- | --- |
| PyArmor Bot | The primary payload, shipped as obfuscated bytecode. |
| PyArmor Runtime | A DLL that decrypts the bot at execution time. |
| r77 Rootkit Stager | Hides the bot's files, processes, and registry keys. |
| WDAC CI Policy | A "deny-list" policy that prevents antivirus software from starting. |
| Python Installer | Legitimate runtime (v3.12 or v3.14) used to execute the bot. |

The most operationally significant part of this attack is its use of Windows Defender Application Control (WDAC) policies. By deploying a custom policy to the system directory, the malware effectively “blinds” the operating system.
The report states that “after the next reboot, none of these executables can start. The AV service is effectively dead”. The blocklist targets 50 different security executables across major vendors, including:
- Avast & AVG
- Avira
- Windows Defender & Security Health
- HitmanPro & Kaspersky Virus Removal Tool
To remain undetected, the malware utilizes the open-source r77 rootkit. This stager hooks Windows API functions to hide any entity, be it a file, a process or a registry key, whose name starts with the $77 prefix. "Once r77 is active, the $77 prefix acts as an invisibility cloak," making the bot invisible to Task Manager and standard registry editors.
Communication with Command and Control (C2) servers is equally resilient. Instead of hardcoding IP addresses, the bot uses Dead-Drop Resolvers (DDR), legitimate pages on sites like Telegraph and Rentry, to discover its C2 addresses. As a final fail-safe, a Domain Generation Algorithm (DGA) is included to ensure the botnet survives even if all known resolver pages are taken down.
Only users who performed a fresh download from the JDownloader website during the 24-hour compromise window (May 6 to 7, 2026) are at risk. In-app updates and macOS downloads remained unaffected.
Recommendations for potentially infected users:
- Check for the WDAC Policy: Look for SIPolicy.p7b in the CodeIntegrity folder; if you didn’t create it, delete it and reboot.
- Registry Indicators: Monitor for keys in HKCU\SOFTWARE\Python and HKLM\SOFTWARE\$77stager.
- The Nuclear Option: Due to the deep integration of the r77 rootkit and AMSI bypass, researchers warn that “a clean OS reinstall is the safest remediation”.
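The checks above can be run in one pass. The script below is an added example written for this article, not code from Gen Digital or the JDownloader project: it looks for the indicators named in the recommendations (SIPolicy.p7b, the two registry keys and $77-prefixed names) and reports them without deleting anything. It assumes the "CodeIntegrity folder" is the standard WDAC location below System32, and it also lists the multi-policy directory `CiPolicies\Active`, which the article does not mention. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the report or the article): report-only check for the indicators
# the recommendations list. Assumption: the "CodeIntegrity folder" is the standard WDAC
# policy location, %SystemRoot%\System32\CodeIntegrity.
[CmdletBinding()]
param(
    [string]$CodeIntegrityDir = (Join-Path $env:SystemRoot 'System32\CodeIntegrity')
)

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Kind, [string]$Location, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# 1. WDAC single-policy file. On a machine where nobody deployed WDAC, the presence of
#    SIPolicy.p7b is the article's primary indicator. Its timestamp should be compared
#    with the compromise window before deciding to delete it.
$policyPath = Join-Path $CodeIntegrityDir 'SIPolicy.p7b'
if (Test-Path -LiteralPath $policyPath) {
    $item = Get-Item -LiteralPath $policyPath
    Add-Finding 'WDAC policy' $policyPath ("Size {0} bytes, last written {1:u}" -f $item.Length, $item.LastWriteTime)
}

# Multiple-policy format (not mentioned in the article) stores policies as <GUID>.cip files.
$activeDir = Join-Path $CodeIntegrityDir 'CiPolicies\Active'
if (Test-Path -LiteralPath $activeDir) {
    Get-ChildItem -LiteralPath $activeDir -Filter '*.cip' -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'WDAC policy (multi-policy format)' $_.FullName ("Last written {0:u}" -f $_.LastWriteTime)
    }
}

# 2. Registry indicators named in the article. HKCU\SOFTWARE\Python is also written by a
#    legitimate Python-for-Windows install (PythonCore subkeys), so review its contents
#    rather than treating its presence alone as proof of infection.
$registryPaths = @(
    'HKCU:\SOFTWARE\Python',
    'HKLM:\SOFTWARE\$77stager'
)
foreach ($path in $registryPaths) {
    if (Test-Path -LiteralPath $path) {
        $subkeys = (Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName) -join ', '
        if (-not $subkeys) { $subkeys = '(none)' }
        Add-Finding 'Registry key' $path ("Subkeys: {0}" -f $subkeys)
    }
}

# 3. Names with the $77 prefix. r77 hides these from user-mode APIs once it is active, so an
#    empty result here is not a clean bill of health; the same paths inspected offline
#    (WinRE or a second OS) are not subject to the hook.
foreach ($root in @($env:ProgramData, $env:SystemRoot, $env:APPDATA, $env:LOCALAPPDATA)) {
    if (-not $root) { continue }
    Get-ChildItem -LiteralPath $root -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '$77*' } |
        ForEach-Object { Add-Finding 'Item with $77 prefix' $_.FullName '' }
}
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like '$77*' } |
    ForEach-Object { Add-Finding 'Process with $77 prefix' $_.ProcessName ("PID {0}" -f $_.Id) }

# 4. Report. Removal is left to the operator, following the recommendation above.
if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article found (caveat: an active r77 hides $77-prefixed items).'
} else {
    $findings | Format-Table -AutoSize -Wrap
    Write-Warning 'Indicators present. The report calls a clean OS reinstall the safest remediation.'
}
```

The script deliberately stops at reporting: deleting SIPolicy.p7b is only correct when nobody on the machine deployed WDAC intentionally, which the script cannot know, and the $77 check is stated as unreliable from inside the running system for the reason the article gives.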
The researchers concluded that the attackers specifically targeted QloApps, an open-source hotel booking CMS, to host their C2 infrastructure, suggesting a highly organized and targeted operation.