The official download portal for JDownloader, a popular file download manager with millions of users, was compromised earlier this week in a classic supply-chain attack. Threat actors replaced legitimate Windows and Linux installers with malicious variants. On Windows, the compromised installer deploys a Python-based Remote Access Trojan (RAT), while the Linux variant drops a malicious shell script.
For defenders, this represents a high-risk event. The victims did nothing unusual: they fetched a well-known application from the vendor's own website, a source most users (and many allowlists) treat as trusted, so any security prompts would have been clicked through without a second thought. The payload, a Python RAT packaged with PyInstaller, gives the attackers full remote control, including the ability to exfiltrate data, deploy additional payloads, and move laterally. Immediate action is required to identify systems that executed the installer during the compromise window and to eradicate the Python-based persistence mechanisms.
Technical Analysis
- Affected Products: JDownloader (Windows and Linux installers).
- Threat Type: Supply Chain Compromise / Trojanized Software.
- Payload (Windows): Python-based RAT packaged as a Windows executable using PyInstaller.
- Payload (Linux): Malicious shell script replacing the standard installer.
- Attack Vector: Users downloading the installer from the official jdownloader.org domain during the compromise window. The malicious executable mimics the legitimate installation process while covertly executing the RAT in the background.
- Execution Flow:
  - User downloads JDownloaderInstaller.exe (or the Linux equivalent) from the official site.
  - User executes the file.
  - Windows: PyInstaller extracts a compiled Python bytecode environment into a temporary directory (e.g., %TEMP%\_MEIxxxxxx). A Python process (python.exe or pythonw.exe) is spawned from this non-standard path to establish a C2 channel.
  - Linux: The executed script performs malicious actions instead of the intended installation.
- Exploitation Status: Confirmed active exploitation. The malicious installers were hosted on the legitimate vendor domain, bypassing standard reputation-based allowlisting.
Detection & Response
Since the malware relies on a Python environment extracted from a PyInstaller wrapper, standard signature-based detection may struggle if the binaries are obfuscated. We must focus on behavioral anomalies: specifically, Python binaries executing from temporary or user directories rather than a standard installation path. One caveat when tuning the rules below: a stock PyInstaller one-file bundle does not launch a separate python.exe. Its bootloader extracts the payload to %TEMP%\_MEIxxxxxx and loads the bundled pythonXY.dll into its own process, so the process image stays the installer itself. The python.exe/pythonw.exe indicators fire only where the dropped payload actually launches an interpreter binary; pair them with image-load or file-creation telemetry for pythonXY.dll and _MEI* directories under %TEMP% so the in-process case is not missed.
Sigma Rules
The following rules target the behavioral indicators of the Python RAT payload on Windows.
---
title: Suspicious Python Execution from Temp Directory
id: 8a4b2c10-9e3d-4f1a-9b5c-2d1e3f4a5b6c
status: experimental
description: Detects python.exe or pythonw.exe running from a temporary directory or AppData local temp, characteristic of PyInstaller malware like the JDownloader RAT.
references:
- https://attack.mitre.org/techniques/T1059/006/
author: Security Arsenal
date: 2025/02/20
tags:
- attack.execution
- attack.t1059.006
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\python.exe'
- '\pythonw.exe'
Image|contains:
- '\AppData\Local\Temp\'
- '\Temp\'
condition: selection
falsepositives:
- Legitimate developers running scripts from temp (rare)
level: high
---
title: Network Connection Initiated by Python Process
id: 1b5c3d21-0f4e-5a2b-0c6d-3e2f4a5b6c7d
status: experimental
description: Detects python.exe or pythonw.exe initiating outbound network connections, potentially indicating C2 beaconing from the JDownloader RAT.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2025/02/20
tags:
- attack.command_and_control
- attack.t1071
logsource:
category: network_connection
product: windows
detection:
selection:
Image|endswith:
- '\python.exe'
- '\pythonw.exe'
Initiated: 'true'
condition: selection
falsepositives:
- Legitimate python applications accessing the internet
level: medium
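To show how the two Sigma selections above evaluate against telemetry, and to cover the in-process PyInstaller case they cannot see, here is an added Python example. It is not code from the original advisory or from JDownloader. The event records are constructed Sysmon-style dictionaries with fictional hosts and paths; the third check, for pythonXY.dll loaded from a %TEMP%\_MEI* directory, is an assumption derived from how PyInstaller one-file bundles behave, not a rule taken from this page.

```python
"""Run the advisory's two Sigma selections over constructed Sysmon-style events.

Added example, not code from the original page or from JDownloader. The events
below are made up for illustration; none of the paths come from the incident.
"""
import re

# Sigma's |endswith and |contains modifiers compare case-insensitively,
# so every check below lower-cases both sides first.
PYTHON_IMAGES = ("\\python.exe", "\\pythonw.exe")
TEMP_MARKERS = ("\\AppData\\Local\\Temp\\", "\\Temp\\")

# Assumption from PyInstaller's documented behaviour, not from the Sigma rules:
# one-file bundles extract to %TEMP%\_MEI<digits>\ and load pythonXY.dll from there.
PYINSTALLER_DIR = re.compile(r"\\_MEI\d+\\", re.IGNORECASE)
PYTHON_DLL = re.compile(r"\\python\d+\.dll$", re.IGNORECASE)


def _endswith_any(value: str, suffixes) -> bool:
    value = value.lower()
    return any(value.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    value = value.lower()
    return any(n.lower() in value for n in needles)


def rule_python_from_temp(event: dict) -> bool:
    """'Suspicious Python Execution from Temp Directory': process_creation where
    Image ends with python(w).exe AND Image contains a Temp path fragment."""
    if event.get("category") != "process_creation":
        return False
    image = event.get("Image", "")
    return _endswith_any(image, PYTHON_IMAGES) and _contains_any(image, TEMP_MARKERS)


def rule_python_network(event: dict) -> bool:
    """'Network Connection Initiated by Python Process': network_connection where
    Image ends with python(w).exe AND Initiated is true."""
    if event.get("category") != "network_connection":
        return False
    initiated = str(event.get("Initiated", "")).lower() == "true"
    return _endswith_any(event.get("Image", ""), PYTHON_IMAGES) and initiated


def rule_pyinstaller_dll_load(event: dict) -> bool:
    """Extra check for the in-process case: any image loading pythonXY.dll out of
    a %TEMP%\\_MEI* directory. The loading Image is the trojanised installer, not
    python.exe, so the two rules above stay silent on this event."""
    if event.get("category") != "image_load":
        return False
    loaded = event.get("ImageLoaded", "")
    return bool(PYINSTALLER_DIR.search(loaded)) and bool(PYTHON_DLL.search(loaded))


RULES = {
    "python_from_temp": rule_python_from_temp,
    "python_network": rule_python_network,
    "pyinstaller_dll_load": rule_pyinstaller_dll_load,
}


def evaluate(events):
    """Return (rule_name, Image) for every event/rule pair that matches."""
    return [(name, ev.get("Image", ""))
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (fictional host, user and paths).
SAMPLE_EVENTS = [
    {"category": "process_creation",
     "Image": r"C:\Users\alice\AppData\Local\Temp\_MEI48122\python.exe",
     "ParentImage": r"C:\Users\alice\Downloads\JDownloaderInstaller.exe"},
    {"category": "process_creation",
     "Image": r"C:\Python311\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"category": "network_connection",
     "Image": r"C:\Users\alice\AppData\Local\Temp\_MEI48122\pythonw.exe",
     "Initiated": "true", "DestinationPort": 443},
    {"category": "network_connection",
     "Image": r"C:\Python311\python.exe",
     "Initiated": "false", "DestinationPort": 443},
    {"category": "image_load",
     "Image": r"C:\Users\alice\Downloads\JDownloaderInstaller.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\_MEI48122\python311.dll"},
    {"category": "image_load",
     "Image": r"C:\Program Files\SomeApp\SomeApp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\python311.dll"},
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

Run against the constructed events, the first Sigma rule fires on the python.exe under _MEI48122, the second on the outbound connection from pythonw.exe, and the extra DLL-load check is the only one that flags the installer process itself; the legitimate C:\Python311 interpreter and the vendor application loading its own python311.dll produce no hits.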
KQL (Microsoft Sentinel / Defender)
Use this query to hunt for Python processes running from Temp or Downloads paths. It does not filter on the parent, but it projects the parent process name and path so you can see at a glance whether an installer or browser launched the interpreter.
// Hunt for Python execution from non-standard paths (Temp/Downloads)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("python.exe", "pythonw.exe")
| where FolderPath contains @"\Temp\" or FolderPath contains @"\Downloads\"
| extend ParentProcess = InitiatingProcessFileName, ParentPath = InitiatingProcessFolderPath
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256, ParentProcess, ParentPath
| order by Timestamp desc
Velociraptor VQL
This artifact hunts for the specific behavior of PyInstaller-extracted Python processes on the endpoint.
-- Hunt for Python processes running from Temp or User Profile paths
SELECT Pid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "python"
AND (
Exe =~ "C:\\Users\\.*\\AppData\\Local\\Temp\\.*" OR
Exe =~ "C:\\Users\\.*\\Downloads\\.*" OR
Exe =~ "/tmp/" OR
Exe =~ "/home/.*/Downloads/.*"
)
Remediation Script
Action: Run this script on endpoints suspected of downloading JDownloader recently. It checks the Downloads and Temp directories for unsigned Python binaries or suspicious installers.
# PowerShell: Hunt for PyInstaller artifacts in JDownloader context
# Check Downloads and Temp for suspicious Python binaries
Write-Host "[+] Hunting for Python RAT artifacts..." -ForegroundColor Cyan
$pathsToScan = @(
    "$env:USERPROFILE\Downloads",
    "$env:TEMP"
)
# Add known-bad SHA256 values (upper-case hex) here once published through official channels
$suspiciousHashes = @()
foreach ($path in $pathsToScan) {
    if (Test-Path $path) {
        Write-Host "[+] Scanning $path..." -ForegroundColor Yellow
        # Look for python.exe or pythonw.exe in user-writable locations; the recursive
        # search also covers PyInstaller extraction directories (%TEMP%\_MEIxxxxxx)
        Get-ChildItem -Path $path -Recurse -File -Filter "python*.exe" -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            if ($suspiciousHashes -contains $hash) {
                Write-Host "[!] ALERT: Known-bad Python binary found: $($file.FullName)" -ForegroundColor Red
                Write-Host "    SHA256: $hash" -ForegroundColor Gray
            }
            elseif ($sig.Status -ne "Valid") {
                Write-Host "[!] ALERT: Unsigned Python binary found: $($file.FullName)" -ForegroundColor Red
                # Record the hash so it can be shared as an IOC
                Write-Host "    SHA256: $hash" -ForegroundColor Gray
            }
        }
        # Look for JDownloader installers (generic filename check)
        Get-ChildItem -Path $path -Filter "JDownloader*.exe" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[*] Found JDownloader Installer: $($_.FullName)" -ForegroundColor Cyan
        }
    }
}
#!/usr/bin/env bash
# Linux: check for suspicious installer remnants
# Execute on Linux endpoints where JDownloader might have been run
DOWNLOADS_DIR="$HOME/Downloads"
TEMP_DIR="/tmp"
echo "[+] Checking for suspicious JDownloader installer remnants..."
# Shell scripts written to /tmp within the last 24 hours (the Linux payload is a script)
find "$TEMP_DIR" -name "*.sh" -mtime -1 -ls 2>/dev/null
# Any JDownloader installer still sitting in Downloads
find "$DOWNLOADS_DIR" -name "JDownloader*" -ls 2>/dev/null
# Running python processes whose command line points into /tmp or Downloads
ps aux | grep -E "python.*(/tmp|Downloads)" | grep -v grep
Remediation
- Identify Impacted Systems: Use the detection logic above to identify hosts that have executed python.exe from temporary directories or downloaded the JDownloader installer in the last 48-72 hours.
- Quarantine Hosts: Isolate affected endpoints from the network immediately to prevent C2 communication and lateral movement.
- Remove Malicious Artifacts:
  - Delete the malicious installer from Downloads folders.
  - Terminate malicious python.exe/pythonw.exe processes.
  - Remove the extraction directories in %TEMP% (often named _MEIxxxxxx).
- Re-image or Deep Clean: Due to the nature of RATs (potential for keylogging and credential theft), the safest remediation is a re-image of the workstation. If re-imaging is not possible, a full AV/EDR scan combined with credential resets for all accounts accessed on the machine is mandatory.
- Verify Legitimacy of Future Downloads: JDownloader developers are actively working to clean their infrastructure. Advise users to verify the integrity of installers using file hashes provided via official trusted communication channels (e.g., verified social media or forums) before re-installing.