Threats Tagged 'installer tampering'

In early May 2026, attackers compromised the official JDownloader website by manipulating specific installer download links through the content management system. Between May 6-7, 2026 (UTC), users who downloaded Windows installers via "Download Alternative Installer" links or the Linux shell installer were redirected to malicious third-party files instead of genuine installers. The attackers gained CMS-level access only, not server or filesystem control. The incident was detected on May 7 via Reddit alerts, and the server was immediately taken offline. Malicious links were removed, legitimate links restored, and security hardened before the site resumed normal operations on May 8-9. In-app updates and other download paths remained unaffected. Users who executed downloaded installers during the risk window are advised to perform clean OS reinstalls and change passwords from trusted devices.

APT37 conducted a sophisticated social engineering campaign utilizing Facebook accounts claiming locations in Pyongyang and Pyongsong, North Korea, to conduct reconnaissance and build trust with targets. After establishing relationships through Facebook Messenger, the threat actor migrated conversations to Telegram and employed pretexting tactics, claiming to share encrypted PDF documents containing military weapons information. Victims were persuaded to install a tampered Wondershare PDFelement installer that executed embedded shellcode for initial compromise. The attack chain delivered follow-on commands through a JPG-disguised payload hosted on a compromised Japanese real estate website. The malware abused Zoho WorkDrive OAuth2 APIs as C2 channels, exfiltrating screenshots, documents, system information, and audio files. The campaign employed multiple evasion techniques including code cave injection, process hollowing into legitimate dism.exe, XOR encryption layers, and fileless in-memory execution.