BleepingComputer A.I CyberSecurity Scoring
Company Information
Website: https://www.bleepingcomputer.com/
Employees number: 14
Number of followers: 66,253
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: bleepingcomputer.com
BleepingComputer Risk Score (AI oriented)
Updated: 05/06/2026
Current Score: 100/1000, grade C, Critical band (scores between 0 and 549 are rated Critical; the scale runs 0 to 1000)
12 incidents, -178 avg impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100
MAY 2026
100
Cyber Attack
05 May 2026 • BleepingComputer
JDownloader: JDownloader Hack Spreads New Python RAT
JDownloader Website Hit by Supply-Chain Attack, Distributing Malicious Installers
Score after incident: 100 (Critical, impact 0). Incident ID: BLE1778480659
Between May 6 and May 7, 2026, the official JDownloader website suffered a supply-chain attack, leading to the distribution of malware-laced installers to users worldwide. Attackers exploited an unpatched vulnerability in the site’s content management system (CMS) to redirect download links for the "Download Alternative Installer" (Windows) and the Linux shell installer to malicious third-party files.
The breach began on May 5, 2026, when threat actors tested their approach on a low-traffic page at 23:55 UTC before successfully altering download links on the main site at 00:01 UTC on May 6. The attack remained active until 17:06 UTC on May 7, when the JDownloader team was alerted via Reddit and took the compromised server offline for investigation at 17:24 UTC.
The attackers gained access only to the CMS, allowing them to modify web content including download links without compromising the underlying server or host filesystem. Genuine JDownloader installers were unaffected; only the redirected links pointed to malicious files hosted externally.
Security researcher Thomas Klemenc identified the Windows payload as a heavily obfuscated Python-based remote access trojan (RAT) with modular bot capabilities. The malware communicated with two command-and-control (C2) servers: parkspringshotel[.]com/m/Lu6aeloo.php and auraguest[.]lk/m/douV2quu.php. The malicious Windows executables were signed with spoofed certificates under the names "Zipline LLC" and "The Water Team" to appear legitimate.
Analysis of the Linux installer revealed injected code that downloaded additional malware, installed a SUID-root launcher, and disguised the payload as /usr/libexec/upowerd to evade detection. Eight malicious Windows installer variants (61–107 MB) and one compromised Linux shell installer (JDownloader2Setup_unix_nojre.sh, 7,934,496 bytes) were identified, each with distinct SHA256 hashes.
Other installer variants, including the JAR package, in-app updates, macOS, Flatpak, Winget, and Snap packages, were unaffected. The JDownloader website was taken offline for remediation and returned on the night of May 8–9, 2026, after security checks confirmed the installer links were clean. The team noted that in-app updates were unaffected because the client verifies an RSA signature on every update before applying it, so hijacking a download link on the website could not be used to push a tampered update through that channel.
Users who downloaded and executed the compromised installers during the risk window were advised to reinstall their operating systems, as the malware could execute arbitrary code and compromise credentials. Indicators of compromise, including file sizes and SHA256 hashes, were published in JDownloader’s official incident report.
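Two checks a user or administrator would want after this incident, as an added example that is not JDownloader's code or the report's own tooling: matching a downloaded installer's SHA256 and size against the published indicators (the hash entry in the block is a placeholder; the report's values replace it), and a walk for set-uid files, since the Linux payload installed a SUID-root launcher and parked itself as /usr/libexec/upowerd. The sample files in the test are constructed.

```python
"""Added example (not JDownloader's code and not from the incident report):
check a downloaded installer against published indicators before executing it,
and triage a Linux host for the SUID launcher the trojanized shell installer
dropped. The hash in KNOWN_BAD_SHA256 is a placeholder; take the real values
from the official incident report."""
import hashlib
import os
import stat
from pathlib import Path
from typing import Dict, List, Optional

# Placeholder denylist {sha256: label}. Replace with the report's hashes.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "0" * 64: "placeholder, not a real indicator",
}
# The one size indicator the text gives exactly: the trojanized
# JDownloader2Setup_unix_nojre.sh was 7,934,496 bytes.
LINUX_BAD_SIZE = 7_934_496


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file; installers run to 100 MB and need not be read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_download(path: Path, publisher_sha256: Optional[str] = None) -> str:
    """Verdict for a downloaded installer:
    known-bad   hash matches a published malicious sample
    verified    hash matches the value the publisher states out-of-band
    suspect     size matches a reported indicator (weak signal, review by hand)
    unverified  nothing matched; treat as untrusted until a hash is confirmed
    """
    digest = sha256_of(path)
    if digest in KNOWN_BAD_SHA256:
        return "known-bad"
    if publisher_sha256 and digest == publisher_sha256.lower():
        return "verified"
    if path.name.lower().endswith(".sh") and path.stat().st_size == LINUX_BAD_SIZE:
        return "suspect"
    return "unverified"


def find_suid_files(root: Path) -> List[Path]:
    """Set-uid regular files below root. The Linux payload installed a SUID-root
    launcher and parked itself as /usr/libexec/upowerd, so walk /usr/libexec,
    /usr/local and /tmp and compare the hits with package ownership
    (dpkg -S / rpm -qf)."""
    hits: List[Path] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            try:
                st = candidate.lstat()
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(candidate)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        target = Path(arg)
        print(target, classify_download(target) if target.is_file() else find_suid_files(target))
```

Pass installer paths or directories on the command line; a file gets a verdict, a directory gets its SUID listing. A "suspect" or "unverified" result is not a clean bill: only a hash confirmed against the publisher's out-of-band value should be treated as safe to run.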
MAY 2026
100
Cyber Attack
01 May 2026 • BleepingComputer
Google, Ledger Live and Trezor Suite: Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords
macOS Users Targeted by Reaper Malware Campaign Using Fake App Downloads
Score after incident: 100 (Critical, impact 0). Incident ID: BLETREGOO1780669490
A new malware campaign is targeting macOS users with an updated version of the SHub Stealer, dubbed Reaper, which masquerades as trusted software brands to steal files and cryptocurrency assets. Researchers at SentinelOne first identified the threat, with Moonlock later uncovering additional details on its distribution tactics.
The attack leverages a refined ClickFix technique that sidesteps Apple's recent security changes in macOS Tahoe 26.4, which restricted the Terminal-based command execution earlier lures relied on. Instead of Terminal, the lure uses applescript:// links to open macOS Script Editor automatically, with the malicious code hidden beneath ASCII art and a long run of whitespace so that it is not visible unless the user scrolls down. When executed, the script triggers a fake Apple security update prompt that tricks users into entering their system password.
The campaign starts on typosquatted domains, such as mlcrosoft.co.com, that impersonate legitimate software including WeChat and Miro. Once installed, Reaper checks the victim's keyboard layout and exits if it is set to Russian; otherwise it activates its data-stealing module, modeled on Atomic macOS Stealer (AMOS).
The malware targets documents, PDFs, spreadsheets, and cryptocurrency-related files (e.g., .wallet, .keys), compressing them into 70MB ZIP chunks and exfiltrating them to a command-and-control server at hebsbsbzjsjshduxbs.xyz/gate/chunk. It also steals browser passwords (Chrome, Firefox, Edge) and data from browser extensions such as 1Password and MetaMask, and modifies desktop wallet apps (Ledger Live, Trezor Suite, Exodus) to divert funds. A fake Google Software Update directory is created to maintain persistent backdoor access.
This marks the third campaign in two months using this automated distribution method, signaling an escalating threat to macOS users.
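To show what the Script Editor trick looks like to a detector, here is an added example, not from SentinelOne's or Moonlock's analysis, that pulls the script out of an applescript:// link and scores it. It assumes the Script Editor URL form applescript://com.apple.scripteditor?action=new&script=<percent-encoded script>; the lure HTML and script used in the test are constructed.

```python
"""Added example (not from the SentinelOne or Moonlock research): extract the
script carried in an applescript:// ClickFix link and rate it. Assumes the
Script Editor URL form applescript://com.apple.scripteditor?action=new&script=...
which is the form such links take."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Statements that have no business in a "security update" a web page asks the
# user to run; each entry is (regex, label).
SUSPICIOUS_PATTERNS = [
    (r"do shell script", "shell execution"),
    (r"\bcurl\b|\bnscurl\b", "downloader"),
    (r"with hidden answer", "password prompt"),
    (r"with administrator privileges", "privilege request"),
    (r"\bbase64\b|openssl enc", "encoded payload"),
]
HREF_RE = re.compile(r"""href\s*=\s*["'](applescript:[^"']+)["']""", re.I)


def find_applescript_links(html: str) -> List[str]:
    """Every applescript: link on a page; an ordinary site has none."""
    return HREF_RE.findall(html)


def extract_script(url: str) -> Optional[str]:
    """Decode the script carried in the link, or None if it is not such a link."""
    parts = urlparse(url)
    if parts.scheme.lower() != "applescript":
        return None
    values = parse_qs(parts.query).get("script")  # parse_qs percent-decodes
    return values[0] if values else None


def analyze_script(script: str, blank_run_threshold: int = 25) -> Dict[str, object]:
    """Flag dangerous statements and the whitespace padding used to push them
    below Script Editor's visible area."""
    lines = script.splitlines()
    findings: List[str] = []
    first_hit: Optional[int] = None
    for index, line in enumerate(lines):
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, line, re.I):
                if label not in findings:
                    findings.append(label)
                if first_hit is None:
                    first_hit = index
    # Longest run of whitespace-only lines before the first dangerous statement.
    longest = current = 0
    for line in lines[: first_hit if first_hit is not None else len(lines)]:
        current = current + 1 if not line.strip() else 0
        longest = max(longest, current)
    padded = longest >= blank_run_threshold
    if findings and (padded or "password prompt" in findings):
        verdict = "malicious"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "findings": findings,
            "first_payload_line": first_hit, "max_blank_run": longest}
```

The padding measure is what separates this lure from a developer genuinely sharing a script: a legitimate snippet does not put dozens of empty lines between its banner and its first statement.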
APRIL 2026
100
Vulnerability
22 Apr 2026 • BleepingComputer
Debian, Fedora and Ubuntu: Critical Pack2TheRoot Vulnerability Let Attackers Gain Root Access or Compromise the System
High-Severity Linux Privilege Escalation Flaw 'Pack2TheRoot' Disclosed
Score after incident: 100 (Critical, impact 0). Incident ID: DEBUBUFED1776933436
Deutsche Telekom’s Red Team has publicly disclosed a high-severity privilege escalation vulnerability, CVE-2026-41651 (CVSS 8.8), dubbed Pack2TheRoot, affecting default installations of major Linux distributions. The flaw, in the PackageKit daemon (a widely used package management abstraction layer), allows any local unprivileged user to silently install or remove system packages without authorization, and from there to gain full root access.
The vulnerability impacts PackageKit versions 1.0.2 through 1.3.4, spanning over 12 years of releases and exposing systems across Debian, Ubuntu, Fedora, and Red Hat-based distributions, including enterprise servers running Cockpit. Confirmed vulnerable default installations include:
- Ubuntu Desktop (18.04, 24.04.4 LTS, 26.04 LTS Beta)
- Ubuntu Server (22.04, 24.04 LTS)
- Debian Desktop (Trixie 13.4)
- Rocky Linux Desktop (10.1)
- Fedora (43 Desktop and Server)
Exploitation is straightforward: an attacker with basic local access can bypass authorization controls, install malicious packages, or remove critical security components. A proof-of-concept (PoC) exists, reliably achieving root code execution in seconds, though it remains undisclosed.
The flaw was discovered during Telekom Security’s research into local privilege escalation vectors, with Claude Opus (Anthropic) assisting in the investigation starting in 2025. Findings were responsibly disclosed to PackageKit maintainers, who confirmed the issue and its exploitability.
The attack leaves detectable traces, notably PackageKit daemon crashes recorded in the journal (check with `journalctl -u packagekit`). To find the installed PackageKit version:
- Debian/Ubuntu: `dpkg -l | grep -i packagekit`
- RPM-based: `rpm -qa | grep -i packagekit`
- Daemon status: `systemctl status packagekit` or `pkmon`
Compare the result against your distribution's advisory rather than the upstream number alone: distributions backport fixes without changing the upstream version, so a 1.3.4 package can already be patched (Fedora's fix ships as PackageKit-1.3.4-3).
A patch was released in PackageKit 1.3.5 (April 22, 2026), with distribution-specific fixes available via:
- Debian: [security-tracker.debian.org](https://security-tracker.debian.org)
- Ubuntu: Launchpad CVE tracker
- Fedora: PackageKit-1.3.4-3 (via Koji)
Administrators are advised to apply updates immediately, particularly on internet-facing servers running Cockpit.
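The version checks above give a number, not a verdict. As an added example (not Telekom Security's or the PackageKit project's code), the block below turns dpkg -l / rpm -qa lines into one, treating upstream 1.0.2 through 1.3.4 as vulnerable and honouring the single distro fix the text names, Fedora's PackageKit-1.3.4-3, and it scans journal lines for the packagekitd crashes the exploit leaves behind. The distro-fix table is deliberately incomplete: Debian and Ubuntu fix releases are not in the text and must come from their trackers. The listing and journal lines in the test are constructed.

```python
"""Added example (not from Telekom Security or PackageKit): decide from
dpkg -l / rpm -qa output whether the installed PackageKit sits in the 1.0.2-1.3.4
vulnerable range, honouring distro builds that backport the fix without bumping
the upstream version (Fedora's PackageKit-1.3.4-3 per the advisory; other
distro fix releases are not known here), and pick out daemon crashes from
journal lines."""
import re
from typing import List, Optional, Tuple

VULN_MIN, VULN_MAX, UPSTREAM_FIX = (1, 0, 2), (1, 3, 4), (1, 3, 5)
# distro -> (upstream version, minimum release number) known to carry the fix.
DISTRO_FIXES = {"fedora": ((1, 3, 4), 3)}

DEB_RE = re.compile(r"^ii\s+packagekit\s+(?:\d+:)?(\d+(?:\.\d+)+)(?:-(\S+))?", re.I)
RPM_RE = re.compile(r"^PackageKit-(\d+(?:\.\d+)+)-(\S+)", re.I)
CRASH_RE = re.compile(
    r"packagekit(?:d|\.service).*?(?:dumped core|code=(?:killed|dumped)|SIG(?:SEGV|ABRT))",
    re.I)


def parse_package_line(line: str) -> Optional[Tuple[Tuple[int, ...], Optional[str]]]:
    """(upstream version tuple, distro release string) from one listing line."""
    for regex in (DEB_RE, RPM_RE):
        match = regex.match(line.strip())
        if match:
            version = tuple(int(part) for part in match.group(1).split("."))
            return version, match.group(2)
    return None


def packagekit_status(line: str, distro: str) -> str:
    """One of: not-installed, patched-upstream, patched-distro,
    vulnerable-upstream-version, below-range."""
    parsed = parse_package_line(line)
    if parsed is None:
        return "not-installed"
    version, release = parsed
    if version >= UPSTREAM_FIX:
        return "patched-upstream"
    fix = DISTRO_FIXES.get(distro.lower())
    if fix and version == fix[0] and release:
        lead = re.match(r"\d+", release)  # "3.fc43" -> 3, "2ubuntu1.2" -> 2
        if lead and int(lead.group(0)) >= fix[1]:
            return "patched-distro"
    if VULN_MIN <= version <= VULN_MAX:
        return "vulnerable-upstream-version"
    return "below-range"


def journal_crash_lines(lines: List[str]) -> List[str]:
    """Lines from `journalctl -u packagekit` (or systemd-coredump) recording a
    packagekitd crash; the advisory notes these as the trace an attempt leaves."""
    return [line for line in lines if CRASH_RE.search(line)]
```

"vulnerable-upstream-version" on Debian or Ubuntu means only that the upstream number is in range; the distro's security tracker decides whether that build already carries the backport.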
MARCH 2026
100
Ransomware
18 Mar 2026 • BleepingComputer
LeakNet: LeakNet boosts ransomware with ClickFix lures, stealthy Deno loader
LeakNet Expands Ransomware Operations with Stealthy ClickFix Lures and Deno-Based Loader
Score after incident: 100 (Critical, impact 0). Incident ID: BLE1773836674
Ransomware group LeakNet is scaling its operations by combining mass-market ClickFix social engineering lures with a Deno-based in-memory loader, reducing detection windows for defenders. While the group currently averages three victims per month, recent investments in its own delivery infrastructure signal an effort to increase that number.
### New Attack Vectors: ClickFix and Deno
Instead of relying on initial access brokers (IABs), LeakNet now runs its own campaigns, using compromised legitimate websites to host ClickFix lures: fake error messages and verification pages (e.g., spoofed Cloudflare Turnstile prompts) that trick users into executing msiexec commands. This approach lowers acquisition costs, removes the dependency on third-party access, and broadens the victim pool beyond pre-curated targets.
Once executed, the attack chain deploys a Deno-based loader that runs base64-encoded JavaScript/TypeScript directly in memory via data: URLs, leaving minimal disk artifacts. The loader, disguised with decoy script names like Romeo.ps1 and Juliet.vbs, collects host details, generates a unique victim ID, and establishes command-and-control (C2) communication through attacker-controlled infrastructure.
### Post-Exploitation Playbook
Despite evolving initial access methods, LeakNet’s post-compromise behavior remains consistent, offering defenders predictable detection opportunities:
- DLL Sideloading: A trojanized jli.dll is placed alongside a legitimate Java binary in C:\ProgramData\USOShared, mimicking normal Windows Update activity.
- Lateral Movement: After beaconing via a repeatable URL pattern, the group uses PsExec following Kerberos ticket enumeration (klist command).
- Exfiltration & C2: Malicious traffic is masked using S3 buckets and trusted cloud services, blending into expected enterprise traffic.
### Detection Opportunities
Defenders are advised to monitor for:
- msiexec commands spawned from browsers or Win+R dialogs.
- Deno executing base64 data URLs or running outside developer environments.
- java.exe loading jli.dll from C:\ProgramData\USOShared.
- PsExec usage from non-admin accounts.
- Unexpected outbound connections to S3 buckets or known C2 domains.
### Indicators of Compromise (IOCs)
ClickFix Domains (Compromised Websites):
- tools.usersway[.]net
- okobojirent[.]com
- apiclofront[.]com
- sendtokenscf[.]com
- binclloudapp[.]com
Deno C2 Domains/IPs:
- verify-safeguard[.]top
- mshealthmetrics[.]com
- cnoocim[.]com
- delhedghogeggs[.]com
- serialmenot[.]com
- crahdhduf[.]com
- 194.31.223[.]42
- 144.31.2[.]161
- 87.121.79[.]6
Sideloaded jli.dll C2 Domains:
- neremedysoft[.]com
- ndibstersoft[.]com
- windowallclean[.]com
Malicious S3 Buckets:
- fastdlvrss.s3.us-east-1.amazonaws[.]com
- backupdailyawss.s3.us-east-1.amazonaws[.]com
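The detection opportunities and the IOC lists above, expressed as rules over endpoint events, as an added example that is not part of the original research. The events are constructed dicts with Sysmon-style field names; the field names, and the choice of explorer.exe as the parent process of a Win+R launch, are assumptions of this example rather than something the research states.

```python
"""Added example (not from the LeakNet research): the detection opportunities
as rules over endpoint telemetry, plus matching against the IOC lists. Events
are constructed dicts with Sysmon-like fields; the field names and the
explorer.exe parent for Win+R launches are assumptions of this example."""
import re
from typing import Callable, Dict, List, Set, Tuple

Event = Dict[str, str]

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
WIN_R_PARENT = "explorer.exe"  # assumption: Run-dialog launches are children of explorer

# Defanged indicators copied from the text; refang before matching.
IOC_DOMAINS = ["tools.usersway[.]net", "okobojirent[.]com", "apiclofront[.]com",
               "sendtokenscf[.]com", "binclloudapp[.]com", "verify-safeguard[.]top",
               "mshealthmetrics[.]com", "cnoocim[.]com", "delhedghogeggs[.]com",
               "serialmenot[.]com", "crahdhduf[.]com", "neremedysoft[.]com",
               "ndibstersoft[.]com", "windowallclean[.]com",
               "fastdlvrss.s3.us-east-1.amazonaws[.]com",
               "backupdailyawss.s3.us-east-1.amazonaws[.]com"]
IOC_IPS = ["194.31.223[.]42", "144.31.2[.]161", "87.121.79[.]6"]


def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").lower()


IOC_SET = {refang(i) for i in IOC_DOMAINS + IOC_IPS}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_msiexec_from_user_surface(e: Event) -> bool:
    return (basename(e.get("image", "")) == "msiexec.exe"
            and basename(e.get("parent_image", "")) in BROWSERS | {WIN_R_PARENT})


def rule_deno_data_url(e: Event) -> bool:
    cmd = e.get("cmdline", "").lower()
    return basename(e.get("image", "")) == "deno.exe" and "data:" in cmd and "base64" in cmd


def rule_jli_sideload(e: Event) -> bool:
    loaded = e.get("loaded_dll", "").lower()
    return (basename(e.get("image", "")) == "java.exe"
            and basename(loaded) == "jli.dll"
            and loaded.startswith(r"c:\programdata\usoshared"))


def rule_psexec_non_admin(e: Event, admin_users: Set[str]) -> bool:
    return (basename(e.get("image", "")) in {"psexec.exe", "psexec64.exe"}
            and e.get("user", "").lower() not in admin_users)


def rule_ioc_destination(e: Event) -> bool:
    # Any S3 bucket fires here; allowlist your own buckets before deploying.
    dest = e.get("dest", "").lower()
    return dest in IOC_SET or bool(re.search(r"\.s3\.[a-z0-9-]+\.amazonaws\.com$", dest))


def evaluate(events: List[Event], admin_users: Set[str]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule that fires."""
    admins = {u.lower() for u in admin_users}
    rules: List[Tuple[str, Callable[[Event], bool]]] = [
        ("msiexec-from-browser-or-run-dialog", rule_msiexec_from_user_surface),
        ("deno-base64-data-url", rule_deno_data_url),
        ("java-jli-sideload-usoshared", rule_jli_sideload),
        ("psexec-non-admin", lambda ev: rule_psexec_non_admin(ev, admins)),
        ("ioc-or-s3-destination", rule_ioc_destination),
    ]
    return [(i, name) for i, ev in enumerate(events) for name, fn in rules if fn(ev)]
```

The jli.dll rule keys on the load path, not the DLL name, which is why a legitimate Java install under Program Files stays quiet while the USOShared copy fires.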
FEBRUARY 2026
100
JANUARY 2026
100
DECEMBER 2025
100
Vulnerability
05 Dec 2025 • BleepingComputer
Experts warn this 'worst case scenario' React vulnerability could soon be exploited - so patch now
Critical React flaw (CVE-2025-55182) enables pre-auth RCE in React Server Components
Score after incident: 100 (Critical, impact 0). Incident ID: REA1764965031
Affects versions 19.0 through 19.2.0 of the React Server Components packages, and the default configurations of frameworks and bundlers including Next, React Router and Vite's RSC plugin; patches released in 19.0.1, 19.1.2, 19.2.1
Experts warn exploitation is imminent with near 100% success rate; urgent upgrades strongly advised
React is one of the most popular JavaScript libraries and powers much of today’s internet. Researchers recently discovered a maximum-severity vulnerability in it. The bug could allow even low-skilled threat actors to achieve remote code execution (RCE) on vulnerable instances.
Earlier this week, the React team published a security advisory detailing a pre-authentication bug in multiple versions of several packages that implement React Server Components. The affected versions are 19.0, 19.1.0, 19.1.1, and 19.2.0 of react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
The bug is now tracked as CVE-2025-55182, and was given a severity score of 10/10 (critical).
Exploitation imminent - no doubt about it
The advisory notes that default configurations of multiple React frameworks and bundlers are also affected, including next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk.
Versions that have addressed the bug are 19.0.1, 19.1.2, and 19.2.1, and React urges all users to apply the fix as soon as possible. "We recommend upgrading immediately," the React team said.
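An added example, not from the React advisory, that audits a package-lock.json for the three packages and the version set the advisory names, including nested copies a framework pins under its own node_modules, and reports the fixed release for each affected minor line. It assumes the lockfile v2/v3 layout with a top-level "packages" map keyed by node_modules path; the lock content in the test is constructed.

```python
"""Added example (not from the React advisory): audit a package-lock.json for
the React Server Components packages the advisory names and report which
installed copies need which fix. Assumes lockfile v2/v3 layout (a top-level
"packages" map keyed by node_modules path)."""
import json
from typing import Dict, List, Tuple

AFFECTED_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                     "react-server-dom-turbopack"}
VULNERABLE = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}  # "19.0" in the advisory is 19.0.0
# minor line -> first fixed release
FIXED_FOR_LINE = {"19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1"}


def package_name(lock_path: str) -> str:
    """'node_modules/next/node_modules/@scope/pkg' -> '@scope/pkg'."""
    _, _, tail = lock_path.rpartition("node_modules/")
    return tail


def recommended_fix(version: str) -> str:
    line = ".".join(version.split(".")[:2])
    return FIXED_FOR_LINE.get(line, "19.2.1")  # unknown 19.x line: go to the newest fix


def find_vulnerable(lock: Dict) -> List[Tuple[str, str, str, str]]:
    """(lock path, package, installed version, fix) for each vulnerable copy,
    including nested copies a framework pins underneath its own node_modules.
    Nested copies matter: a fixed top-level package does not patch the copy
    the framework actually loads."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        name = package_name(path)
        version = meta.get("version", "")
        if name in AFFECTED_PACKAGES and version in VULNERABLE:
            hits.append((path, name, version, recommended_fix(version)))
    return sorted(hits)


def audit_file(filename: str) -> List[Tuple[str, str, str, str]]:
    with open(filename, encoding="utf-8") as fh:
        return find_vulnerable(json.load(fh))


if __name__ == "__main__":
    import sys
    for path, name, version, fix in audit_file(sys.argv[1] if len(sys.argv) > 1 else "package-lock.json"):
        print(f"{path}: {name}@{version} -> upgrade to {fix}")
```

Run it against every lockfile in a monorepo, not just the root one; the framework packages listed in the advisory frequently pin their own copy of the RSC runtime.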
According to The Register, React powers almost two in five of
DECEMBER 2025
100
Ransomware
01 Dec 2025 • BleepingComputer
PayoutsKing and QEMU: QEMU Hijacked as Stealth Backdoor for Credential Theft, Ransomware
Cybercriminals Exploit QEMU Virtual Machines for Stealthy Ransomware and Credential Theft
Score after incident: 100 (Critical, impact 0). Incident ID: BLE1776666261
Attackers are increasingly abusing QEMU, a legitimate open-source virtualization tool, to conceal malicious activities including credential theft and ransomware deployment within "invisible" virtual machines (VMs). By operating entirely inside a guest VM, threat actors evade detection from endpoint security tools on the host system, leaving minimal forensic traces while maintaining persistent access.
Recent campaigns tracked by Sophos as STAC4713 and STAC3725 demonstrate how QEMU-based VMs are weaponized as stealth backdoors. These attacks combine hidden VMs, credential harvesting, and hypervisor-focused ransomware into a repeatable playbook, marking a shift toward more sophisticated operational tactics.
### STAC4713: QEMU as a Reverse SSH Backdoor for PayoutsKing Ransomware
First observed in late 2025, the STAC4713 campaign is financially motivated and linked to the GOLD ENCOUNTER threat group, operators of PayoutsKing ransomware. Attackers deploy QEMU as a covert reverse SSH backdoor, using it to exfiltrate domain credentials before encrypting data.
Key tactics include:
- Scheduled task abuse: A task named TPMProfiler launches qemu-system-x86_64.exe under the SYSTEM account, with the VM's disk image stored under a benign-looking name (e.g., vault.db or bisrv.dll).
- Alpine Linux VM: The guest VM runs a lightweight Alpine Linux image preloaded with tools like AdaptixC2, OpenSSH, WireGuard obfuscators, BusyBox, Chisel, and Rclone for tunneling, data movement, and command-and-control (C2) communication.
- Lateral movement: Attackers interact with the Windows host to create shadow copies, extract the Active Directory database, and browse network shares, often using legitimate tools (Notepad, Paint, Edge) to blend in.
### STAC3725: Credential Theft via QEMU and CitrixBleed Exploitation
Active since early 2026, the STAC3725 campaign leverages the CitrixBleed2 vulnerability (CVE-2025-5777) in NetScaler appliances for initial access, followed by malicious ScreenConnect clients for persistence. Attackers then deploy a QEMU-based Alpine Linux VM as a dedicated attack platform for credential harvesting and Active Directory reconnaissance.
Notable techniques include:
- Manual toolkit installation: Inside the VM, attackers compile and deploy offensive frameworks, including Kerberos brute-forcing tools, BloodHound for AD mapping, and Metasploit.
- Host-level manipulation: Registry changes weaken credential protections, Defender exclusions are tampered with, and vulnerable drivers are exploited to expand access.
- Evasion tactics: The VM’s isolated environment allows attackers to operate undetected, as most security agents lack visibility into guest file systems or processes.
### Broader Implications: "Bring Your Own Hypervisor" Evasion
These campaigns reflect a growing trend where adversaries "bring their own hypervisor" to bypass host-based detections. Since security tools rarely inspect guest VM activity, QEMU becomes an ideal container for long-term access, credential theft, and ransomware staging.
Defenders are advised to monitor for:
- Unauthorized QEMU binaries or scheduled tasks running qemu-system processes as SYSTEM.
- Suspicious port forwarding to SSH or virtual disk images with unusual extensions (e.g., .db, .dll, .qcow2).
- Outbound SSH tunnels from non-standard ports and rogue remote management tools like ScreenConnect.
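An added example, not Sophos's tooling, covering the first two monitoring points: it triages an exported Task Scheduler XML for a task that runs qemu-system-*.exe as SYSTEM, pulls the disk-image and port-forwarding arguments out of the command line, and checks whether an image hiding behind a .db or .dll extension is really a VM disk by reading its magic bytes. The task XML and image file in the test are constructed; the element names follow the Task Scheduler XML schema.

```python
"""Added example (not Sophos's tooling): triage an exported Task Scheduler XML
for a task running qemu-system-*.exe as SYSTEM, and check whether the disk
image it boots is a VM image hiding behind a harmless extension."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Union

SYSTEM_SID = "S-1-5-18"
DISK_MAGIC = {b"QFI\xfb": "qcow2", b"KDMV": "vmdk",
              b"<<< Oracle VM VirtualBox Disk Image >>>": "vdi"}
EXPECTED_EXT = {".qcow2", ".qcow", ".img", ".vmdk", ".vdi", ".raw", ".iso"}
DISK_ARG_RE = re.compile(r"(?:-hd[abcd]\s+|-cdrom\s+|-drive\s+\S*?file=)\"?([^\s\",]+)", re.I)
SSH_FWD_RE = re.compile(r"hostfwd=\w*:[^:]*:\d+-:22\b", re.I)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # drop the schema namespace


def _find_text(root: ET.Element, name: str) -> Optional[str]:
    for element in root.iter():
        if _local(element.tag) == name:
            return (element.text or "").strip()
    return None


def disk_image_type(path: Path) -> Optional[str]:
    """Format detected from magic bytes, or None if the header matches nothing."""
    with path.open("rb") as fh:
        head = fh.read(64)
    for magic, fmt in DISK_MAGIC.items():
        if head.startswith(magic):
            return fmt
    return None


def triage_task(xml_data: Union[str, bytes],
                resolve: Optional[Dict[str, Path]] = None) -> Dict[str, object]:
    """Reasons a task is suspicious. Pass the raw bytes of `schtasks /query /xml`
    output so the UTF-16 declaration is honoured; `resolve` maps paths named in
    the task to local copies when analysing an export off the host."""
    root = ET.fromstring(xml_data)
    command = _find_text(root, "Command") or ""
    arguments = _find_text(root, "Arguments") or ""
    user = _find_text(root, "UserId") or ""
    reasons: List[str] = []
    exe = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe.startswith("qemu-system"):
        reasons.append("runs qemu-system")
    if user.upper() in {SYSTEM_SID, "SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        reasons.append("runs as SYSTEM")
    if SSH_FWD_RE.search(arguments):
        reasons.append("forwards a host port to guest SSH (22)")
    images = DISK_ARG_RE.findall(arguments)
    for image in images:
        ext = Path(image).suffix.lower()
        if ext not in EXPECTED_EXT:
            reasons.append(f"disk argument with non-disk extension: {image}")
        local = (resolve or {}).get(image)
        if local and local.is_file():
            fmt = disk_image_type(local)
            if fmt and ext not in EXPECTED_EXT:
                reasons.append(f"{image} is a {fmt} image despite its extension")
    return {"command": command, "user": user, "images": images, "reasons": reasons,
            "suspicious": "runs qemu-system" in reasons and len(reasons) > 1}
```

A raw image has no magic, so a miss from disk_image_type is not a clean result; the extension mismatch and the SYSTEM principal are reasons enough to pull the task and the file.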
NOVEMBER 2025
257
Ransomware
01 Nov 2025 • BleepingComputer
BleepingComputer: Ransomware roundup: November 2025
November 2025 Ransomware Attack Trends and Key Findings
Score after incident: 100 (Critical, impact -157). Incident ID: BLE1764669367
Last month, the number of ransomware attacks remained high with 659 recorded in total. This was a slight dip (-5%) from October’s total of 693.
Attacks on healthcare providers declined significantly last month, dropping by 44 percent from 57 attacks in October to 32 attacks last month. In sharp contrast, businesses operating in the healthcare sector (e.g. pharmaceutical companies, medical billing providers, and healthcare tech companies) saw the biggest increase of any sector. Here, attacks rose by 43 percent (from 14 to 20).
The manufacturing sector also saw yet another large increase (up 35 percent from 123 in October to 166 in November), as did the education sector (up 24 percent from 17 to 21).
Qilin continued to take the top spot for the number of claims (107), but Akira (100) and Clop (94) closed in on its lead throughout November. Clop attacked its victims by exploiting an Oracle zero-day vulnerability.
Key findings for November 2025:
- 659 attacks in total, 38 of them confirmed by the entity involved
- Of the 38 confirmed attacks: 22 were on businesses, 10 on government entities, 2 on healthcare companies, 4 on educational institutions
- Of the 621 unconfirmed attacks*: 544 were on businesses, 18 on government entities, 30 on healthcare companies, 17 on educational institutions
- The most prolific ransomware gangs were Qilin (107), Akira (100), and Clop (94)
- Qilin had the most confirmed attacks (5), followed by INC (3) an
OCTOBER 2025
451
Breach
19 Oct 2025 • BleepingComputer
F5
Headlines covered in this entry:
- Oracle E-Business Suite Remotely Exploitable Vulnerability (CVE-2025-61884)
- Microsoft Zero-Day Exploits (CVE-2025-24990, CVE-2025-59230, CVE-2025-47827)
- F5 Data Breach: Nation-State Attackers Stole BIG-IP Source Code
- Adobe Experience Manager 'Perfect' Vulnerability (CVE-2025-54253)
- Microsoft Revokes 200 Certificates Used for Malicious Teams Installers (Vanilla Tempest Ransomware)
- Cisco Zero-Day Rootkit Deployment on Network Switches (CVE-2025-20352)
- U.S. Seizes $15B in Bitcoin Linked to Forced-Labor Crypto Scam
- Unitree G1 Humanoid Robot Bluetooth Vulnerability (Espionage Risk)
- Healthcare Cybersecurity Breakdown: 93% of U.S. Organizations Attacked (Patient Care Disruptions)
Score after incident: 252 (Critical, impact -199). Incident ID: F50032500101925
US tech company F5 confirmed a data breach in which nation-state attackers stole the source code and vulnerability information related to its BIG-IP family of networking and security products. BIG-IP is a critical infrastructure component used by enterprises for traffic management, load balancing, and security, making this breach particularly severe. The stolen data could enable adversaries to identify and exploit undiscovered flaws in BIG-IP systems, potentially leading to supply-chain attacks, unauthorized network access, or large-scale disruptions in organizations relying on F5’s solutions. The breach underscores the escalating risks of state-sponsored cyber espionage targeting foundational IT infrastructure, with implications for global cybersecurity resilience. F5 has not disclosed whether customer data was compromised, but the theft of proprietary code and vulnerability details poses a long-term threat to its product ecosystem and the broader digital supply chain.
SEPTEMBER 2025
446
AUGUST 2025
525
JULY 2025
430
JUNE 2025
588
Ransomware
02 Jun 2025 • BleepingComputer
Ryuk, TrickBot and Conti: Conti, Trickbot cybercrime group leader unmasked
Operation Endgame: Russian National Vitaly Kovalev Accused of Leading Conti and TrickBot Ransomware Operations
Score after incident: 413 (Critical, impact -175). Incident ID: RYUBLECON1766104409
Russian National Linked to Conti and TrickBot Ransomware Operations Identified in Global Crackdown
Germany’s Federal Criminal Police Office (BKA) has accused Russian national Vitaly Nikolaevich Kovalev—also known by the alias Stern—of leading the Conti and TrickBot (Wizard Spider) ransomware operations, following a wave of disruptions under Operation Endgame, an international law enforcement initiative targeting cybercrime.
Investigations by the BKA revealed that Kovalev played a senior role in TrickBot, Ryuk, and Conti, with the TrickBot group at one point comprising over 100 members operating in a structured, profit-driven hierarchy. The exposure of TrickLeaks and ContiLeaks data earlier accelerated the dismantling of Conti, while authorities now seek information to aid in Kovalev’s arrest. He is believed to be residing in Russia, complicating extradition efforts.
This development follows U.S. sanctions imposed on Kovalev over two years ago for his involvement in the same ransomware networks. The case underscores the ongoing challenges in prosecuting high-level cybercriminals operating from jurisdictions with limited cooperation.
FEBRUARY 2025
595
Cyber Attack
01 Feb 2025 • BleepingComputer
Uranium Finance: Prank trojan in Russia, European Commission data leak, and other cybersecurity news
New Crypto-Stealing Malware Targets Android and iOS Users with Advanced Evasion Tactics
Score after incident: 574 (Critical, impact -21). Incident ID: BLE1775291298
Researchers at Kaspersky Lab have uncovered an evolved variant of the SparkCat malware, a sophisticated cryptocurrency stealer now targeting both Android and iOS users with enhanced obfuscation techniques. The threat, actively developed by a likely Chinese- or Russian-speaking operator, employs code virtualization, cross-platform programming languages, and dead-drop command-and-control (C2) infrastructure to evade detection.
### Android Variant: Multi-Layered Espionage
The Android version of SparkCat is distributed via social engineering, masquerading as cracked tools for credential checking (e.g., Netflix Hunter Combo Tool, Steam Combo Extractor). Once installed, it:
- Scans for keywords in Japanese, Korean, and Chinese, indicating a focus on Asian markets.
- Collects system data, running processes, installed apps, and screenshots.
- Steals credentials from Chromium-based browsers, crypto wallets, email clients, messengers (Telegram, Discord), and VPN apps.
- Searches photo galleries for crypto-wallet seed phrases.
- Mimics legitimate traffic by using Spotify and Chess.com profiles to hide C2 communications.
### iOS Variant: Global Threat via Seed-Phrase Theft
The iOS version bypasses regional targeting by scanning for English-language crypto-wallet mnemonic phrases, broadening its reach. Like its Android counterpart, it operates stealthily, extracting sensitive data while avoiding traditional detection methods.
### Dead-Drop C2 and Real-Time Taunting
A key innovation is the malware’s use of dead-drop resolvers, storing C2 addresses in public profiles (e.g., Chess.com’s "about" field) to rotate infrastructure dynamically. The operators also deploy a "Rofl" panel, allowing them to:
- Swap crypto-wallet addresses in the clipboard.
- Disable system tools (Task Manager, cmd.exe).
- Manipulate user interfaces (rotating screens, jittering cursors, locking input).
- Open chat dialogs to taunt victims in real time.
### Broader Cybercrime Context
The discovery coincides with other high-profile incidents:
- Jonathan Spalletta (alias Cthulhon) was charged with stealing $53M from Uranium Finance (a BNB Chain DEX) in 2021, laundering funds through mixers and DEXs.
- MaskGram stealer was found using Spotify and Chess.com profiles to hide C2 servers.
- The European Commission confirmed a data breach after a ShinyHunters attack, though operations remained unaffected.
### Impact and Evolution
SparkCat’s rapid development, cross-platform reach, and psychological manipulation tactics signal a growing threat to crypto users, gamers, and corporate targets. Its ability to blend into legitimate traffic and adapt to regional preferences underscores the sophistication of modern cybercrime operations. Researchers warn that victim numbers are expected to rise as the campaign expands.
SEPTEMBER 2023
650
Ransomware
01 Sep 2023 • BleepingComputer
Ransomware Attack on Johnson Controls
Score after incident: 515 (High, impact -135). Incident ID: BLE175111023
BleepingComputer was informed by a source that Johnson Controls was the target of a ransomware attack after attackers breached its Asian headquarters.
BleepingComputer has since learned that the company was hit by a cyberattack over the weekend, which forced it to shut down some of its IT systems.
Since then, several of its subsidiaries, including York, Simplex, and Ruskin, have begun displaying technical outage alerts on website login pages and customer portals.
A statement posted on the Simplex website says the Simplex customer portal, among other customer applications, may be restricted due to ongoing IT disruptions.
The company said it will keep customers informed as the disruptions are resolved while actively working to limit any impact on its services.
JANUARY 2019
749
Ransomware
01 Jan 2019 • BleepingComputer
GandCrab: Germany Names Suspected Leader of REvil and GandCrab Ransomware Gangs
German Authorities Identify Key Figure Behind REvil and GandCrab Ransomware Operations
Score after incident: 451 (Critical, impact -298). Incident ID: BLE1775550609
German law enforcement has linked a 31-year-old Russian national, Daniil Maksimovich Shchukin, to some of the most prolific ransomware attacks in recent years. Operating under the alias "UNKN" (or "UNKNOWN"), Shchukin is accused of leading both the GandCrab and REvil ransomware gangs, which were responsible for at least 130 cyberattacks in Germany between 2019 and 2021.
The investigation, led by Germany’s Federal Criminal Police Office (BKA), alleges that Shchukin and another suspect, Anatoly Sergeevitsch Kravchuk, extorted nearly €2 million while causing over €35 million in economic damage. Both groups pioneered the "double extortion" tactic, demanding payment for decryption keys while threatening to leak stolen data, which is now standard practice among ransomware gangs.
### From GandCrab to REvil: A Cybercrime Evolution
The GandCrab ransomware operation emerged in 2018, leveraging an affiliate model where hackers shared profits in exchange for breaching systems. By May 2019, the group claimed earnings of $2 billion before shutting down. Shortly after, REvil appeared, widely believed to be a rebrand or successor. Under Shchukin’s leadership, REvil adopted "big-game hunting" targeting large enterprises with cyber insurance, increasing the likelihood of massive payouts.
### The Industrialization of Ransomware
REvil’s operations resembled a corporate enterprise, outsourcing tasks like initial access, encryption, and money laundering to specialized actors. This underground ecosystem allowed ransomware gangs to scale rapidly, reinvest profits, and refine their tools, making attacks more sophisticated and harder to counter.
### High-Profile Attacks and Law Enforcement Crackdown
REvil gained global notoriety in 2021 after the Kaseya attack, which disrupted over 1,500 businesses worldwide. The incident marked a turning point: the FBI had already infiltrated REvil’s infrastructure but delayed action to avoid tipping off the group. Subsequent disruptions, including the release of a free decryption key, crippled REvil’s operations.
### Financial Trails and Unanswered Questions
Shchukin’s identity surfaced in a 2023 U.S. Department of Justice filing, linking him to cryptocurrency wallets holding $317,000 in illicit funds. However, German authorities believe he remains in Russia, beyond immediate extradition reach.
While the identification of a key REvil figure is a rare law enforcement victory, the ransomware ecosystem they helped build remains intact. The tactics, tools, and business models pioneered by GandCrab and REvil continue to shape modern cybercrime, underscoring the persistent threat of organized ransomware operations.