Severity: CRITICAL
CVSS: 9.5
Priority: 0.850
Executive Summary
Between May 6 and 7, 2026, attackers compromised the official JDownloader website by exploiting an unauthenticated CMS vulnerability and silently replaced the legitimate Windows and Linux installers with a Python-based remote access trojan (RAT). Any user who downloaded JDownloader during that window received malware that grants attackers full remote control of their machine. Incident responders recommend complete OS reinstallation of affected machines, making this a high-impact incident for any organization whose staff downloaded JDownloader during the exposure window.
Plain & Simple
Here’s what you need to know.
No jargon. Just the basics.
Are you affected?
Yes, if you downloaded JDownloader on May 6 or 7, 2026, you may have installed malware without knowing.
What got out
Suspected: files and passwords stored on your computer
Suspected: anything you typed or opened after installing
Suspected: access to other accounts logged in on that device
Do this now
1. Stop using the affected computer for anything sensitive until it is wiped and set up fresh.
2. Change passwords for any accounts you used on that computer, starting with email and banking.
3. Ask a trusted person or repair shop to wipe the computer completely and reinstall the operating system.
Watch for these
Unexpected logins to your email or bank from places you do not recognize.
Strange messages sent from your accounts that you did not write.
New accounts or charges you did not create.
Should you worry?
If you did not download JDownloader on May 6 or 7, you are not affected by this. If you did, the risk is serious and a full wipe is the only safe fix, but acting quickly limits the damage.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL. Critical severity — immediate action required.
Actor Attribution: HIGH. Unknown — unattributed; possible overlap with CPUID and DAEMON Tools compromises based on TTP similarity.
TTP Sophistication: HIGH. 10 MITRE ATT&CK techniques identified.
Detection Difficulty: HIGH. Multiple evasion techniques observed.
Target Scope: INFO. JDownloader Windows alternative installer and Linux shell installer, AppWork GmbH; C2 infrastructure: parkspringshotel[.]com, auraguest[.]lk, checkinnhotels[.]com.
Are You Exposed?
Heightened risk: the actor is unattributed, with possible overlap with the CPUID and DAEMON Tools compromises based on TTP similarity.
Assess exposure: you use the JDownloader Windows alternative installer or Linux shell installer.
Review detection coverage: 10 attack techniques were identified; check your coverage for these TTPs.
Reduced risk: your EDR/XDR detects the listed IOCs and TTPs.
Prepared: you have incident response procedures for this threat type.
Assessment estimated from severity rating and threat indicators.
Business Context
Any employee who downloaded JDownloader during the May 6–7 window effectively handed attackers full control of their workstation, including access to corporate credentials, files, VPN sessions, and internal systems reachable from that machine. Full OS reinstallation — not just malware removal — is required, meaning affected machines are operationally lost until rebuilt, with associated downtime and IT labor costs. If an affected machine had access to sensitive data or privileged network segments, organizations face potential data exfiltration, lateral movement, and regulatory notification obligations.
You Are Affected If
A user in your organization downloaded JDownloader from the official website (jdownloader.org) between May 6–7, 2026 using the Windows alternative installer or the Linux shell installer
The downloaded installer was executed on a Windows or Linux endpoint in your environment
The affected host had network access to internal resources, corporate credentials, or sensitive data stores at time of compromise
Outbound DNS or HTTP/S connections to parkspringshotel[.]com, auraguest[.]lk, or checkinnhotels[.]com are present in your logs
Your software download policy does not enforce installer hash verification before execution
Board Talking Points
The official JDownloader download site was weaponized for roughly 24 hours, meaning any employee who downloaded the software during that window received malware that gives attackers full control of their computer.
IT should immediately identify and rebuild any affected machines, rotate credentials from those systems, and block the attacker's known communication addresses — this week.
Organizations that do not act risk ongoing attacker access to internal systems from compromised machines, with potential for data theft, ransomware staging, or further network intrusion.
Technical Analysis
Threat actors exploited an unauthenticated access control flaw (CWE-284) in JDownloader's CMS to modify download links without requiring server-level access.
Legitimate Windows alternative and Linux shell installers were replaced with heavily obfuscated payloads delivering a Python-based remote access trojan (RAT).
The RAT provides full remote code execution (RCE) across both platforms and communicates with C2 infrastructure at parkspringshotel[.]com, auraguest[.]lk, and checkinnhotels[.]com.
No CVE has been assigned. CWE mapping: CWE-284 (unauthenticated CMS access), CWE-494 (download without integrity check). MITRE ATT&CK coverage includes T1195.002 (Compromise Software Supply Chain), T1059.006 (Python execution), T1071.001 (C2 over HTTP/S), T1027 (obfuscation), T1036.005 (masquerading), T1543.002 (systemd service persistence on Linux), T1546.004 (Unix shell profile persistence), T1548.001 (setuid/setgid abuse), T1608.001 (staged payload), and T1132 (data encoding). No patch exists; the attack vector was the distribution channel itself, not the application binary. Full OS reinstallation is required per guidance from incident response analysts. Installer integrity verification was absent, which allowed the substitution to go undetected. No CVSS vector available; severity is editorial based on supply chain scope and required OS reinstallation. Threat actor attribution is unknown.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate to executive leadership, legal counsel, and potentially relevant data protection authorities immediately if forensic analysis confirms the Python RAT achieved persistent access to hosts storing PII, PHI, financial data, or credentials with access to regulated systems, or if more than 10 internal hosts are confirmed compromised, triggering breach notification assessment under applicable regulations (GDPR 72-hour window, HIPAA 60-day window, state breach notification laws).
1. Containment: Immediately block outbound connections to parkspringshotel[.]com, auraguest[.]lk, and checkinnhotels[.]com at the perimeter firewall and DNS resolver. Isolate any host that installed JDownloader between May 6–7, 2026 from the network pending investigation.
IR Detail: Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST SI-3 (Malicious Code Protection)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 4.5 (Implement and Manage a Firewall on End-User Devices)
Compensating Control
On Windows hosts, run: netsh advfirewall firewall add rule name="Block JDL C2" dir=out action=block remoteip=<resolved IPs for parkspringshotel.com, auraguest.lk, checkinnhotels.com>. On Linux hosts: iptables -A OUTPUT -d <resolved C2 IPs> -j DROP. Block at the DNS resolver (for example an RPZ or blocklist entry that returns NXDOMAIN for the three C2 FQDNs), or sinkhole them locally by pointing each FQDN to 0.0.0.0 in /etc/hosts (Windows: C:\Windows\System32\drivers\etc\hosts). Resolve current IPs using: for d in parkspringshotel.com auraguest.lk checkinnhotels.com; do dig +short "$d"; done, and capture the results before blocking; IP-based rules go stale if the attacker re-points the domains, so the DNS-layer block is the durable one. Physically unplug the network cable or disable the Wi-Fi adapter on suspected hosts pending triage.
Preserve Evidence
Before isolating, capture a full memory image using WinPmem (Windows) or the LiME kernel module (Linux) to preserve the live RAT process tree and any in-memory Python bytecode or C2 connection state. Run netstat -anop (Linux) or netstat -ano (Windows) and record all ESTABLISHED/TIME_WAIT connections to the three C2 domains. On Linux, run ss -tunap and lsof -i to capture open sockets tied to the Python RAT process (ss -l would list only listening sockets and miss the outbound C2 connection). Capture DNS cache: ipconfig /displaydns (Windows) or, where resolver query logging is enabled, journalctl -u systemd-resolved (Linux) to confirm C2 resolution history. Document the exact JDownloader installation timestamp from file system metadata: stat ~/.local/share/applications/JDownloader* (Linux) or, in PowerShell, Get-ChildItem 'C:\Users\*\AppData\Local\JDownloader*' -Force | Select-Object FullName, CreationTime (Windows; cmd's dir cannot wildcard the user directory in the middle of a path).
2. Detection: Query EDR and endpoint logs for Python interpreter execution spawned from a JDownloader installer process, new systemd services or cron entries created around May 6–7, 2026, and outbound DNS/HTTP connections to the three identified C2 domains. Search SIEM for T1059.006 (Python script execution) events on hosts where JDownloader was recently installed. Check file integrity on Linux systems for modified shell profile files (~/.bashrc, ~/.profile, /etc/profile.d/) consistent with T1546.004.
IR Detail: Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-2 (Event Logging)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Windows (no EDR): Deploy Sysmon with the SwiftOnSecurity config; query the Microsoft-Windows-Sysmon/Operational log for Event ID 1 (Process Create) where ParentImage contains 'JDownloader' and Image ends in 'python.exe' or 'pythonw.exe'. PowerShell: Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {$_.Message -match 'python' -and $_.Message -match 'JDownloader'}. Linux (no EDR): create a reference timestamp with touch -t 202605060000 /tmp/ref_date, then run find /etc/systemd/system /etc/cron* /var/spool/cron -newer /tmp/ref_date -ls to surface new persistence entries. Check modified shell profiles with find /home \( -name '.bashrc' -o -name '.profile' \) -newer /tmp/ref_date | xargs grep -l 'python\|http\|curl\|wget' (the parentheses are required; without them -newer applies only to .profile). Use osquery: SELECT * FROM processes WHERE name LIKE '%python%' AND parent IN (SELECT pid FROM processes WHERE name LIKE '%JDownloader%'). Apply a Sigma rule for T1059.006 against syslog or auditd logs. Use Wireshark or tcpdump -i any -w capture.pcap 'host parkspringshotel.com or host auraguest.lk or host checkinnhotels.com' to capture live C2 traffic on suspected hosts; tcpdump resolves the host names once at startup, so restart the capture if the domains are re-pointed.
Preserve Evidence
Query Windows Security Event Log for Event ID 4688 (Process Creation) filtering on python.exe or pythonw.exe where the Creator Process Name includes the JDownloader install path (typically C:\Users\<user>\AppData\Local\JDownloader2\). On Linux, review auditd logs (/var/log/audit/audit.log) for execve syscalls with argv containing python initiated from JDownloader install directories (/opt/JDownloader or ~/JDownloader2/). Capture crontab -l for all users and diff against known-good baselines; list /etc/systemd/system/*.service files with creation timestamps in the May 6–7 window. Collect ~/.bashrc, ~/.profile, and all files under /etc/profile.d/ and hash them (sha256sum) for comparison against pre-compromise state or fresh install reference. Review web proxy or DNS logs for queries to parkspringshotel[.]com, auraguest[.]lk, and checkinnhotels[.]com originating from any internal host.
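The Linux persistence hunt described in this step, written out as a runnable script. This is an added example, not the page's or AppWork's tooling: it applies the same reference-date filter (find -newer) and launcher-pattern grep to shell profiles, cron files and systemd units under a root directory, so it runs unchanged against a live host (ROOT=/) or a mounted forensic image. The fixture it builds (user "alice", the ref file, the file names) is constructed sample data and an assumption for illustration.

```shell
#!/bin/sh
# hunt_persistence.sh: list the Linux persistence artifacts the Detection step describes:
# shell profiles, cron files and systemd units changed after a reference timestamp that
# launch Python or fetch from the network. Added example, not the page's or AppWork's
# tooling. Paths hang off ROOT, so the same functions run on a live host (ROOT=/) or a
# mounted forensic image; the fixture built below is constructed sample data.

LAUNCHER='python|curl|wget|https?://'     # launcher/downloader stubs (T1546.004)

# profile_hits ROOT REF: shell init files newer than REF whose content matches LAUNCHER.
# The \( ... \) grouping makes -newer apply to every name, not just the last one.
profile_hits() {
    find "$1/home" "$1/root" "$1/etc/profile.d" -type f \
        \( -name .bashrc -o -name .profile -o -name .bash_profile -o -name '*.sh' \) \
        -newer "$2" -exec grep -lE "$LAUNCHER" {} + 2>/dev/null
}

# cron_hits ROOT REF: cron entries newer than REF that run Python or fetch from the net.
cron_hits() {
    find "$1/etc/cron.d" "$1/etc/crontab" "$1/var/spool/cron" -type f \
        -newer "$2" -exec grep -lE "$LAUNCHER" {} + 2>/dev/null
}

# unit_hits ROOT REF: systemd units newer than REF whose ExecStart is a Python
# interpreter (T1543.002), system-wide or per-user under ~/.config/systemd/user.
unit_hits() {
    find "$1/etc/systemd/system" "$1/home" -type f -path '*systemd*' -name '*.service' \
        -newer "$2" -exec grep -lE '^ExecStart=.*python' {} + 2>/dev/null
}

# hunt ROOT REF: one "kind<TAB>path" line per finding, sorted; empty output means no hits.
hunt() {
    { profile_hits "$1" "$2" | awk '{ print "profile\t" $0 }'
      cron_hits    "$1" "$2" | awk '{ print "cron\t"    $0 }'
      unit_hits    "$1" "$2" | awk '{ print "unit\t"    $0 }'; } | sort
}

# build_fixture: constructed tree where a benign .bashrc predates the reference date
# and three artifacts (plus one benign unit) were written after it. Prints the root.
build_fixture() {
    r=$(mktemp -d)
    mkdir -p "$r/home/alice/.config/systemd/user" "$r/etc/systemd/system" \
             "$r/etc/cron.d" "$r/etc/profile.d" "$r/root" "$r/var/spool/cron"
    echo 'alias py=python3' > "$r/home/alice/.bashrc"      # matches LAUNCHER but is old
    touch -t 202001010000 "$r/home/alice/.bashrc"
    touch -t 202001020000 "$r/ref"                          # stand-in for /tmp/ref_date
    # written "after" the reference date: constructed samples, not real RAT artifacts
    echo 'python3 "$HOME/.cache/.u/agent.py" &' >> "$r/home/alice/.profile"
    echo '@reboot alice python3 /home/alice/.cache/.u/agent.py' > "$r/etc/cron.d/sysupdate"
    printf '[Service]\nExecStart=/usr/bin/python3 /opt/.x/agent.py\n' \
        > "$r/home/alice/.config/systemd/user/dbus-helper.service"
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' \
        > "$r/etc/systemd/system/sshd-local.service"        # new but benign: not reported
    echo "$r"
}

# Demo against the fixture; on a real case this is: hunt /mnt/evidence /tmp/ref_date
r=$(build_fixture)
hunt "$r" "$r/ref"
rm -rf "$r"
```

Every path printed is a candidate, not a verdict: hash and preserve each hit before touching it, as the Preserve Evidence step requires.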
3. Eradication: For confirmed compromised hosts, perform full OS reinstallation as recommended by incident response best practices. Do not attempt to remove only the RAT: the modular design and interconnected persistence mechanisms mean partial removal will leave attacker footholds in place. Re-download JDownloader only from the official source after confirming the site has been remediated, and verify the installer hash against the vendor's published checksums.
IR Detail: Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-6 (Configuration Settings)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 2.3 (Address Unauthorized Software)
Compensating Control
Before wiping, use WinPmem or LiME to take a final forensic image for evidence preservation (NIST 800-61r3 §3.3 evidence retention). Boot from a trusted USB OS image (e.g., System Rescue CD or Windows PE) to perform the reinstall, bypassing any bootkit persistence the modular RAT may have installed. Post-reinstall, verify the JDownloader installer hash before execution: Windows: certutil -hashfile JDownloader2Setup_x64.exe SHA256 and compare against AppWork GmbH's published checksum on their official site. Linux: sha256sum JD2_Setup_x64.sh and compare. If AppWork has not published new checksums, delay reinstallation of JDownloader until confirmed. Use a clean OS image from vendor media — do not restore from a backup taken after May 6, 2026.
Preserve Evidence
Before wiping, preserve: a full disk image using dc3dd or FTK Imager for forensic retention; a copy of all Python scripts dropped by the installer (search for .py files in %TEMP%, %APPDATA%, /tmp, /var/tmp, ~/.config, and the JDownloader install directory); any compiled Python artifacts (.pyc) that reveal RAT module names and C2 communication logic; the original trojanized installer binary (preserve hash and binary for malware analysis and law enforcement if needed); and all persistence artifacts (malicious systemd .service files, cron entries, modified shell profiles) before overwriting the disk. Document the full file tree of the JDownloader install directory with timestamps using: find /opt/JDownloader2 -type f -printf '%T+ %p\n' | sort (Linux) or dir /S /T:C "C:\Users\<user>\AppData\Local\JDownloader2" (Windows).
4. Recovery: After reinstallation, verify no persistence mechanisms remain by reviewing scheduled tasks, startup entries, systemd services, and shell profiles on rebuilt hosts. Monitor rebuilt systems for 30 days for anomalous outbound connections. Rotate credentials stored on or accessible from any affected host, including saved browser credentials and SSH keys.
IR Detail: Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST AC-2 (Account Management)
NIST IA-5 (Authenticator Management)
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 5.3 (Disable Dormant Accounts)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
Post-reinstall persistence verification: Windows: schtasks /query /fo LIST /v | findstr /i "python JDownloader" (findstr treats space-separated words as alternatives, so this matches either) and Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run, HKLM:\Software\Microsoft\Windows\CurrentVersion\Run (Get-ItemProperty lists the Run values themselves; Get-ChildItem would only list subkeys). Linux: systemctl list-unit-files --type=service --state=enabled | grep -v 'standard-package-name' and crontab -l -u <user> for each user account. For credential rotation, enumerate all SSH keys on compromised hosts: find / -name 'id_rsa' -o -name 'id_ed25519' 2>/dev/null and revoke any keys whose public counterpart appears in remote authorized_keys files. Export and review Chrome/Firefox saved passwords from the compromised profile directory before wiping; if credentials were stored, treat all associated accounts as compromised. Use Sysmon Event ID 3 (Network Connection) on rebuilt hosts for 30 days, alerting on any outbound connection to the three C2 domains or any Python process making outbound HTTP/HTTPS connections.
Preserve Evidence
Before declaring recovery complete, document: output of schtasks /query (Windows) and systemctl list-units (Linux) from the rebuilt host as a clean baseline; SHA256 hashes of newly installed JDownloader binaries from the official post-remediation source; list of all credentials rotated (account names, systems — not passwords) as an audit trail per NIST AU-11 (Audit Record Retention) requirements; network flow logs or firewall logs from the 30-day monitoring window showing zero egress to the three C2 domains. Capture browser credential store locations on rebuilt hosts to confirm no credential data was migrated from the compromised profile: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (Windows) or ~/.config/google-chrome/Default/Login Data (Linux).
5. Post-Incident: This attack exploited the absence of installer integrity verification (CWE-494). Implement software download policies requiring hash verification before execution of any installer. Evaluate whether your software allowlisting policy covers third-party download tools. Review CMS and web infrastructure for similar unauthenticated modification vulnerabilities across your managed or vendor-hosted properties.
IR Detail: Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-2 (Flaw Remediation)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST RA-3 (Risk Assessment)
NIST CM-6 (Configuration Settings)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
Compensating Control
Implement installer hash verification via policy: create a one-page SOP requiring analysts to run certutil -hashfile <installer.exe> SHA256 (Windows) or sha256sum <installer.sh> (Linux) and compare against the vendor's official checksum page before any installer is executed; enforce it through a change management ticket requirement. For software allowlisting without budget: configure Windows Software Restriction Policies (SRP) or AppLocker to block execution of unsigned Python interpreters from user-writable directories (%TEMP%, %APPDATA%, Downloads). On Linux, implement a simple pre-execution wrapper script that calls sha256sum and aborts if the hash is not in a local trusted-hashes file. Audit all managed CMS platforms (WordPress, Joomla, Drupal, etc.) for unauthenticated file modification vulnerabilities using WPScan (free) or equivalent; schedule quarterly reviews. Add JDownloader and similar third-party download utilities to your software inventory per CIS 2.1 and formally evaluate whether they are authorized.
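The Linux pre-execution wrapper described above (and the hash check the Eradication step calls for), written out as an added example that is not AppWork's or the page's own tooling: it refuses to run an installer whose SHA-256 digest is not listed in a local trusted-hashes file in sha256sum format. The installer names and the trusted-hashes location are assumptions, and the demo digests are computed from constructed files, not real JDownloader checksums.

```shell
#!/bin/sh
# verify_and_run.sh: execute an installer only if its SHA-256 digest is listed in a
# local trusted-hashes file (sha256sum format: "<hex digest>  <file name>").
# Added example for the CWE-494 control above; not AppWork's or the page's tooling.
# The installer names and the trusted-hashes path below are illustrative assumptions.

# Hex SHA-256 of a file; uses sha256sum, falling back to shasum where coreutils is absent.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_installer <installer> <trusted-hashes-file>
# Exit status: 0 digest listed, 1 digest not listed, 2 missing input. Never executes.
verify_installer() {
    inst=$1; trusted=$2
    [ -f "$inst" ]    || { echo "missing installer: $inst" >&2; return 2; }
    [ -f "$trusted" ] || { echo "missing trusted-hashes file: $trusted" >&2; return 2; }
    actual=$(file_sha256 "$inst")
    # Compare the digest column only (case-insensitive): a renamed download still
    # verifies, and a forged file name alone never does.
    if awk -v h="$actual" 'tolower($1) == tolower(h) { f = 1 } END { exit !f }' "$trusted"; then
        echo "OK        $actual  $inst"
        return 0
    fi
    echo "MISMATCH  $actual  $inst (digest not in $trusted)" >&2
    return 1
}

# run_verified <installer> <trusted-hashes-file> [installer args...]
# The only path to execution: the installer runs solely after verify_installer passes.
run_verified() {
    inst=$1; trusted=$2; shift 2
    verify_installer "$inst" "$trusted" || return $?
    sh "$inst" "$@"
}

# Demo on constructed files (the digests here are NOT real JDownloader checksums).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "installer ran"\n' > "$d/JD2_Setup_x64.sh"
    printf '#!/bin/sh\necho "tampered installer ran"\n' > "$d/JD2_Setup_x64.tampered.sh"
    # trusted.sha256 stands in for the checksum copied from the vendor's page
    printf '%s  JD2_Setup_x64.sh\n' "$(file_sha256 "$d/JD2_Setup_x64.sh")" > "$d/trusted.sha256"
    run_verified "$d/JD2_Setup_x64.sh" "$d/trusted.sha256"                       # executes
    run_verified "$d/JD2_Setup_x64.tampered.sh" "$d/trusted.sha256" || echo "refused (rc=$?)"
    rm -rf "$d"
}
demo
```

The trusted-hashes file must itself come from a channel the compromised download site cannot influence (vendor page fetched separately, or an internal list maintained by change management), otherwise the check verifies the attacker's digest.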
Preserve Evidence
Compile and preserve the full incident timeline documenting: first confirmed trojanized download timestamp (May 6, 2026), C2 domain registration and hosting metadata (WHOIS/passive DNS for parkspringshotel[.]com, auraguest[.]lk, checkinnhotels[.]com), the CMS vulnerability class exploited by attackers to replace the AppWork GmbH installers (document the specific CMS and vulnerability type once disclosed by AppWork), MITRE ATT&CK technique coverage gaps identified (T1059.006, T1546.004, T1195.002 — Supply Chain Compromise), and a list of all internal hosts that downloaded JDownloader during the May 6–7 window sourced from proxy/DNS logs. This evidence package supports lessons-learned review, potential law enforcement referral, and regulatory breach notification assessment if PII was accessible on compromised hosts.
Recovery Guidance
Reinstall only from clean OS media — do not restore from any backup image created after May 6, 2026, as backups may contain the trojanized JDownloader installer or active RAT persistence. After rebuilding, monitor all egress traffic from recovered hosts for a minimum of 30 days using firewall logs or Sysmon Event ID 3 (Network Connection), specifically alerting on any Python process initiating outbound connections or any DNS resolution of the three identified C2 domains. Treat any SSH key, browser-saved credential, or API token accessible from a confirmed compromised host as fully compromised and rotate before restoring the host to production use.
Key Forensic Artifacts
Trojanized JDownloader installer binary: preserve SHA256 hash and binary image from any host that received the May 6–7 download; compare hash against AppWork GmbH's pre-compromise installer hash to confirm tampering (T1195.002 — Supply Chain Compromise artifact).
Dropped Python RAT modules: search for .py and .pyc files in %TEMP%, %APPDATA%\Local, %APPDATA%\Roaming (Windows) and /tmp, /var/tmp, ~/.config, ~/.local/share, and the JDownloader install directory (Linux) — these files contain the modular RAT components and C2 communication logic.
Persistence artifacts specific to this RAT: malicious systemd .service files in /etc/systemd/system/ or ~/.config/systemd/user/ with creation timestamps in the May 6–7 window (Linux); modified ~/.bashrc, ~/.profile, or /etc/profile.d/*.sh files containing Python launcher stubs (T1546.004); Windows Registry Run keys or Scheduled Tasks referencing Python executables from non-standard paths.
Network forensics: PCAP captures or firewall/proxy logs showing HTTP or HTTPS C2 beaconing to parkspringshotel[.]com, auraguest[.]lk, or checkinnhotels[.]com — capture full URI paths and User-Agent strings from the RAT's C2 communication to characterize protocol and beacon interval.
Memory forensic image (WinPmem/LiME): live memory from an actively infected host will contain the Python RAT process in-memory with decrypted C2 configuration, active network socket handles, and any in-memory command execution results — critical for recovering C2 configuration that may not be present on disk.
Detection Guidance
Primary IOCs: outbound connections to parkspringshotel[.]com, auraguest[.]lk, or checkinnhotels[.]com.
Query DNS logs and proxy logs for any resolution or HTTP/S request to these domains.
In EDR telemetry, look for Python processes (python.exe on Windows, python3 on Linux) spawned by or shortly after a JDownloader installer execution between May 6-7, 2026.
On Linux, inspect /etc/systemd/system/ and user-level systemd unit directories for services created in that window (T1543.002). Check shell initialization files for appended entries (T1546.004). On Windows, review scheduled tasks and registry run keys for Python-based persistence entries. Behavioral indicators include: obfuscated Python script execution, encoded outbound payloads (T1132), and privilege escalation attempts via setuid binaries (T1548.001). YARA or file scanning should target heavily obfuscated Python scripts in temp or installer staging directories. Note: IOC confidence is based on reporting from secondary sources; if additional C2 infrastructure is identified, update firewall and DNS blocking rules accordingly.
Indicators of Compromise (3)
3 domains
Type   | Value                  | Enrichment | Context                                                                                          | Confidence
DOMAIN | parkspringshotel[.]com | VT, US     | Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers | HIGH
DOMAIN | auraguest[.]lk         | VT, US     | Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers | HIGH
DOMAIN | checkinnhotels[.]com   | VT, US     | Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers | HIGH
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
IOC Detection Queries (1)
3 domain indicator(s). Detects DNS lookups and connections.
// Threat: JDownloader Supply Chain Compromise Deploys Modular Python RAT Across Windows an
let malicious_domains = dynamic(["parkspringshotel.com", "auraguest.lk", "checkinnhotels.com"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_domains)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Falcon API IOC Import Payload (3 indicators)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days. Domain values are submitted undefanged (dots, not [.]); a defanged value would never match a real DNS lookup or connection.
[
  {
    "type": "domain",
    "value": "parkspringshotel.com",
    "source": "SCC Threat Intel",
    "description": "Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers",
    "severity": "high",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-08-09T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "auraguest.lk",
    "source": "SCC Threat Intel",
    "description": "Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers",
    "severity": "high",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-08-09T00:00:00Z"
  },
  {
    "type": "domain",
    "value": "checkinnhotels.com",
    "source": "SCC Threat Intel",
    "description": "Identified C2 infrastructure for the Python RAT delivered via compromised JDownloader installers",
    "severity": "high",
    "action": "detect",
    "platforms": ["windows", "mac", "linux"],
    "applied_globally": true,
    "expiration": "2026-08-09T00:00:00Z"
  }
]
Route 53 DNS — Malicious Domain Resolution
# CloudWatch Logs Insights over Route 53 Resolver query logs. Logged names are undefanged
# and may carry a trailing dot, so match the real domains with an optional "." suffix.
fields @timestamp, query_name, srcaddr, rcode
| filter query_name like /^(parkspringshotel\.com|auraguest\.lk|checkinnhotels\.com)\.?$/
| sort @timestamp desc
| limit 200
Compliance Framework Mappings
MITRE ATT&CK: T1546.004, T1071.001, T1548.001, T1036.005, T1059.006, T1543.002 (+4 more)
NIST SP 800-53: CM-7, SA-9, SR-3, SI-7, SI-3, SI-4 (+3 more)
MITRE ATT&CK Mapping
T1546.004 Unix Shell Configuration Modification (privilege-escalation)
T1548.001 Setuid and Setgid (privilege-escalation)
T1036.005 Match Legitimate Resource Name or Location (defense-evasion)
T1608.001 Upload Malware (resource-development)
T1132 Data Encoding (command-and-control)
T1195.002 Compromise Software Supply Chain (initial-access)
T1027 Obfuscated Files or Information (defense-evasion)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.