
Xubuntu Website Hacked to Distribute Malware

Summary

– The Xubuntu website was compromised to serve Windows malware instead of the Linux distribution, specifically a malicious ZIP file containing a suspicious executable.
– The malware is a clipboard hijacker for Windows that installs in AppData, achieves persistence via a registry key, and swaps cryptocurrency wallet addresses to redirect funds.
– Attackers may be exploiting Windows 10’s end of support, as users seek Linux alternatives for older machines unable to run Windows 11.
– Xubuntu contributors have taken down the download page and are working with Canonical to resolve the issue, planning to replace the WordPress site with a static one.
– Clean Xubuntu downloads remain available from the official Ubuntu server, and users should verify file checksums to ensure integrity and avoid tampered images.

The official website of Xubuntu, a popular community-driven Linux distribution built around the lightweight Xfce desktop, was recently compromised to distribute Windows malware. The incident highlights the persistent risks facing open-source software platforms, even those with dedicated community support: visitors attempting to download the operating system received a malicious file instead of the expected Linux installation media.

Security discussions on Reddit first brought the issue to light over the weekend. Multiple users reported that the download section was serving a file named Xubuntu-Safe-Download.zip rather than the standard torrent files. Inside this archive were two suspicious components: an executable file called TestCompany.SafeDownloader.exe and a text document labeled tos.txt. One vigilant commenter observed that the terms of service document referenced the year 2026, which immediately raised concerns since we’re currently in 2025. Further examination revealed the executable contained no legitimate torrent data when inspected with archive tools.

Security researchers who analyzed the malicious file identified it as a clipboard hijacker designed specifically for Windows systems. The malware installs itself within an AppData subdirectory and establishes persistence through a registry startup key. Its primary function is to monitor the system clipboard and, whenever a cryptocurrency wallet address is copied, silently replace it with an address controlled by the attackers, so that a payment the victim pastes is sent to the attackers’ wallet without the user’s knowledge.

Some security commentators speculate the attackers might be exploiting the recent end of support for Windows 10. Many users with older hardware incompatible with Windows 11 have been exploring Linux alternatives like Xubuntu, making this an opportune moment for such an attack. While the Xubuntu homepage remains intermittently accessible, most secondary pages continue to experience outages.

Xubuntu contributor Sean Davis confirmed the team’s awareness of the security breach. “We’re collaborating with Canonical’s infrastructure security team to address this situation,” Davis stated. “Since our team doesn’t directly manage the servers, our options are limited. We’ve removed the compromised download page and are accelerating our transition to a static site to replace our current WordPress installation.” The exact duration the website distributed malware remains unclear, though investigators confirm only the torrent download link was modified during the incident.

Legitimate Xubuntu downloads remain available through the official Ubuntu CD/ISO image servers. Security experts strongly recommend that users verify file checksums after downloading and compare them against the values provided by Canonical to ensure installation media hasn’t been altered. This verification step provides crucial protection against compromised or corrupted files.
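The verification step recommended above, written out as an added example (this is not code from the article, Canonical or the Xubuntu project). It assumes the Ubuntu convention of a `SHA256SUMS` manifest published beside the images, with one line per file in the form `<sha256> *<filename>`; the image files and manifest the script creates are constructed stand-ins so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the article or the Xubuntu project): verify a downloaded
# image against the SHA256SUMS manifest Ubuntu publishes beside its ISOs.
# Manifest lines look like "<sha256> *<filename>"; the files created below are
# constructed stand-ins so the script runs offline.

# Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image MANIFEST IMAGE
# Returns 0 on match, 1 on hash mismatch, 2 when the manifest has no entry for
# the image. A missing entry is as suspicious as a bad hash: do not install it.
verify_image() {
    manifest=$1
    image=$2
    name=$(basename "$image")
    # Ubuntu prefixes the filename with "*" (binary mode); accept either form.
    expected=$(awk -v f="$name" '$2 == "*" f || $2 == f { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "NO ENTRY: $name is not listed in $manifest" >&2
        return 2
    fi
    actual=$(sha256_of "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# --- constructed demonstration data (not real images or real checksums) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'constructed stand-in for a genuine ISO image\n' > "$demo_dir/xubuntu-sample.iso"
printf 'constructed stand-in for a file swapped in by an attacker\n' > "$demo_dir/xubuntu-tampered.iso"

# The manifest lists the genuine hash for both names: the second entry models a
# download whose content no longer matches what the publisher signed off on.
good_hash=$(sha256_of "$demo_dir/xubuntu-sample.iso")
printf '%s *xubuntu-sample.iso\n%s *xubuntu-tampered.iso\n' \
    "$good_hash" "$good_hash" > "$demo_dir/SHA256SUMS"

verify_image "$demo_dir/SHA256SUMS" "$demo_dir/xubuntu-sample.iso"             # OK
verify_image "$demo_dir/SHA256SUMS" "$demo_dir/xubuntu-tampered.iso" || true   # MISMATCH
verify_image "$demo_dir/SHA256SUMS" "$demo_dir/not-listed.iso" || true         # NO ENTRY
```

A checksum only proves the file matches the manifest, so the manifest itself must come from somewhere the attacker did not control: fetch `SHA256SUMS` and `SHA256SUMS.gpg` from the official Ubuntu release server rather than from the compromised site, and check the manifest's signature with `gpg --verify SHA256SUMS.gpg SHA256SUMS` against the Ubuntu CD image signing key before trusting any hash in it.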

(Source: HelpNet Security)
