[LUG]Fwd: Malware being hosted on xubuntu.org

To: List <list@xxxxxxxxxxxxx>

Subject: [LUG]Fwd: Malware being hosted on xubuntu.org

From: zleap via list <list@xxxxxxxxxxxxx>

Date: Sun, 19 Oct 2025 08:22:30 +0100

Delivered-to: dclug@xxxxxxxxxxxxxxxxxxxxx

Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dcglug.org.uk; s=1760519162; h=Cc:From:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Help:List-Id:Subject:Reply-To:Content-Type: Message-ID:References:In-Reply-To:To:Date:MIME-Version:Sender: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Archive; bh=OnnSC18CgWXPhBDC4lOYlidNsjB070F91wvqOWTIFQ8=; b=mYxneihZNbXwZNTp5Yv9diZUqX mPnSjn0VbLaU0NadS6IfgvjC1VuDDhSCeG3hI3XmrZjkqSGqn97jRJTCabK4TTlYv98M3GFtyW+IQ bmtyiE4/M+0kUvJTqS3jpxc08b+xYe5xx7toqi29ZO4yHVxiNoo4qti/OdUigLbh4MME=;

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=disroot.org; s=mail; t=1760858551; bh=XhHYWQ4AqpM/CzqobN6ysYLLILkFmB4Vdeh5RkiMOHo=; h=Date:From:To:Subject:In-Reply-To:References; b=CScUA6Xg7c3xliUiyPQVkWef9D9pV9TcePgXAg53U0RXIAfbrHIWIIHZJCePuggyz OQuacmOX1kY38DsugSxPtsOU15WnrfqTztpoDK48Des07rYiBr0Qpo5EI77wjuG4JQ ufOAwzhBoCo6HRDbBOHwiR/xXOBO16xLyiSOfDre0jwOYBmhRuXzC4VVT9qMHQGQa0 NFiM0auoV6tx8heBMfKh7y5x6bxawwSnUjaP/3TOwT9fOgU+CfsnuB4m44EUUFYBJi bc4lT+EPgm4n7cmhz8jhhgclADFoCWfUX9JgYEvTuRrTdN4F8DOsNBKex4Vi2AMkhN UW0Ked2AHALww==

Just seen this on the xubuntu mailing list so forwarding here to raise awareness.

Paul

-------- Original Message --------

Subject:	Malware being hosted on xubuntu.org
Date:	2025-10-19 03:05
From:	Aaron Rainbolt <arraybolt3@xxxxxxxxx>
To:	abuse@xxxxxxxxxxxxx, xubuntu-devel@xxxxxxxxxxxxxxxx
Reply-To:	Xubuntu Development Discussion <xubuntu-devel@xxxxxxxxxxxxxxxx>

xubuntu.org appears to have been compromised. The torrent download
links at https://xubuntu.org/download/ all point to a file named
"Xubuntu-Safe-Download.zip", which contains a malicious Windows
executable according to
https://www.virustotal.com/gui/file/0f59f553fcfac3cac07aa7986eac914be069a6dd407b2d9f761f11d3e865b4f6/detection.
A user on Reddit ran the executable in a sandbox; it appears to be
masquerading as a downloader for Xubuntu. See https://imgur.com/JpkTCzh.

This is right on the heels of a previous compromise (which attempted to
make Windows users download a malicious "browser update" via a
full-screen popup). I would strongly suggest taking the xubuntu.org
website offline until steps can be taken to prevent another compromise
in the near future.

Paul Sutton
https://zleap.net/

Attachment: Part 2.txt
Description: Text document

-- The Mailing List for the Devon & Cornwall LUG FAQ: https://www.dcglug.org.uk/faq/