retsl · 2 months ago
the malware's main function seems to be to check the clipboard for crypto wallet addresses and then replace them with attacker addresses:

  Bitcoin (bc1): bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v
  Litecoin (ltc1/L/M): LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH
  Ethereum (0x): 0x10A8B2e2790879FFCdE514DdE615b4732312252D
  Dogecoin (D): DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D
  Tron (T): TW93HYbyptRYsXj1rkHWyVUpps2anK12hg
  Ripple (r): r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU
  Cardano (addr1): addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw
can't guarantee it doesn't do anything else.
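As an added illustration (not part of retsl's post or of the malware analysis), here is a small Python checker written from the victim's side: it classifies clipboard text into the address families listed above by prefix and alphabet, flags any of the attacker addresses from the list, and reports the clipper signature, namely a pasted address of the same family as the one copied but with different content. The blocklist is the list above; the sample clipboard pairs in demo() are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Attacker-controlled addresses quoted in the post above, used here as a blocklist.
KNOWN_BAD = {
    "bc1qrzh7d0yy8c3arqxc23twkjujxxaxcm08uqh60v",
    "LQ4B4aJqUH92BgtDseWxiCRn45Q8eHzTkH",
    "0x10A8B2e2790879FFCdE514DdE615b4732312252D",
    "DQzrwvUJTXBxAbYiynzACLntrY4i9mMs7D",
    "TW93HYbyptRYsXj1rkHWyVUpps2anK12hg",
    "r9vQFVwRxSkpFavwA9HefPFkWaWBQxy4pU",
    "addr1q9atfml5cew4hx0z09xu7mj7fazv445z4xyr5gtqh6c9p4r6knhlf3jatwv7y72deah9un6yettg92vg8gskp04s2r2qren6tw",
}

# Shape checks per family (prefix, alphabet, length). bech32 excludes 1/b/i/o, base58 excludes
# 0/O/I/l. No checksum validation: enough to classify clipboard text, not to prove validity.
BECH32 = r"[02-9ac-hj-np-z]"
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
FAMILIES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("bitcoin",  re.compile(rf"^bc1{BECH32}{{25,87}}$")),
    ("litecoin", re.compile(rf"^(ltc1{BECH32}{{25,87}}|[LM]{BASE58}{{26,34}})$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("dogecoin", re.compile(rf"^D{BASE58}{{25,34}}$")),
    ("tron",     re.compile(rf"^T{BASE58}{{33}}$")),
    ("ripple",   re.compile(rf"^r{BASE58}{{24,34}}$")),
    ("cardano",  re.compile(rf"^addr1{BECH32}{{50,110}}$")),
]


def classify_address(text: str) -> Optional[str]:
    """Return the address family a piece of clipboard text looks like, or None."""
    s = text.strip()
    for family, pattern in FAMILIES:
        if pattern.match(s):
            return family
    return None


def find_known_bad(text: str) -> List[str]:
    """Return any blocklisted address that appears anywhere in free text (e.g. a clipboard dump)."""
    return [addr for addr in sorted(KNOWN_BAD) if addr in text]


def assess_paste(copied: str, about_to_paste: str) -> Dict[str, Optional[str]]:
    """Compare what the user copied with what the clipboard now holds.

    A clipper keeps the family and swaps the address, so "same family, different address"
    is the signature to alert on; a direct blocklist hit is reported more specifically.
    """
    src, dst = classify_address(copied), classify_address(about_to_paste)
    if about_to_paste.strip() in KNOWN_BAD:
        verdict = "known_bad"
    elif src is None and dst is None:
        verdict = "not_an_address"
    elif src == dst and copied.strip() != about_to_paste.strip():
        verdict = "swapped"
    elif src != dst:
        verdict = "family_changed"
    else:
        verdict = "ok"
    return {"copied_family": src, "pasted_family": dst, "verdict": verdict}


def demo() -> List[Dict[str, Optional[str]]]:
    """Constructed clipboard pairs; the all-zero Ethereum address stands in for a legitimate one."""
    legit = "0x" + "0" * 40
    return [
        assess_paste(legit, legit),                                            # ok
        assess_paste(legit, "0x10A8B2e2790879FFCdE514DdE615b4732312252D"),    # known_bad
        assess_paste(legit, "0x" + "1" * 40),                                  # swapped
        assess_paste("meeting notes", "meeting notes"),                        # not_an_address
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real machine the two inputs to assess_paste would be the text captured at copy time and the clipboard contents read back just before a paste; the comparison, not the blocklist, is what catches a clipper using addresses that are not yet known.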

riedel · 2 months ago
Isn't it possible to check the blockchain to see if the attacker is actually receiving money? Just curious how much money one makes with such attacks.
basilikum · 2 months ago
Here is the BTC and ETH address for convenience for anyone who wants to check:

https://mempool.space/address/bc1qrzh7d0yy8c3arqxc23twkjujxx...

https://etherscan.io/address/0x10A8B2e2790879FFCdE514DdE615b...

They are empty as of now.

gield · 2 months ago
I just checked all wallets, they're all empty with no recent transactions.
like_any_other · 2 months ago
Do browsers still let websites read the clipboard?
retsl · 2 months ago
Not without approval, see https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_A... or https://web.dev/articles/async-clipboard#security_and_permis.... But that is not relevant here.

Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.

The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.

Both stages have some limited anti-debugging and anti-VM functionality.
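Added example, not code from retsl or from the analysis: a Python audit of the HKCU Run key described above. It flags an entry whose program is the second-stage path quoted in the post, and separately flags any entry launching from a user-writable profile directory, where no installer privilege is needed to drop a file. The sample environment and Run values are constructed; the live read through winreg only works on Windows, elsewhere the constructed sample is audited.

```python
import os
import re
import sys
from typing import Dict

# Registry key and second-stage path named in the post above (values from the page).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
IOC_PATH = r"%APPDATA%\osn10963\elzvcf.exe"

# Per-user, user-writable roots: a Run entry starting a program from here deserves review.
USER_WRITABLE_VARS = ("%APPDATA%", "%LOCALAPPDATA%", "%TEMP%", "%TMP%")


def executable_of(command: str) -> str:
    r"""Extract the program path from a Run value ('"C:\x y\a.exe" /flag' or 'C:\a.exe /flag')."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references with the supplied environment; unknown names are left as-is."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)


def classify_entry(command: str, env: Dict[str, str]) -> str:
    """'ioc_match' for the quoted second stage, 'user_writable' for profile-dir launches, else 'ok'."""
    full = expand(executable_of(command), env).lower()
    if full == expand(IOC_PATH, env).lower():
        return "ioc_match"
    for var in USER_WRITABLE_VARS:
        root = expand(var, env).lower().rstrip("\\")
        if root and not root.startswith("%") and full.startswith(root + "\\"):
            return "user_writable"
    return "ok"


def audit(entries: Dict[str, str], env: Dict[str, str]) -> Dict[str, str]:
    """Verdict per Run value name."""
    return {name: classify_entry(cmd, env) for name, cmd in entries.items()}


def read_run_key() -> Dict[str, str]:
    r"""Live read of HKCU\...\Run via winreg; returns {} on non-Windows hosts."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the value index runs past the end
                break
            entries[name] = str(value)
            index += 1
    return entries


# Constructed sample: a fictitious user's environment and three Run values.
SAMPLE_ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
}
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "elzvcf": r"C:\Users\alice\AppData\Roaming\osn10963\elzvcf.exe",
    "VendorUpdater": r'"%LOCALAPPDATA%\SomeVendor\update.exe" --silent',
}


if __name__ == "__main__":
    if sys.platform == "win32":
        entries, env = read_run_key(), dict(os.environ)
    else:
        entries, env = SAMPLE_ENTRIES, SAMPLE_ENV
    for name, verdict in audit(entries, env).items():
        print(f"{verdict:14} {name}")
```

A "user_writable" verdict is a prompt to look, not a conviction: plenty of legitimate per-user software starts from %LOCALAPPDATA%. The "ioc_match" verdict is the one tied to this incident.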

integralid · 2 months ago
That's not done in the browser, malware is hidden in the Ubuntu download (but that's a rather amateurish work, image was not compromised, malware was distributed as .exe file next to it).
anonnon · 2 months ago
As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
fragmede · 2 months ago
The whole supply chain, in fact. The project's site isn't necessarily the real one. The GitHub repo it links to isn't necessarily the real one, the binaries it offers to download aren't necessarily the real one, GitHub isn't even necessarily the real one! There's currently a phishing copy of GitHub up at hxxps://git.hubp.de/ that somebody is going to fall for before it's taken down. If you want to help get it blocked, load that site up and flag it as unsafe in Chrome! (It's hilarious that the site has a Cloudflare challenge to get in, btw.)

It's a big bad dark scary Internet out there. Be careful.

bsder · 2 months ago
Let's all thank Bitcoin for making supply chain compromises worth anonymous money transfers.

crtasm · 2 months ago
There's a stickied comment on the source thread: https://old.reddit.com/r/xubuntu/comments/1oa43gt/xubuntuorg...
hamdingers · 2 months ago
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.

Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.

OsrsNeedsf2P · 2 months ago
> Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.

You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".

lioeters · 2 months ago
> looks like there was a bit of a slip-up

Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.

justin66 · 2 months ago
Mistakes were made!
sim7c00 · 2 months ago
WHOOPSY DAISY
LambdaComplex · 2 months ago
Calling this "a bit of a slip-up" while neither confirming nor denying the presence of malware is weird at best and incredibly suspicious at worst.
DoctorOetker · 2 months ago
perhaps the attacker has compromised maintainer credentials / logins?
diogenes_atx · 2 months ago
I ran the checksum for the current ISO file of the full Xubuntu desktop version on the Xubuntu website, and the checksum appears to be valid.

https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...

  [user@host]$ ls
  SHA256SUMS SHA256SUMS.gpg xubuntu-24.04.3-desktop-amd64.iso
  [user@host]$ cat SHA256SUMS
  b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf *xubuntu-24.04.3-desktop-amd64.iso
  [user@host]$ sha256sum xubuntu-24.04.3-desktop-amd64.iso
  b61e083d8a5ab003bad6ef7ea31ec21d7bfdf19b99d75987ab3fa3bbe85ec1bf xubuntu-24.04.3-desktop-amd64.iso
  [user@host]$ echo $?
  0

zvmaz · 2 months ago
From what I understood, it's the torrent link that downloads a compromised zip file rather than the authentic image:

"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."

zahlman · 2 months ago
> opened the .exe with file-roller

... This is a thing?

trebligdivad · 2 months ago
And where did you get the reference SHA256SUMS from ? Did you check the gpg signature on them against a good sig from somewhere?
ntoskrnl_exe · 2 months ago
According to the SHA256SUMS from Canonical's official download page at https://cdimage.ubuntu.com/xubuntu/releases/24.04.3/release/ that is the correct checksum.
tuhgdetzhh · 2 months ago
Good point. The checksums posted on Xubuntu.org could also be compromised.
diogenes_atx · 2 months ago
I downloaded the checksums and the ISO image from the Xubuntu website: https://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releas...

This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso

The output of the other checksum commands is shown here:

  [user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
  gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
  gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
  gpg: Can't check signature: No public key
  [user@host]$ sha256sum --check SHA256SUMS
  xubuntu-24.04.3-desktop-amd64.iso: OK

(output omitted for results of Xubuntu minimal version, which was not downloaded)

The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
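Added example, not diogenes_atx's code: a Python reimplementation of the two checks in the session above. It parses the SHA256SUMS format and compares file hashes the way sha256sum --check does, and it interprets gpg's machine-readable --status-fd output so that the "Can't check signature: No public key" result shown above counts as unverifiable rather than as a pass; only a VALIDSIG from the pinned fingerprint (the RSA key in the quoted gpg output) counts as verified. The stand-in ISO bytes and the second SHA256SUMS entry in demo() are constructed; VALIDSIG, NO_PUBKEY and BADSIG are gpg's own status tokens.

```python
import hashlib
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, Optional

# Fingerprint shown in the gpg output quoted above, used here as the pinned signing key.
PINNED_FINGERPRINT = "843938DF228D22F7B3742BC0D94AA3F0EFE21092"

# sha256sum lines: 64 hex chars, whitespace, optional '*' (binary mode), file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse SHA256SUMS text into {file name: lowercase hex digest}."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so multi-gigabyte ISOs never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sums(sums_text: str, directory: str) -> Dict[str, str]:
    """Mirror sha256sum --check: 'OK', 'FAILED' or 'MISSING' per listed file."""
    results = {}
    for name, expected in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif sha256_of(path) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def signature_verdict(gpg_status: str, pinned_fingerprint: str) -> str:
    """Classify gpg --status-fd lines; anything short of VALIDSIG from the pinned key is not a pass."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]":
            if parts[1] == "VALIDSIG":
                return "verified" if parts[2].upper() == pinned_fingerprint.upper() else "wrong_key"
            if parts[1] == "NO_PUBKEY":
                return "unverifiable"  # the "No public key" case in the session above
            if parts[1] == "BADSIG":
                return "bad_signature"
    return "unverifiable"


def verify_with_gpg(sig_path: str, sums_path: str,
                    pinned_fingerprint: str = PINNED_FINGERPRINT) -> Optional[str]:
    """Run gpg if it is installed and classify the result; None when gpg is unavailable."""
    if shutil.which("gpg") is None:
        return None
    proc = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, sums_path],
                          capture_output=True, text=True)
    return signature_verdict(proc.stdout, pinned_fingerprint)


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed run: a tiny stand-in for the ISO, a matching SHA256SUMS, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "xubuntu-24.04.3-desktop-amd64.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for the ISO bytes\n")
        sums = (f"{sha256_of(iso)} *xubuntu-24.04.3-desktop-amd64.iso\n"
                f"{'0' * 64} *constructed-minimal-stand-in.iso\n")
        before = check_sums(sums, d)
        with open(iso, "ab") as f:
            f.write(b"tampered\n")  # any change to the bytes flips the verdict
        after = check_sums(sums, d)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
    print(signature_verdict("[GNUPG:] NO_PUBKEY D94AA3F0EFE21092\n", PINNED_FINGERPRINT))
```

The hash check only proves the ISO matches the SHA256SUMS file next to it; the signature check is what ties that file to the key holder, and it needs the signing key imported first (gpg --recv-keys with the fingerprint), otherwise gpg reports exactly the "No public key" outcome shown above and nothing has been verified.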

ranger_danger · 2 months ago
how does one know any signature they find is "good"?
__turbobrew__ · 2 months ago
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
kbolino · 2 months ago
Mirrors.

Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.

normie3000 · 2 months ago
> In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing.

Is there no way a download over HTTPS can be corrupted non-maliciously, or can fail to complete?

1313ed01 · 2 months ago
What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.

Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?

ginsider_oaks · 2 months ago
if you use ublock origin you should be OK, it warns you when you try to access lubuntu.net
hu3 · 2 months ago
Indeed:

uBO has prevented the following page from loading:

"FAKElubuntu.net I wont give backlinks too"

The page was blocked because of a matching filter in uBlock filters – Badware risks.

1313ed01 · 2 months ago
What is it triggered by?

I have not used uBlock in years, since NoScript as a side-effect of not running scripts tends to block almost everything anyway (in particular ads), but maybe I should install it again after all for things like this.

bstsb · 2 months ago
that website, although unofficial, looks to be one of the many sites online that stuffs a bunch of ads on a wordpress template and links straight to the official download links after a long-winded AI article about the software

also see Bloxstrap, a popular Roblox bootstrapper - its official URL is https://bloxstraplabs.com, but many fakes rank high in SEO (bloxstrap[.]net, blxstrap[.]com, bloxstrape[.]com, bloxstrapper[.]com, bloxstraps[.]net, bloxstrapp[.]com, thebloxstrap[.]net)

currently it isn't hosting malware, but this could obviously change

Polizeiposaune · 2 months ago
oddly, the one "sus" thing flagged -- a " (C) 2026 " late in 2025 -- is consistent with practices of established book publishers.

I recall purchasing a textbook in September of year X and being surprised that it was "from the future" with a "Copyright X+1".

eth0up · 2 months ago
dominick-cc · 2 months ago
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
ants_everywhere · 2 months ago
My solution is just to uninstall the app
pluc · 2 months ago
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
layer8 · 2 months ago
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.

Also, don’t install the app? Use Sink It instead: https://gosinkit.com/

eth0up · 2 months ago
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.

Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.

Whatta world

Doohickey-d · 2 months ago
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.

Would definitely recommend.

ntoskrnl_exe · 2 months ago
Try pressing on the original link and opening it in another tab, that usually bypasses opening the app for me.
marksbrown · 2 months ago
For the moment "yesterday for old reddit" on firefox android works quite well.
benterix · 2 months ago
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that and it never occurred to me that any other option is viable.
danpalmer · 2 months ago
If you do your cryptocurrency stuff on a laptop/desktop you're probably already in the minority, most of the world only has a smartphone and will use that. If you have two computers you're in a tiny minority. If you can dedicate one computer to just doing cryptocurrency stuff you're now in a fraction of a fraction of a percent.
KronisLV · 2 months ago
Never underestimate the impact of convenience. At the same time, I'm so broke that any attackers could just look at my mostly empty wallet and weep (or do automated attacks and extract what little there is in the case of compromise).
creshal · 2 months ago
If it works with only 2-3 wallets it can be lucrative enough.
tamimio · 2 months ago
This should lead to a better checksum verification mechanism, because if you compromise the site, you can put up whatever compromised checksum as well. I think having a centralized checksum verification system for all major (or all) distributions would be a good start.
pona-a · 2 months ago
Why not even a PGP signature from the team? At least the public keys can be pinned so the possible compromise can be detected. I think Arch does something like that.