User Flags Possible Malware Incident on Xubuntu.org

posted by Rianne Schestowitz on Oct 20, 2025,
updated Oct 22, 2025

Quoting: User Flags Possible Malware Incident on Xubuntu.org —

This isn’t the kind of news I enjoy sharing, but unfortunately, it’s part of the story we have to tell. Here’s what’s going on. A Reddit user has raised a serious security concern, claiming that the official Xubuntu website may have been compromised and was briefly serving malware through its download page.

According to the post, clicking the site’s “Download” button reportedly led to a file named “Xubuntu-Safe-Download.zip”, which contained a Windows executable identified by VirusTotal as a Trojan. The malicious file appeared to masquerade as an installer and included a fake terms-of-service document to look legitimate.

Read on

Also:

• Xubuntu Website Compromised, Served Malware Downloads - OMG! Ubuntu

  Users who visited the Xubuntu website over the weekend to download the official .torrent of the Xfce-toting Ubuntu flavour instead got a xubuntu-safe-download.zip.

  When the rogue zip file was extracted it contained an .exe runtime and a ‘terms of service’ text file.

• Users beware: Xubuntu website serving malware instead of OS downloads

  Users attempting to download Xubuntu, a lightweight Linux distribution derived from Ubuntu, are reporting getting malware instead. The project’s maintainers have temporarily disabled dowloads.

  According to user reports on Reddit communities, Xubuntu’s website has likely fallen victim to hackers, who replaced torrent download links with malicious ones that serve ZIP archive with a suspicious executable.

  The executable runs fake “Xubuntu – Safe Downloader.” Dozens of security vendors already have flagged this file as a malicious trojan.

Techrights spotted and reported this ages ago.

The Register:

• Xubuntu downloads section injection threatens users with crypto infection

  The file was in a WordPress path, and the suspicious activity follows a month after a similar report that the blog section of the site had been hacked, and was serving slot-machine adverts in non-English languages.

  The issues have now been made safe, to the extent that all the sub-pages linked from the site's top bar, from "About" to "The Blog", simply yield a 503 Service Unavailable error, and the Downloads URL simply redirects back to the main page. The News section has a very dated message about Xubuntu 21.04 Testing Week – a period which was four and a half years ago.

  Downloads are still available from Canonical's own mirror server cdimage, of both the latest LTS and the current Questing release. There's no sign that ISO files themselves were affected.

See: They Should Have Listened to Techrights Over a Month Earlier (Xubuntu Site Compromised)

gHacks:

• Xubuntu's website was hacked to spread a malware, fixed now

  Xubuntu's website was the latest to fall victim to hackers. The attackers replaced the download links with a malicious one.

  For those unaware, Xubuntu is one of the official flavors of Ubuntu, i.e. a fork/derivate of the distro. The name is a portmanteau of Xfce and Ubuntu.

  Anyway, from what I can tell from user reports, the attackers replaced the download links on Xubuntu.org with a malicious one. So instead of downloading a .torrent file, it downloaded some ZIP archive that contained the malicious file.

Neowin:

• Xubuntu website compromised to deliver crypto malware to backdoored Windows 10 refugees

  Users looking to switch to GNU/Linux may have been affected by malware being distributed from the Xubuntu site after hackers compromised it to deliver crypto stealing malware.

Linux Magaxzine:

• Xubuntu Site Possibly Hacked » Linux Magazine

  From the office of "Please say this is an early April Fools joke" comes a user (onechroma) who has reported that the Xubuntu download site was serving up a malicious .zip file. After clicking the Download button on the site, the user claimed the file Xubuntu-Safe-Download.zip was offered instead of the expected ISO file. The file was flagged as a Trojan by VirusTotal.

  In the report on Reddit, onechroma states that the malicious file was a crypto clipper that was designed to hijack crypto transactions by replacing the innocent victim's wallet address with that of the attacker. Fortunately, after 12 hours, the Xubuntu team deleted the file and has temporarily disabled redirects to avoid further issues.

GoL:

• Xubuntu website hijacked to serve malware | GamingOnLinux

  Ouch, the Xubuntu website was recently hijacked and ended up serving Windows malware, and this isn't the first time the Xubuntu site was hit.