Isn't possible to check in the block chain to check if the attacker is actually receiving money? Just curious how much money ine makes with such attacks.
Instead of the .torrent files, the compromised website served a .zip file, which contained a .exe. When opened, it shows a GUI to select a Xubuntu version and a button to generate the link. When that button was clicked, the malware showed a download link to the user and, in the background, deployed a second stage to %APPDATA%\osn10963\elzvcf.exe and executed it.
The second stage monitors the clipboard for cryptocurrency addresses which it will replace with attacker-controlled ones. The second stage is also added to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ to ensure it is run whenever the user logs in.
Both stages have some limited anti-debugging and anti-VM functionality.
That's not done in the browser, malware is hidden in the Ubuntu download (but that's a rather amateurish work, image was not compromised, malware was distributed as .exe file next to it).
As soon as I saw the headline, I assumed something of this sort. Maybe it's naive, but I miss the days when you could just trust (however unfounded) open source software. I never had to hesitate before downloading a distro or a package. Now I only install something if I absolutely need it.
The whole supply chain, in fact. The project's site isn't necessarily the real one. the GitHub repo it links to isn't necessarily the real one, the binaries it offers to download aren't necessarily the real one, GitHub isn't even necessarily the real one! There's currently a phishing copy of GitHub up at hxxps://git.hubp.de/ that somebody is going to fall for before it's taken down. If you want to be help get it blocked, load that site up and flag it as unsafe in Chrome! (It's hilarious that the site has a Cloudflare challenge to get in, btw.)
It's a big bad dark scary Internet out there. Be careful.
You could argue that if not crypto, it would have been something else eventually, and that the heightened vigilance it has necessitated has made it more difficult for other motivated attackers (like state actors) to backdoor or compromise OSS. But as someone who doesn't use crypto, I completely get the "f*ck crypto" sentiment.
I don't know how familiar you are with the sheer scope of malware, black markets, data theft, various extortion techniques, but gaining the ability to drop an arbitrary .exe on Xubuntu.org and actually direct enough traffic to it that people notice it is worth a LOT more than $0.
The value of your labor is being systemically destroyed through deliberate currency manipulation by the US Federal Reserve, in conjunction with the US Government and US Treasury.
You are more than twice as productive as your equivalent 1971 counterpart, but relative to inflation, he was being paid about the same as you. You make your employer twice as much money as he did but you're not rewarded twice as much.
Five, ten, twenty years from now, when the trend that has been visible in the data since the 1970s is complete, and your labor has no value at all, are you going to be okay?
The people who spent large majorities of their income accumulating scarce stores of value (gold, bitcoin, housing, profitable businesses, land, etc) are going to be fine.
And beanie babies, right? Speculative bubbles like Bitcoin grow until there are no more greater fools to pay off the people at the top of the pyramid. Then as people realize they can't fool someone else to buy their beanie baby for more than what they paid for it, the price quickly drops to 0. Bitcoin has the added benefit that North Korea can take it from you without getting access to your closet.
> Thanks everyone. We're beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It's being worked on, but for now the Downloads page is disabled.
Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too. One does not accidentally prepare a zip file with a malicious exe and xubuntu-specific language, upload it to a server, and point a torrent link at it.
> Calling this a "slip-up" is an outrageous downplay. If anything this makes me suspicious of the moderator who posted the comment too.
You're making an assumption that this moderator is anything more than a Xubuntu enthusiast who wants to downplay outrage on Reddit. Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
I am not making any assumptions, you are failing to do research.
Start by googling the username of the account. They are the Xubuntu Marketing and Website lead. This is the domain they are responsible for and, given their long history, they should know better.
Okay, they're not getting paid. That's worse! This gives them an incentive to be the one to inject malware to steal bitcoins because they haven't been compensated for all their hard work.
So, of course, you stay far, far away from any open source software and their maintainders, since many/most of them don't get paid and are obviously nothing but one giant perverse incentive. Never use them right? Because we wouldn't want to think you're just a hypocrite dog-piling on someones bad day.
This sort of thing must risk harming Canonical's reputation, so you'd think they'd want to use whatever leverage they have to enforce better practices.
It is an official flavor[1], that is, maintained as a community effort, but endorsed by Ubuntu. The related packages are hosted in Ubuntu's universe repository[2]. There is indeed a risk of reputation damage.
>Keep in mind Xubuntu is mostly a community effort, not a large corporation with seniors who know how to handle this "best".
which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare. Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist. The people who go "I don't trust Canonical/Google" and then go download some binary blob browser fork/OS uploaded by an anonymous guy from the internet is way too large.
> Running some barely maintained operating system that is an nth-degree spin-off is like buying a pacemaker from craigslist.
If my options are between a barely maintained linux operating system which might compromise my data and a barely maintained windows operating system that is designed to compromise my data I'll take my chances with linux. At this point no one can be assured of their safety and all anyone can do is choose the lesser evil and hope for the best.
It's a stretch to call Windows a "barely maintained operating systems". Windows probably has more paid contributors to the Start menu than Ubuntu has total employees. The Windows software is generally rock solid, if frequently spammy (which an advanced Windows user can mostly fix in 30 minutes, especially in Europe).
Not a great day to try to argue how well maintained and "rock solid" windows is considering the issues it's having (see https://www.techpowerup.com/342032/windows-11-25h2-october-u...) not to mention all the other updates that've caused data loss or broken things and that's just windows 11! Just paying a bunch of people to push out updates isn't enough for a well maintained OS.
And yet that "binary blob browser fork/OS uploaded by an anonymous guy from the internet" is still more respectful to my privacy, than the average large proprietary OS. Guess which one I will be using?
> which is why the whole distro zoo and "stick it to the man" theatre has always been a nightmare.
The real obnoxiousness is that Ubuntu doesn't keep these desktop and otherwise specialized variants partially in-house like they once did. It isn't like they don't have the money or the staff. It's just not part of their world takeover plan anymore; no deviation allowed.
Just get away from Ubuntu, install Debian, and choose XFCE when installing. Please.
> It's just not part of their world takeover plan anymore
That's because they don't have a world takeover plan anymore. That plan failed, so they came up with other ones (mobile! Subscriptions!) and those failed too - so now they're just trying to survive.
I honestly prefer for Ubuntu to be just another Linux player doing what most Linux players do (i.e. looking after n.1 and focusing on internal consistency), rather than their original borg-like form that tried to co-opt the entire ecosystem. As much as I enjoy a reliable Debian-like infrastructure everywhere, there is value in the fundamental diversity of distros focused on different ways to "do Linux".
On the other hand, there are far few developers working on XFCE compared to desktop environments like KDE or gnome. The more obscure places might be better places to hide malware, nobody would notice, unlike in XUbuntu.
Indeed that is a suspicious or at least untrustworthy way to deflect the seriousness of a malware infection that potentially affects all users of an OS distribution.
Nobody has yet identified any malicious code in the repository.
How do you prove that the person hacking the website is not an associate of (or the same as) the person running the website?
If this were proprietary software then the software would be expected to die. Since this is open source, there is the option for the original project to die and for a fork to rise form the ashes.
From what I understood, it's the torrent link that downloads a compromised zip file rather then the authentic image:
"Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn't find any .torrent inside."
This url is on the main Xubuntu website, under "Xubuntu 24.04": click "Release page," then select United States. From there, you download the following files: SHA256SUMS, SHA256SUMS.gpg, xubuntu-24.04.3-desktop-amd64.iso
The output of the other checksum commands is shown here:
[user@host]$ gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS
gpg: Signature made Thu 07 Aug 2025 06:05:22 AM CDT
gpg: using RSA key 843938DF228D22F7B3742BC0D94AA3F0EFE21092
gpg: Can't check signature: No public key
[user@host]$ sha256sum --check SHA256SUMS
xubuntu-24.04.3-desktop-amd64.iso: OK
(output omitted for results of Xubuntu minimal version, which was not downloaded)
The checksum is a cryptographic hash generated from the ISO file's contents. While the checksum for a specific, unchanged ISO file is fixed, the checksum that is published on a website could be deliberately altered by an attacker to hide a modified, malicious ISO.
Generally speaking, a signature is cryptographically signed, when a checksum value is encrypted with the owners private key. The according public key should ideally be distributed in a chain-of-trust, so it can be obtained through a trusted channel.
Since the distro's site was compromised you also have to check that any keys it distributes haven't changed. And that the compromise wasn't done by a legitimate maintainer.
We are in a perpetual loop of inefficient check methods, a bunch of steps, rediscovering what a supply chain attack is, a bunch of steps and just loop back over again.
If an attacker can upload a compromised ISO I assume they can also upload a compromised checksum? In the age of https downloads — where the payload cannot be modified in transit — it never made sense to me why ISO checksums are a thing. For checksums to actually do anything there needs to be a chain of trust back to a trusted entity.
Lots of small, volunteer-run, low/zero-budget open-source projects cannot afford to pay for the server/CDN bandwidth they would need to host all their binary artifacts (ISOs, packages, etc.). They end up relying on mirrors provided for free by third parties instead. By publishing the checksums, they allow you to verify that the ISO image you downloaded from some mirror is the same one that they originally published.
TLS uses message authentication codes which should detect tampering or bit errors. In theory, a cosmic ray could hit the RAM of the device on the receiving end and bit flip after the ISO has been decrypted but still in RAM. Checksumming does not rule bit flips out though as you could checksum the ISO and the bitflip happens between then and when the ISO is actually used to install the system.
Maybe in theory you could checksum the post installed filesystem, but Im not sure if any distros actually do that or not and it would require deterministic install layouts.
It can fail mid-way of course, but it really shouldn't corrupt in any other way. HTTPS is authenticated after all and malicious manipulation is harder to defend against than accidental corruption. But this is reality and you can have bugs and errors outside the transport of course. Your file system could corrupt data, your drive could be bad etc.
For security you want signatures with a known, trusted key.
What scared me in that thread was the mention of the fake lubuntu site that is still up since someone took over the old domain last year(?). I downloaded and installed lubuntu just some week ago. Luckily I am pretty sure I downloaded it from the real site. The fake one only has downloads up to 19.04 or something.
Have not installed Lubuntu in a few years, so never noticed any of the news of the domain change and take-over. Did not really find anything more about it when searching today?
I have not used unlock in years, since NoScript as a side-effect of not running scripts tends to block almost everything anyway (in particular ads), but maybe I should install it again after all for things like this.
that website, although unofficial, looks to be one of the many sites online that stuffs a bunch of ads on a wordpress template and links straight to the official download links after a long-winded AI article about the software
also see Bloxstrap, a popular Roblox bootstrapper - its official URL is https://bloxstraplabs.com, but many fakes rank high in SEO (bloxstrap[.]net, blxstrap[.]com, bloxstrape[.]com, bloxstrapper[.]com, bloxstraps[.]net, bloxstrapp[.]com, thebloxstrap[.]net)
currently it isn't hosting malware, but this could obviously change
With these reports, I always wonder - do people really keep their software wallets on a machine they use every day? Personally I keep it on a laptop that is used just for that and it never occurred to me any other options is viable.
If you do your cryptocurrency stuff on a laptop/desktop you're probably already in the minority, most of the world only has a smartphone and will use that. If you have two computers you're in a tiny minority. If you can dedicate one computer to just doing cryptocurrency stuff you're now in a fraction of a fraction of a percent.
Never underestimated the impact of convenience. At the same time, I'm so broke that any attackers could just look at my mostly empty wallet and weep (or do automated attacks and extract what little there is in the case of compromise).
This should lead to better checksum verification mechanism, because if you compromise the site, you can put whatever compromised checksum as well. I think having a centralized checksum verification system for all major (or all) distributions would be a good start.
Thanks for this link. Opening reddit links on mobile is very frustrating for me because it opens the app and messes with the browser back button for me. Not sure if others have that problem too.
That's because you're not supposed to open reddit links anymore, you can just share your content directly with AI companies and ad brokers and cut out the middleman.
On iOS Safari, long-press the link and select Open (or Open in Background). That will open the link in the browser instead of in the app, and Safari will remember that preference for the app. Select Open in Reddit to revert.
On Android "Redreader" is the only third-party Reddit app that somehow survived the third-party-app-purge. Still free and open source, and much more pleasant than the official one.
Thanks for this, I was resorting to creating a PWA on old reddit (which has horrible ergonomics for mobile) per subreddit (you can't rename them so I remember which is which by position) thinking all the reddit clients that don't require login are gone.
I'm a grovelling Linux fiend and usually support related posts. I tried to visit the url and saw it was blocked. Didn't want the post to die so archived it asap.
Note too, that NextDNS blocks archive.is et al by default unless you manually add redirects.
I’ve noticed that even on VPNs, US exit points sometimes block archive.is. Not sure if that is DNS related or what. Non-US VPN exit points don’t seem to be blocked at those times that the site navigation fails on US ones.
I believe NextDNS is headquartered in the US, which may be related to the site nav issues we’re both experiencing.
Curiously, uBlock Origin and my blocklists seem to block content on archive.is from loading from mail.ru, which may be related to the blocks, but I have never heard anyone on HN or elsewhere mention this, so I am, so that it can be known and explained if any explanation exists for why mail.ru scripts on archive.is are present. I don’t seem to see those scripts on the Tor version of archive.today, which archive.is is a mirror of today; apparently the original domain is the .is one, in any case.
Consider my curiousity piqued!
More info about the archive.is|.today mirrors including the Tor (.onion) version of the site are on the Wikipedia entry for the site:
I mean that the page doesn’t even begin to load. I get early and often Google reCAPTCHAs on archive.is and its mirrors under normal operation over HTTPS/Tor, but I was referring to the site not loading in at all, and getting some kind of PTR/SSL error iirc when it happens, which is most/all of the time when using US VPN exit points over HTTP(S). I don’t experience these errors at all over Tor, because their Tor site doesn’t use certificates. I run HTTPS-only mode in the clearnet, so perhaps others don’t experience this issue on their machine(s), but I don’t want any kind of MITM and/or downgrade attacks to slip through the cracks, just in case.
In reality, if Microsoft Defender (Security or whatever the name is) can detect it (which does in this case), it means it is flagged on most target users' machine.
Of course, there are people who disable built-in security scanning and don't use another antivirus software, and that's on them.
But nobody wants to talk about true security. For example, why does a Python module that renders progress bars (for example) need my full trust about what it does to the rest of my system? Etc.
Jia Tan with the XZ backdoor was caught because some performance obsessed person noticed a tiny delay... I'm sure they learned their lesson and are ensuring their next backdoor doesn't impact performance.
That is the insidious question - how many parallel efforts were/are in play when xz was going down? Surely that was not the only long term plan to compromise an "unrelated" component of system security. The Jia Tan organization might have already inserted back doors into dozens of different projects by now.
Sure, but realistically, how many of us right here have state level actors in our threat models? I sure don't, because it'd be impossible to live a normal life then.
But state level actors could target you, so you should immediately abandon any hope of privacy, disable your ad blockers, stop using Signal, install Windows 11, cease any complaints about the government, and eat the bugs.
Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us. Because 1) it's unlikely, and 2) if it were true there's no change in defensive posture that would help. It's the same for most individuals when considering being targeted by state actors. Unlikely, and not defensible, so no point hand wringing.
"Nobody spends energy worrying that the universe is an evil compiler that warps reality specifically to target us"
I have not heard that specific scenario yet, but indeed quite similar ones from very depressed/mentally ill people. Basically that the whole universe was created to torture them specifically. (Probably there is even a medical term for that)
But yes, a sane person should rather be concerned to not fall scam to one of the various criminal groups. That is a real cyber threat for most people and companies.
So minding basic security helps, even if the NSA will likely get past that in no time.
Also, no state-actor would ever blow an immensely costly and rare backdoor like that on us peasants here. Even, if you would threaten to kill all the puppies. That's the sort of thing they reserve for state-level shenanigans, 100% targeting servers, infrastructure and industry, not individuals.
Though, I also doubt, they would just shelve these epic exploits, since a universal Linux backdoor likely puts themself at risk too, unless you can pull off a grand conspiracy, or deliver patched packages to your own people without questions asked. Maybe a completely locked down country like North Korea could do it. I doubt many other countries got an incentive, unless in preparation of a specific attack.
Official, popular, longstanding (20 years!) Linux distro is clearly distributing "a virus" via an official repo, with nothing about the danger on its website?
Linux mantra: Nothing wrong here, and if there is, someone will fix it eventually, probably, maybe..
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [2].
On second thought, Qubes OS does not prevent such types of malicious downloads; it can also happen to Qubes images. Verify your downloads with checksums and cryptographic signatures [1].
We should really compare it to Windows here, since that's the target. But if we do compare it to a classic Linux dist like xubuntu as baseline:
Using Qubes would limit the blast radius for a scenario like this. In QubesOS, you would use disposable VMs (with no access to your crypto wallets or other user files) to download and flash an ISO. So even if this malware was targeting Linux, it wouldn't get zit and disappear when you finish flashing and shut down that VM (as long as there isn't an unpatched exploit breaking the VM isolation involved).
Of course, if the ISO is bad then this won't save you from compromise once you boot it. But that's not what happened here.
Yes indeed. Qubes has a good article on verifying distribution images not only with checksums but also with cryptographic signatures that verify the checksum files [1].
The idea (outlined in the QubesOS documentation) is to clone the git repo of their website, verify the PGP commit signatures, then render the website yourself. Then you can be reasonably sure the website is legitimate, modulo a DoS attack stopping you from receiving updates to the website code, I suppose.
Getting the correct PGP public key appears to be an exercise left to the reader, but if you are already running e.g. Fedora, you can view the packaged QubesOS distro keys distributed by your current OS, cross-reference that with a second source such as a PGP keyserver, and unless you're being Mossaded upon you're probably good if they match.
reply