What JDownloader and Daemon Tools reveal about software distribution trust
ID: 015563d5-7729-576e-a3f2-c8d8f80ea70b
STIX ID: report--015563d5-7729-576e-a3f2-c8d8f80ea70b
Feed Name: ThreatLocker Blog
This report describes two supply-chain attacks in 2026: a 24-hour compromise of JDownloader installers via a website ACL link-swap that delivered unsigned Python RATs and persisted via a malicious root certificate, and a month-long trojanization of Daemon Tools signed installers (versions 12.5.0.2421–12.5.0.2434) that deployed multi-stage backdoors and an advanced implant (QUIC RAT) to selected high-value targets across more than 100 countries. The incidents demonstrate how trusted distribution channels and valid signatures can be abused, detail observed behaviors and affected components, and recommend Zero Trust controls (deny-by-default execution, allowlisting, ringfencing, controlled deployment) to mitigate similar supply-chain risks.
