The official website for Xubuntu, a community-maintained “flavour” of Ubuntu that ships with the Xfce desktop environment, has been compromised to serve Windows malware instead of the Linux distro.
The malicious download
Reports about a potential compromise began popping up on Reddit on Sunday, with users saying that instead of pointing to .torrent files, the download page served Xubuntu-Safe-Download.zip, containing a suspicious executable (TestCompany.SafeDownloader.exe) and a text file (tos.txt).
“The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn’t find any .torrent inside,” one of the users who raised the alarm noted.
According to commenters who have analyzed the EXE file, it is actually a clipboard hijacker (for Windows) that gets installed in an AppData subfolder and achieves persistence by setting a registry startup Run key.
Its primary goal is likely to silently replace copied cryptocurrency account addresses with ones pointing to accounts owned by the attackers.
Website compromise has been contained
Commenters have suggested that the attackers might be trying to capitalize on Windows 10 reaching end of support. Many users are not ready to part with their old machines that can’t run Windows 11 and are looking for user-friendly Linux distributions as an alternative to Microsoft’s OS.
The Xubuntu site’s main page is currently intermittently reachable, though most other pages are not.
Xubuntu contributor Sean Davis confirmed that they are aware of the problem.
“We’re working with Canonical IS to resolve. Since the servers aren’t owned by our team, there’s little we can do. We’ve since taken down the download page and will be expediting our static site development to replace our aging WordPress instance,” he said.
It’s not yet known how long the site had been serving malware, but the good news is that only the torrent download link had been modified.
Clean Xubuntu downloads are still available from the official Ubuntu CD/ISO image server. Users should verify the file’s checksum after download and compare it to the one provided by Canonical to ensure that the image hasn’t been corrupted or tampered with.
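The checksum comparison described above, as an added example that is not part of the original article or of any Xubuntu/Canonical tooling. It assumes a POSIX shell with sha256sum and awk, and a SHA256SUMS file in the usual "hash *filename" layout that Canonical publishes next to its images; the demo files, names and hashes are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the article): check a downloaded image against a
# SHA256SUMS list of the kind published alongside Ubuntu-family ISOs.
# Assumes sha256sum and awk exist and the list uses "<hash> *<filename>".

# verify_iso_checksum <image-path> <SHA256SUMS-path>
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_iso_checksum() {
    image="$1"
    sums="$2"
    name=$(basename "$image")
    # Find the expected hash for this file name; the list prefixes names
    # with '*' (binary mode), so strip an optional leading '*' before matching.
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "MISSING: $name is not listed in $sums"
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (do not use this image)"
    echo "  expected $expected"
    echo "  actual   $actual"
    return 1
}

# Constructed demo: a stand-in "image" whose SHA-256 is known (the digest of
# the bytes "hello\n"), a tampered copy, and a hand-written SHA256SUMS that
# lists both under the genuine hash. Prints "0 1 2" on the last line.
demo_checksum_verification() {
    dir=$(mktemp -d)
    printf 'hello\n'  > "$dir/xubuntu-demo.iso"
    printf 'hello!\n' > "$dir/xubuntu-tampered.iso"
    cat > "$dir/SHA256SUMS" <<'EOF'
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *xubuntu-demo.iso
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 *xubuntu-tampered.iso
EOF
    if verify_iso_checksum "$dir/xubuntu-demo.iso" "$dir/SHA256SUMS"; then ok=0; else ok=$?; fi
    if verify_iso_checksum "$dir/xubuntu-tampered.iso" "$dir/SHA256SUMS"; then bad=0; else bad=$?; fi
    if verify_iso_checksum "$dir/not-there.iso" "$dir/SHA256SUMS"; then missing=0; else missing=$?; fi
    rm -rf "$dir"
    echo "$ok $bad $missing"
}
```

A checksum list fetched from the same compromised site proves nothing on its own, so in practice also verify the signature on the SHA256SUMS file (Canonical publishes a detached SHA256SUMS.gpg; `gpg --verify SHA256SUMS.gpg SHA256SUMS` against Ubuntu's image signing key) before trusting any hash in it.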