Fake Xubuntu Installer Found Stealing Crypto on Official Website
A malicious file was discovered in the downloads section of Xubuntu.org, the official website of the Ubuntu flavour that ships the Xfce desktop environment. The counterfeit installer, presented as "Xubuntu — Safe Downloader," was built to steal cryptocurrency, although no actual theft has been confirmed so far.
The first warnings appeared on Reddit, where users noticed that the downloads page offered a suspicious ZIP archive containing an executable file and a text document outlining terms of use—curiously dated 2026.
The fake application presented itself as a “verified safe installer,” but contained several inconsistencies, including an incorrect license and multiple spelling errors.
The file was hosted within a WordPress directory, and the incident occurred roughly a month after a similar compromise in which the project’s blog was hacked to display online casino advertisements.
Following the discovery, most of the website became inaccessible: menu pages returned a 503 Service Unavailable error, and download links redirected to the homepage. Official system images for both the LTS and the current release remain available on Canonical's mirrors; as with any download, they should be checked against the SHA256SUMS file and its GPG signature published in the same release directory rather than trusted on the strength of the site that linked to them.
According to Reddit users, the malware was a crypto clipper: it dropped elzvcf.exe into the user's AppData\Roaming directory, added a registry entry so the file ran automatically at startup, and then monitored the clipboard, swapping any cryptocurrency wallet address the victim copied for one controlled by the attacker. Comments on Hacker News indicate that no financial losses have been observed.
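The two behaviours described above, a dropper under AppData\Roaming with a Run-key entry and clipboard address swapping, are what an analyst would look for on a machine that ran the fake installer. The following is an added example, not code from the article or the Xubuntu project, showing both checks over constructed input: a dictionary standing in for the values of the user's Run key (what `reg export` or `winreg` would return; reading the live registry is assumed to happen elsewhere), and a short sequence of clipboard observations. The address regexes cover common Bitcoin and EVM formats and are an assumption about what a clipper targets; the file name elzvcf.exe is the one reported on Reddit, and the other paths and addresses are made up.

```python
import re

# Run key a clipper typically writes to for per-user persistence (assumed location).
RUN_KEY_PATH = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample: value name -> command string, as a Run-key export would show them.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\elzvcf.exe"',
}

# Assumed address formats a clipper would hunt for: BTC legacy, BTC bech32, EVM (0x + 40 hex).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def extract_executable(command):
    """Return the executable path from a Run-key command, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """Flag autostart entries whose executable lives under the user's AppData\\Roaming.

    Legitimate software does install there too, so this is a triage signal, not a verdict.
    Returns a list of (value_name, executable_path).
    """
    flagged = []
    for name, command in entries.items():
        exe = extract_executable(command)
        if re.search(r"\\AppData\\Roaming\\", exe, re.IGNORECASE) or exe.upper().startswith("%APPDATA%"):
            flagged.append((name, exe))
    return flagged


def address_family(text):
    """Return the name of the first address pattern that matches, or None."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def detect_clipboard_swaps(events):
    """Detect clipper behaviour from a sequence of clipboard observations.

    events: list of (source, text) where source is "user_copy" (what the user put on the
    clipboard) or "clipboard_read" (what the clipboard held shortly afterwards).
    A swap is a user-copied wallet address that reads back as a different address.
    Returns a list of (expected, observed, family_of_expected).
    """
    swaps = []
    expected = None
    for source, text in events:
        if source == "user_copy":
            expected = text.strip()
        elif source == "clipboard_read" and expected is not None:
            observed = text.strip()
            family = address_family(expected)
            if family and observed != expected and address_family(observed):
                swaps.append((expected, observed, family))
    return swaps


# Constructed sample: the EVM address is silently replaced, the BTC address is left alone.
SAMPLE_CLIPBOARD_EVENTS = [
    ("user_copy", "Meeting at 10:00"),
    ("clipboard_read", "Meeting at 10:00"),
    ("user_copy", "0x" + "ab12" * 10),        # victim's own address (made up)
    ("clipboard_read", "0x" + "ff00" * 10),   # what is actually pasted (made up)
    ("user_copy", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ("clipboard_read", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]


if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"autostart from AppData\\Roaming: {RUN_KEY_PATH}\\{name} -> {exe}")
    for expected, observed, family in detect_clipboard_swaps(SAMPLE_CLIPBOARD_EVENTS):
        print(f"clipboard swap ({family}): {expected} became {observed}")
```

On a live system the Run-key dictionary would come from `winreg` or a `reg export`, and the clipboard observations from periodically reading the clipboard after the user copies a known address; a clipper that only rewrites addresses of a family it recognises will show up as the mismatch the second function reports, while an innocuous AppData\Roaming autostart will only be surfaced by the first.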
The Xubuntu development team explained that the issue stemmed from a failure in the hosting environment. The downloads section has been taken offline, and the project is migrating the website to a static platform to prevent similar incidents in the future.
This episode highlights the fragility of community-maintained distribution infrastructure. Unlike Ubuntu Desktop, which Canonical maintains, the official flavours such as Xubuntu, Kubuntu and Lubuntu are developed and maintained by volunteers, including their websites. For instance, the official Lubuntu.me website was created after the team lost control of the Lubuntu.net domain, as documented in a 2018 announcement and subsequent discussions on Ask Ubuntu.