Wednesday, May 7, 2025
HomeCyber Security NewsWeaponized Free Download Manager for Linux Steals System Data & Passwords 

Weaponized Free Download Manager for Linux Steals System Data & Passwords 

Published on

SIEM as a Service

Follow Us on Google News

In recent years, Linux systems gained prominence among diverse threat actors, with more than 260,000 unique samples emerging in H1 2023.

In the case of Linux, threat actors can run multiple campaigns without being detected for years, and maintain long-term existence on the compromised systems.

Cybersecurity researchers at Kaspersky Lab recently detected that threat actors are weaponizing the Free Download manager for Linux to steal system data and passwords.

- Advertisement - Google News

While investigating the suspicious domains, cybersecurity analysts uncovered a persistent and long-lasting attack. Here below, we have mentioned the set of domains analyzed by security experts-

  • 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org
  • c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org
  • 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org
  • c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org

Weaponized Free Download Manager

These domains raise alarm for security researchers, hinting at potential malware using the domain-generation algorithms for C2 communication, and that’s why analysts primarily focused on the following domain:-

  • fdmpkg[.]org

The domain under scrutiny features the “deb.fdmpkg[.]org” subdomain that leads to the following webpage:-

Weaponized Free Download Manager
Landing webpage (Source – Securelist)

The subdomain claims to host the ‘Free Download Manager’ Debian repository, but we found a malicious package at “https://deb.fdmpkg[.]org/freedownloadmanager.deb”. 

This package deploys infected scripts and creates persistence with a cron task running /var/tmp/crond every 10 minutes.

The infected package installed a January 24, 2020 version of Free Download Manager. The postinst script, in Russian and Ukrainian, references malware improvements and activist messages, with the following dates:- 

  • 20200126 (January 26, 2020)
  • 20200127 (January 27, 2020)

After installation, the package triggers /var/tmp/crond on startup via cron, serving as a self-contained backdoor using statically linked dietlibc for Linux API access. It contacts a secondary C2 server via DNS request to <hex-encoded 20-byte string>.u.fdmpkg[.]org.

Now after parsing the DNS response, the backdoor establishes a reverse shell via SSL or TCP with the secondary C2 server, using /var/tmp/bs for SSL or self-made for TCP.

Discovering the crond backdoor’s reverse shell, experts tested it in a malware analysis sandbox, finding it delivered a Bash stealer. This stealer gathers system info like:-

  • Browsing history
  • Saved passwords
  • Crypto wallet files
  • Cloud service credentials

Here below we have mentioned the cloud services that are targeted primarily:-

  • AWS
  • Google Cloud
  • Oracle Cloud Infrastructure
  • Azure

The stealer retrieves an uploader binary from the C2 server, stores it in /var/tmp/atd, and employs it to send stolen data to the infrastructure that is under the control of attackers.

Weaponized Free Download Manager
Infection chain (Source – Securelist)

Origins

Moreover, security analysts found Linux installation tutorials for Free Download Manager on YouTube videos.

After tracing the Free Download Manager package’s infection source, researchers linked the discovered implants to Bew backdoor and Exim mail server vulnerability.

Despite the malware’s long history and noisy implants, the malicious Free Download Manager package went undetected for over three years, affecting victims worldwide.

However, besides this, it’s been confirmed by the security analysts that this campaign is inactive at the moment, but, recommended users to equip their Linux machines with robust security solutions.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector...

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its...

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect...