Someone managed to insert a compromised file into the downloads section of the website for Xubuntu, the official Ubuntu flavor with the Xfce desktop environment. The malware was designed to steal cryptocurrency, but so far, there are no reports of actual theft.
Investigations are continuing, but over the weekend, there were several Reddit reports, such as this one in the Xubuntu subreddit, that the downloads page on the main Xubuntu.org site had been compromised:
Torrent downloads over at https://xubuntu.org/download/ are serving a zip file with a suspicious exe and a tos.txt inside. The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn’t find any .torrent inside.
The Windows app called itself “Xubuntu — Safe Downloader” and claimed to be:
© 2025 Test Company — All rights reserved.Verified Safe Installer
It had the latter phrase in green, with no space following the period, and none on the end. Also, it referred to the wrong software license. Such details are suspicious to clueful techies, but are invisible to non-technical folks. One of this vulture’s cousins recently lost her Facebook account to a transparently bad spam email with similar errors.
The file was in a WordPress path, and the suspicious activity follows a month after a similar report that the blog section of the site had been hacked, and was serving slot-machine adverts in non-English languages.
The issues have now been made safe, to the extent that all the sub-pages linked from the site’s top bar, from “About” to “The Blog”, simply yield a 503 Service Unavailable error, and the Downloads URL simply redirects back to the main page. The News section has a very dated message about Xubuntu 21.04 Testing Week – a period which was four and a half years ago.
Downloads are still available from Canonical’s own mirror server cdimage, of both the latest LTS and the current Questing release. There’s no sign that ISO files themselves were affected.
The malware itself was described in another Reddit report as a “crypto clipper”:
About the malware, it seems to be a Crypto Clipper. When you launch it and click “Generate Download Link”, it saves “elzvcf.exe” to AppData Roaming, and configures a registry key to get persistence and startup run.
This program looks for cryptocurrency IDs in the user’s clipboard, and if it finds any, it replaces them with what are presumably the hackers’ own. On the bright side, the avid investigators of Hacker News say that nobody lost any money.
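A defender-side check for the persistence pattern in the report above, added here as an example (not code from the article, the Reddit posters or the Xubuntu project): it flags autorun entries that launch the named file, or any executable sitting directly in the AppData Roaming root. The Run key path, the sample entries and the Roaming-root heuristic are assumptions; the report names only the file and says "a registry key".

```python
import ntpath
import re

IOC_NAMES = {"elzvcf.exe"}  # file name given in the Reddit report quoted above
# Assumption: the report does not name the registry key; this is the usual per-user one.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample entries (value name, command line), not data from the incident.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\elzvcf.exe"),
    ("Helper", r'"C:\Users\alice\AppData\Roaming\Vendor App\helper.exe" --tray'),
    ("Sync", r'"%APPDATA%\qwrtpl.exe" -s'),
]

def exe_path(command):
    """Pull the executable path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command.split(" ")[0]

def classify(command):
    """'ioc' for the named file, 'suspicious' for any .exe in the Roaming root, else 'ok'."""
    parts = ntpath.normpath(exe_path(command)).lower().split("\\")
    if parts[-1] in IOC_NAMES:
        return "ioc"
    # Generalisation beyond the report: no vendor folder between Roaming and the .exe.
    in_roaming_root = parts[-3:-1] == ["appdata", "roaming"] or parts[-2:-1] == ["%appdata%"]
    return "suspicious" if in_roaming_root and parts[-1].endswith(".exe") else "ok"

def scan(entries):
    """Return (value name, verdict) for every entry that is not 'ok'."""
    verdicts = [(name, classify(str(command))) for name, command in entries]
    return [(name, verdict) for name, verdict in verdicts if verdict != "ok"]

def read_hkcu_run():
    """Windows only: list (name, command) values of the current user's Run key."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        return [winreg.EnumValue(key, i)[:2] for i in range(count)]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_RUN_ENTRIES):
        print(f"{verdict:10} {name}")
```

On a Windows machine, `scan(read_hkcu_run())` applies the same checks to the live key instead of the constructed sample.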
This latest security issue is a sobering reminder that only Ubuntu Desktop, meaning the GNOME version, is an official Canonical product. The company’s sole paid developer of any of the remixes worked on Kubuntu and was reassigned to other duties in 2012. As we regularly point out, this also means that only the GNOME edition gets the full LTS five-year standard support period. The corresponding versions with other desktops typically only get three years.
All the other Ubuntu flavors are community projects run by small teams of volunteers – and that includes the project’s own websites. It could be worse: the official homepage for Lubuntu is https://lubuntu.me/, as the developers lost control of https://lubuntu.net/. As a 2018 update said:
Lubuntu.net is no longer under the control of the Lubuntu project (we can’t say more at this time except that we are in no way affiliated with FOSSASIA)
For the curious, there’s a little more history on Ask Ubuntu.
So far, the only official comment we can find is also on Reddit:
Thanks everyone. We’re beholden to our hosting environment for upgrades and it looks like there was a bit of a slip-up here. It’s being worked on, but for now the Downloads page is disabled.
We’re in the process of migrating to a static environment which should make things like this a thing of the past, but our team is quite small and busy. We’re always happy to bring on new contributors, please get in touch if you’re interested! https://xubuntu.org/contribute/
It’s unfortunate, even if it looks like nobody got their Dunning-Krugerrands stolen. We rather like Xubuntu, and have for a long time, going back a decade. ®