Xubuntu website hacked to serve Windows malware

The official Xubuntu website has been compromised, redirecting torrent downloads to a malicious zip file containing Windows malware. The attack was discovered through user reports on Reddit, prompting the team to take down the affected page. Xubuntu contributors are collaborating with Canonical to resolve the issue.

Xubuntu, a community-maintained variant of Ubuntu featuring the Xfce desktop environment, saw its official site at xubuntu.org hacked to deliver Windows-specific malware. Reports emerged on Reddit on Sunday, October 20, 2025, when users noticed that the download page no longer linked to .torrent files but instead offered Xubuntu-Safe-Download.zip. This file included a suspicious executable named TestCompany.SafeDownloader.exe and a text file called tos.txt.

One Reddit user highlighted red flags: “The TOS starts with Copyright (c) 2026 Xubuntu.org which is sus, because it is 2025. I opened the .exe with file-roller and couldn’t find any .torrent inside.” Analysis by commenters revealed the executable as a clipboard hijacker for Windows, which installs in an AppData subfolder and achieves persistence through a registry startup run key. Its main function appears to be swapping copied cryptocurrency links with those controlled by attackers.

This incident follows a prior compromise in September 2025, when the Xubuntu blog briefly displayed slot machine advertisements. The timing aligns with Windows 10 reaching end-of-support on October 14, 2025, potentially targeting users migrating to Linux alternatives like Xubuntu on older hardware unable to run Windows 11.

Xubuntu contributor Sean Davis confirmed the breach on Mastodon: “It is. We’re working with Canonical IS to resolve. Since the servers aren’t owned by our team, there’s little we can do. We’ve since taken down the download page and will be expediting our static site development to replace our aging WordPress instance.” Currently, the site's main page is intermittently accessible, while most other pages return errors. Only the torrent download link was altered; clean Xubuntu images remain available from the official Ubuntu CD/ISO server. Users are advised to verify downloaded files' checksums against those provided by Canonical to ensure integrity.
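The checksum check advised above, as an added example that is not part of the original article: it parses a `SHA256SUMS` file in the format `sha256sum` emits and treats a file that is not listed, such as a .zip offered in place of the ISO, as a failure. The file name and contents are constructed; fetch the real `SHA256SUMS` from the Ubuntu image server, not from the page that served the download.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One sha256sum-style line: 64 hex chars, a space, ' ' (text) or '*' (binary), filename.
SUM_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_sums(text):
    """Map filename -> lowercase digest; reject any line that is not a checksum entry."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SUM_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[m.group(2)] = m.group(1).lower()
    return sums

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()

def verify_download(path, sums_text):
    """True only if the file's name is listed and its SHA-256 matches."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False  # not a published image, e.g. a .zip offered in place of the ISO
    return hmac.compare_digest(sha256_file(path), expected)

if __name__ == "__main__":
    # Constructed stand-in for an ISO and its SHA256SUMS entry (not real release data).
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-desktop-amd64.iso")
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes")
        sums = f"{sha256_file(iso)} *example-desktop-amd64.iso\n"
        print("untouched:", verify_download(iso, sums))
        with open(iso, "ab") as f:
            f.write(b"!")  # simulate a modified download
        print("modified: ", verify_download(iso, sums))
```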