https://www.ghacks.net/2025/10/20/xubuntus-website-was-hacked-to-spread-a-malware-fixed-now/
TLDR; the Xubuntu website was hacked to serve malicious files to Windows users. Below are some relevant excerpts from the linked ghacks article.
Additionally I wanted to link this YouTube video which covers the topic well for those who don’t want to read the article.
For those unaware, Xubuntu is one of the official flavors of Ubuntu, i.e. a fork/derivate of the distro. The name is a portmanteau of Xfce and Ubuntu.
Anyway, from what I can tell from user reports, the attackers replaced the download links on Xubuntu.org with a malicious one. So instead of downloading a .torrent file, it downloaded some ZIP archive that contained the malicious file.
Here’s the VirusTotal link for the malware. The file was called “TestCompany.SafeDownloader.exe”. It is flagged by 26/72 security vendors as malicious. Users who inspected the malware say it is a Crypto Clipper. It’s not a crypto miner, it’s essentially a clipboard hijacking malware that targets cryptocurrencies.
It seems that only Xubuntu’s website was compromised, some users say that the torrents and releases/mirrors themselves do not appear to have been affected by the issue. Nevertheless, you should probably verify your downloads using the checksums provided by the developers.
A comment from Xubuntu’s team says that there was some sort of slip-up in their hosting environment, […].
Xubuntu seems to have restored an older version of its download page, because it shows Xubuntu 24.04 from April 2024, instead of Xubuntu 25.10 based on Ubuntu 25.10 Questing Quokka, and blog articles from 2021. And the download button doesn’t seem to work either. They are likely in damage control mode.
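An added example (not from the ghacks article or the Xubuntu project) of the checksum verification recommended above: it checks a download against a coreutils-style SHA256SUMS manifest and rejects any file the manifest does not list, which is what a ZIP substituted for the expected image would be. The file names and contents are constructed, and it assumes the manifest was obtained from a source independent of the compromised download page.

```python
import hashlib, hmac, os, string, tempfile

def parse_sha256sums(text):
    """Parse '<64 hex><space><space or *><filename>' lines into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        digest, _, rest = line.strip().partition(" ")
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if len(digest) == 64 and all(c in string.hexdigits for c in digest) and name:
            entries[name] = digest.lower()
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so multi-gigabyte images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_download(path, manifest_text):
    """Return 'ok', 'mismatch', or 'unlisted' (file name absent from the manifest)."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Run the check on constructed files: genuine, modified, and swapped-in ZIP."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "example-desktop-amd64.iso")  # constructed name
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes")
        manifest = f"{sha256_file(iso)} *example-desktop-amd64.iso\n"
        results = {"genuine": verify_download(iso, manifest)}
        with open(iso, "ab") as f:  # simulate a modified image
            f.write(b"!")
        results["tampered"] = verify_download(iso, manifest)
        swapped = os.path.join(d, "example-download.zip")  # constructed name
        with open(swapped, "wb") as f:
            f.write(b"PK constructed archive")
        results["swapped"] = verify_download(swapped, manifest)
        return results

if __name__ == "__main__":
    print(demo())
```

A manifest served from the same compromised page proves nothing on its own, so check its detached signature first where the project publishes one.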