
Wii U emulator Cemu 2.6 for Linux was compromised by a Russian threat actor for a week
Between May 6 and May 12, malware was inserted into the Cemu 2.6 AppImage and Ubuntu zip release assets on GitHub by a pro-Russian threat actor. The compromised files, Cemu-2.6-x86_64.AppImage and cemu-2.6-ubuntu-22.04-x64.zip, affected only users who downloaded them from GitHub or through third-party launchers during this period.
Following these events, the official releases have now been restored to their original, uncompromised versions. Users on Windows, macOS, or running the Flatpak package are not impacted by this incident.
For those who obtained or ran the affected Linux binaries between May 6 and May 12, action is required. The risk of immediate harm is lower if the program was only run once, but users should still treat their systems as compromised. Notably, if a machine's locale is Russian, the malware remains inactive.
As the full functionality of the malware remains undetermined, a clean operating system install is recommended. At a minimum, delete the compromised binaries and reset all passwords, GitHub tokens, SSH keys, and any other credentials, as the malware includes a sophisticated credential-stealing component aimed at programming and cloud accounts. Blocking traffic to the IP address 83.142.209.194 may also mitigate some threat activity, because the malware uses it as a hardcoded remote endpoint. On systems set to an Israeli locale and timezone, there is a 1 in 6 chance the malware will play a loud siren and attempt to erase all files with the command rm -rf /.
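The following POSIX shell triage helper is an added example and is not part of the article or the Cemu project. It takes only what the article states (the two compromised asset names and the hardcoded endpoint 83.142.209.194) and turns the "delete the binaries, block the IP" advice into something an administrator can run on a Linux host: it locates files by the compromised names under given directories, prints (rather than applies) an nftables ruleset for the endpoint so it can be reviewed first, and filters connection or log text for the endpoint. The search roots, the nftables table name and the use of nftables itself are choices made here; because the article publishes no file hashes, a name match is a lead to investigate, not proof that the copy is the trojanized one.

```shell
#!/bin/sh
# Added example, not the article's or Cemu's code.
# Facts taken from the article: the two asset names and the endpoint IP.
# Assumptions made here: search roots, nftables as the firewall backend.

COMPROMISED_IP="83.142.209.194"
COMPROMISED_NAMES="Cemu-2.6-x86_64.AppImage cemu-2.6-ubuntu-22.04-x64.zip"

# Print every regular file under the given roots whose basename matches one of
# the compromised asset names. Name-only matching: the article gives no hashes,
# so treat a hit as something to investigate and remove, not as a verdict.
find_suspect_artifacts() {
    for name in $COMPROMISED_NAMES; do
        find "$@" -type f -name "$name" 2>/dev/null
    done
}

# Number of matching files under the given roots (quick yes/no for scripts).
count_suspect_artifacts() {
    find_suspect_artifacts "$@" | wc -l | tr -d ' '
}

# Emit an nftables ruleset that drops traffic to and from the hardcoded
# endpoint. It is printed, not loaded, so an operator can review it and then
# apply it with: block_rules | nft -f -
block_rules() {
    cat <<EOF
table inet cemu_incident {
    chain output {
        type filter hook output priority 0; policy accept;
        ip daddr $COMPROMISED_IP counter drop
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr $COMPROMISED_IP counter drop
    }
}
EOF
}

# Filter stdin (e.g. output of `ss -tn`, proxy or firewall logs) for lines that
# mention the endpoint. Fixed-string match so the dots are not regex wildcards.
grep_endpoint() {
    grep -F "$COMPROMISED_IP"
}

# Stand-alone use: ./cemu_triage.sh --scan [root ...]
# Prints suspect files under the roots (default: $HOME) and the proposed rules.
if [ "${1:-}" = "--scan" ]; then
    shift
    find_suspect_artifacts "${@:-$HOME}"
    block_rules
fi
```

Run it as `sh cemu_triage.sh --scan "$HOME" /opt` to list matches and the proposed ruleset, or source it and feed `ss -tn | grep_endpoint` into a check that runs periodically while the credential rotation described above is still in progress. Deletion is left to the operator on purpose: the matched paths should be preserved or hashed first if the machine is going to be investigated before it is reinstalled.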

Comments
It's so cheap. Just because someone is using Russian words and locale and using a Ukrainian VPN, it doesn't mean they are Russian.
Ukraine is to blame? Lol. Ukraine is one of the most targeted by hackers countries in the world; according to Microsoft, in 2024 Ukraine was the number 1 most targeted country in the world, while Russia is known to have several state-sponsored hacker groups and attacks its geopolitical opponents regularly.
But somehow you made Ukraine guilty. Are your 15 rubles even worth it nowadays to post this nonsense?
The malware is set to ignore Russian locale. Hmm yeah, I wonder who the attacker could be... 🤔
Certain countries were already caught red-handed doing this kind of bookmarks.
I don't have a strong background in GNU/Linux, so I'm curious if using the infected AppImage via Firejail would have been any protection? I know good users are supposed to stick to our distro's repos, but so many useful tools are hosted on GitHub.