Cemu Emulator Compromised with Malware in Linux Downloads

Severity: High (Score: 71.0)

Sources: rentry.org, Gamingonlinux

Summary

The Cemu emulator version 2.6 was compromised between May 6 and May 12, 2026, by a pro-Russian threat actor. The attack affected Linux users who downloaded the AppImage and Ubuntu zip files during this period. Windows and macOS users were not impacted, nor were those using Flatpak. The malware primarily aims to steal SSH keys, GitHub tokens, and passwords, potentially allowing further infections. A specific payload targets users in Israel, attempting to play a siren and wipe the filesystem. The compromised files have since been removed from GitHub, and users are advised to delete affected binaries and reset passwords. The developers are still investigating the full extent of the malware's capabilities.

Key Points:

  • Cemu 2.6 was compromised by a pro-Russian threat actor affecting Linux builds.
  • Malware targets SSH keys and GitHub tokens, facilitating further infections.
  • Users in Israel face an additional risk of filesystem wipe via a specific malware payload.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Cemu (company)
  • Ubuntu (company)
  • Israel (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1485 - Data Destruction (mitre_attack)
  • T1543.003 - Windows Service (mitre_attack)
  • Linux (platform)
  • macOS (platform)
  • Windows (platform)
  • 0c20c4aeb800bb13d9bab9474ef45a6f8fcde6402cad9b32ac2a1bbd03186313 (sha256)
  • 5e4592d0dae394fa0614cb8c875eff3f81b23170b349511de318d9caf7215e1b (sha256)
  • Kubectl (tool)
  • Copy Fail (vulnerability)
  • Dirty Frag (vulnerability)