
Compromised RVTools Installer Spreading Bumblebee Malware

A widely used tool for managing VMware systems, RVTools, was recently found delivering harmful software to users. A security researcher, Aidan Leon, sounded the alarm in a blog post on ZeroDayLabs after discovering a compromised installer for RVTools on its official website.

The issue came to light on Thursday, May 15, 2025, when Leon’s security team detected a suspicious file, version.dll, attempting to run from an RVTools installer. This happened during an employee’s attempt to install the utility.

Reportedly, the infected version was first uploaded on Monday, May 12, 2025, suggesting the website was compromised between 8 AM and 11 AM that day. The official website later went offline and then reappeared with a clean version of the download. However, by Friday, May 16, 2025, the site was offline again without explanation.

Microsoft Defender for Endpoint quickly flagged the activity. Further investigation confirmed that the malicious installer originated from the official RVTools website, Robware.net. Also, Leon found that the infected RVTools installer was noticeably larger than its legitimate counterpart. It also contained a file hash that did not match the clean version listed on the official site.

The file’s analysis on VirusTotal, a service that checks for malicious content, confirmed the severity: 33 out of 71 antivirus engines identified it as a variant of the Bumblebee malware loader, a malware known for its role in gaining initial access for cybercriminals, often paving the way for ransomware or advanced attack frameworks.

The malicious file even featured unusual and deliberately confusing details in its metadata, such as “Hydrarthrus” as the original filename and strange descriptions like “elephanta ungroupable clyfaker gutturalness” for the product. These cryptic terms, as noted in a ZeroDay Labs Report, were used as a distraction from the file’s true harmful purpose.

Within an hour of the malicious file being submitted to VirusTotal, public detections of it surged. This coincided with the RVTools website temporarily going offline. When the site returned, the downloaded file had changed, now being smaller and matching the official, safe file hash. This swift change strongly suggested a brief but targeted compromise of the software’s distribution channel.

The security concerns don’t end with the official website. A warning on the legitimate RVTools site advises against downloading the software from other sources. This advice is critical, as a simple online search for “RVTools download” currently shows a lookalike website, rvtoolsorg, as the top result. This fake site, which claims to be official, also offers a malicious RVTools installer.

The incident shows the need for caution when downloading software, even from legitimate sources. Organizations installing RVTools should verify the installer’s integrity by checking its file hash against the value published on the official site, and should monitor for unusual activity, especially the execution of “version.dll” from user directories.
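As an added example (not code from the article, ZeroDayLabs or RVTools), the two checks above in Python: a streaming SHA-256 comparison against a vendor-published hash, and a filter over Sysmon-style image-load records that flags version.dll loading from a user directory. The hash values, paths and log records are constructed for the example; the article publishes no real hash.

```python
"""Added example, not code from the HackRead article or from RVTools: the two
defender checks its closing advice asks for. Hashes, paths and log records below
are constructed for illustration; the article publishes no real hash."""
import hashlib
import hmac
import re

# Constructed Sysmon-style ImageLoad records: (loading process, DLL path).
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\Downloads\\RVTools.exe",
     "C:\\Users\\alice\\Downloads\\version.dll"),          # DLL beside installer
    ("C:\\Program Files\\RVTools\\RVTools.exe",
     "C:\\Windows\\System32\\version.dll"),                # legitimate system DLL
    ("C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe",
     "C:\\Users\\bob\\AppData\\Local\\Temp\\VERSION.DLL"), # case-insensitive match
]

# Drive letter followed by \Users\ marks a user directory (assumed layout).
USER_DIR = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the installer through SHA-256 so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def installer_matches(actual_sha256: str, published_sha256: str) -> bool:
    """True only if the computed digest equals the hash the vendor publishes.
    compare_digest avoids short-circuiting on the first differing byte."""
    return hmac.compare_digest(actual_sha256.lower(), published_sha256.lower())


def suspicious_version_dll_loads(events):
    """Return (process, dll) pairs where version.dll was loaded from a user
    directory. Windows ships version.dll under C:\\Windows; a copy loaded from
    Downloads or Temp is the sideloading pattern the article describes."""
    return [(proc, dll) for proc, dll in events
            if dll.lower().endswith("\\version.dll") and USER_DIR.match(dll)]


if __name__ == "__main__":
    for proc, dll in suspicious_version_dll_loads(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded {dll}")
```

Replace the sample records with your endpoint telemetry's process and image-load fields, and compare `sha256_file()` output with the hash shown on the official download page.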
