On May 13, 2025, cybercriminals briefly turned VMware’s trusted RVTools utility into a malware delivery channel by compromising its installer. The attackers used the installer to deploy Bumblebee, a dangerous malware loader often linked to ransomware preparation and post-exploitation attacks.

Microsoft Defender for Endpoint flagged the breach after detecting suspicious activity from a file named “version.dll,” found in the same directory as the RVTools installer. Though the installer appeared authentic, it was embedded with malicious code that executed immediately upon installation.

Hash comparisons revealed clear discrepancies between the infected installer and the official version. Analysts at ZERODAY LABS identified the payload as a customized variant of Bumblebee—frequently used by attackers to gain initial access before launching larger cyberattacks.

VirusTotal scans showed 33 of 71 antivirus engines flagged the file as malicious, prompting serious concerns about the malware’s potential spread. The compromised version of RVTools was available for nearly an hour before the website was taken offline and later restored with verified, clean files.

Forensics uncovered unusual obfuscation tactics in the malware’s metadata, including strange descriptors like “Hydrarthrus” and “Enlargers pharmakos submatrix,” likely designed to mislead analysts.

Infection Mechanism

Victims unknowingly downloaded the trojanized installer from RVTools’ official website. Upon execution, it installed the usual RVTools components but also dropped a rogue version.dll file in the same directory. Because Windows searches an application’s own directory before the system directories when resolving a DLL by name, the application loaded the malicious version.dll instead of the legitimate one.

The threat actors had infiltrated the website’s file repository, replacing the genuine installer with a significantly larger malicious version. Once executed, the malware established persistence and contacted its command-and-control (C2) servers, potentially downloading further harmful payloads.

Organizations that downloaded RVTools during the affected period should immediately verify installer hashes and check for unauthorized version.dll files on their systems.
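The two checks above (installer hash verification and a hunt for version.dll sitting outside the Windows system directories) can be scripted on a Windows host with built-in cmdlets. The script below is an added example written for this article, not code from the article, from Microsoft or from the RVTools project. The installer path, search roots and the expected hash are placeholders: the article publishes no known-good hash, so take that value from the vendor’s own download page before relying on the first check.

```powershell
# Added example (not from the original article): hunt for the two indicators the
# article describes, using only built-in PowerShell cmdlets.
# Assumptions: the installer path, search roots and known-good hash below are
# placeholders to be replaced with your own values; the article gives no hash.

param(
    [string]$InstallerPath    = 'C:\Downloads\RVTools.msi',                # assumed location
    [string]$KnownGoodSha256  = 'REPLACE_WITH_VENDOR_PUBLISHED_SHA256',    # placeholder
    [string[]]$SearchRoots    = @('C:\Program Files', 'C:\Program Files (x86)', "$env:USERPROFILE\Downloads")
)

# 1. Verify the downloaded installer against the vendor-published SHA-256.
if (Test-Path -Path $InstallerPath) {
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ieq $KnownGoodSha256) {
        Write-Host "[OK]   installer hash matches: $actual"
    } else {
        Write-Warning "installer hash MISMATCH: got $actual, expected $KnownGoodSha256"
    }
} else {
    Write-Host "[skip] installer not found at $InstallerPath"
}

# 2. A legitimate version.dll lives in the Windows system directories. Any copy
#    sitting next to an application matches the sideloading pattern the article
#    describes, so list every copy found outside those directories together with
#    its Authenticode status, signer, size, hash and timestamp for triage.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

Get-ChildItem -Path $SearchRoots -Filter 'version.dll' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object {
        $dir = $_.DirectoryName
        -not ($systemDirs | Where-Object { $dir -like "$_*" })
    } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Signature = $sig.Status                     # 'Valid' with a Microsoft signer is expected; anything else is suspect
            Signer    = $sig.SignerCertificate.Subject  # $null when the file is unsigned
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Modified  = $_.LastWriteTimeUtc
        }
    } | Format-Table -AutoSize
```

Run it from an elevated prompt so the Program Files trees are fully readable, and widen $SearchRoots to any drive where staff save downloads. A version.dll that is unsigned, or whose size and hash differ from the copy in System32, is the file to quarantine and submit for analysis; the hash it prints can be compared against the values published for this incident.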


News Source: Cybersecuritynews.com