RVTools installers carried Bumblebee
Reporting on the RVTools incident is split between official-site compromise and lookalike-domain delivery. The trojanized installer sideloaded version.dll to launch Bumblebee.
Story
RVTools is an administrator tool for VMware environments, so its installer lands near privileged infrastructure. In May 2025, researchers reported a trojanized RVTools installer that dropped a malicious version.dll and loaded Bumblebee.
The official-site question is unresolved in public reporting. ZeroDay Labs researcher Aidan Leon said the malicious file was downloaded from RVTools or Robware, with a mismatch between the published hash and the actual download. Dell later said its investigation found no evidence that Robware.net or RVTools.com served the malware and instead pointed to fake domains plus DDoS against the legitimate sites.
Other reporting supports both sides of the risk. Truesec and The Hacker News initially described an official-site compromise, while Arctic Wolf observed trojanized installers from typosquatted domains with changed top-level domains, likely promoted through SEO poisoning or malvertising.
This record is kept as an edge case. It tracks the real RVTools-branded trojanized installer and the strong claims of official-site exposure, but the notes preserve Dell's denial and the confirmed lookalike-domain delivery channel.
Affected Artifacts
- Observed: 2025-05-12 to 2025-05-21
- Compromised Versions: Unknown
- Fixed: Not listed
- The official-distribution status is contested. Aidan Leon reported direct official-site download and hash mismatch; Dell said it found no evidence of official-site or official-download compromise.
- Arctic Wolf reported trojanized RVTools installers from typosquatted domains, a confirmed malicious delivery path that overlaps the same RVTools-branded payload.
- Public reports did not provide a stable malicious RVTools version in text; some secondary reporting mentioned 4.7.1, but this record leaves the version unset until confirmed from primary evidence.
Incident Context
- Motive: Initial Access
- Cause: Contested Distribution Compromise
- Transitive: No
Indicators
- family: Bumblebee
- file: version.dll
- file: RVTools installer
- observable: Public reports conflict on whether official sites served the malicious installer.
- observable: Dell said fake websites mimicking Robware.net and RVTools.com distributed malicious RVTools installers.
- observable: A researcher reported a mismatch between the hash listed on the RVTools website and the actual downloaded installer.
External References
- RVTools Official Site Hacked to Deliver Bumblebee Malware via Trojanized Installer (thehackernews.com)
- Trojanized RVTools push Bumblebee malware in SEO poisoning campaign (bleepingcomputer.com)
- RVTools Supply Chain Attack Delivers Bumblebee Malware (arcticwolf.com)
- Official Download site for RVTools Hacked (truesec.com)
- RVTools Supply Chain Attack Delivered Bumblebee Malware via Trojanized Installer (dailysecurityreview.com)
- Thunderstruck! Malicious ads for RVTools lead to ThunderShell payload (fieldeffect.com)
- Malicious RVTools Installer Found on Official Site (it.ucsf.edu)
Source record: proprietary/rvtools/meta.yaml