Security researchers have discovered a major supply chain attack aimed at users of RVTools, a popular utility which is used to report on the status of a VMware environment. – The “official” RVTools webserver has been hijacked in order to spread a malicious installer of the highly infamous Bumblebee piece of malware.
Researchers said that the official RVTools website was most likely compromised so that users who downloaded the installer did so with no knowledge that it contained a rigged version of the software with the malicious DLL file. This DLL is used to drop Bumblebee malware loader on the victim’s machine.
Bumblebee is a highly advanced malware that enables a long-term access to the attacked machine for threat actors. It can deliver other kinds of payloads, steal data, and in a worst-case scenario, ransomware attacks or other evil action inside network.
Security analysts at Arctic Wolf saw the trojanized installer being served through a malicious, typo-squatted domain with a name nearly identical to that of the legitimate RVTools web address, with the exception of having a “. org” domain extension, instead of “. com”. This serves to reinforce the need to ensure the legitimacy of website domains when downloading software.
For now, the official RVTools sites, Robware. net and RVTools. com are down with no indication of when they’ll be brought back online. It is unknown exactly when the compromise took place but mentions of the malicious installer first emerged in mid-May 2025.
Recommendations for Users:
Security firms are recommending that anyone who has recently installed RVTools should do something now about the current situation, because no one knows just how long the injection has been active, and how long their respective systems may have been exposed.
Check the Installer is legit: If you downloaded the RVTools installer recently, it is very important to check you have the legit one. Arctic Wolf provided a hash to compare against that is a hash for the valid installer.
Do Not Download From Untrusted Sources: Robware has already stated that Robware. net and RVTools. com are official RVTools channels. Do not download the utility from any other website or you know ‘similar sounding’ domain name, including one with change of domain name or site logo.
Check for Any Malicious Activity: In order to ensure that your system has not been compromised, be sure to examine network connections and look for any suspicious activity. The malicious Bumblebee malware tries to make outbound connections to the command and control server.
Inspect Executable Files: Security experts advise read controls on any execute of version. dll from user folders because this is the malicious DLL for the loader Bumblebee in this campaign.
This is another painful lesson of how sophisticated the supply chain attacks have become and how careful we have to be in downloading software, even from what it appears to be a legit source. We encourage organizations to be on the alert, even if they have strong security barriers on place.
