Arctic Wolf has recently observed the distribution of a trojanized RVTools installer via a malicious typosquatted domain. The domain matches the legitimate domain, however, the Top Level Domain (TLD) is changed from .com to .org. RVTools is a widely used VMware utility for inventory and configuration reporting, developed by Robware. Once the malicious installer was downloaded, the installer attempts to make outbound connections to known command and control infrastructure. However, the attempts were intercepted and sinkholed, preventing additional analysis on the final payload.
Notably, according to open source reporting, the official RVTools website was likely compromised to deliver a malicious installer containing a version.dll file that deploys the Bumblebee malware loader. The Bumblebee malware enables threat actors to gain persistent access, execute additional malicious payloads, steal data, and facilitate ransomware or further attacks within a compromised system.
While the exact timeline of the compromise is unknown, reports of the malicious installer began emerging in mid-May 2025. At the time of writing, both legitimate RVTools sites (Robware.net and RVTools.com) are down, with no indication of when they will be restored.
Recommendations
Verify the Legitimacy of the Downloaded RVTools Installer
Due to the unknown timeline of the compromise, Arctic Wolf strongly recommends verifying the legitimacy of any RVTools installer downloaded recently. For reference, you can verify the official installer’s hash here.
Avoid Untrusted Sources
Robware has stated that Robware.net and RVTools.com are the only authorised and supported websites for RVTools software. Do not search for or download RVTools from any other websites or sources, including those with similar domain names.
References
Resources
