On May 13, 2025, a sophisticated supply chain attack compromised the trusted VMware administration tool RVTools, turning it into a malware delivery platform.
The attackers managed to replace the legitimate RVTools installer on the official website with a malicious version that silently deployed Bumblebee—a highly dangerous malware loader known for enabling ransomware attacks and post-exploitation activities.
Security experts first detected the breach when Microsoft Defender for Endpoint flagged suspicious behavior coming from a file named “version.dll” executing in the same directory as the RVTools installer.
While the installer appeared legitimate at first glance, it contained hidden malicious code that activated immediately after installation.
Further analysis revealed a mismatch in hash values between the compromised installer and the official version published on the RVTools website, confirming the tampering.
Malware analysts at ZERODAY LABS identified the payload as a custom variant of the Bumblebee loader, widely used by threat actors for initial access to corporate networks in preparation for ransomware campaigns.
VirusTotal scans showed that 33 out of 71 antivirus engines detected the file as malicious, highlighting the serious threat posed by this attack and the potential for widespread distribution.
This incident underscores the growing complexity of software supply chain compromises, especially targeting tools frequently used in enterprise environments.
The trojanized installer was available on the RVTools website for about an hour before the breach was discovered; the infected files were then removed and the legitimate installer restored.
Interestingly, the malware authors employed unusual obfuscation tactics within the file metadata to confuse security researchers.
For example, the original filename was listed as “Hydrarthrus,” and the company description was given as “Enlargers pharmakos submatrix,” clearly designed to mislead and delay investigation efforts.
Infection Process
The infection began when users downloaded the seemingly official RVTools installer from the compromised website. Upon running the installer, it deployed the expected RVTools files but also silently dropped a malicious “version.dll” file into the installation directory.
This method exploits a Windows feature called DLL search order hijacking. Since Windows tries to load DLLs from the application’s folder before system directories, the malware’s version.dll was loaded instead of the legitimate system file, allowing the attacker’s code to run with the same privileges as the application.
Once executed, the malware established persistence on the system and attempted to connect to command-and-control (C2) servers to receive further instructions. This communication channel could enable attackers to download additional malicious payloads, increasing the risk of further compromise.
Recommendations
Organizations and users who downloaded RVTools during the affected period should immediately verify the integrity of their installer files by checking hash values against official sources.
It is also crucial to scan for unauthorized “version.dll” files in user directories and remove any suspicious files.
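One way to carry out both recommendations, and to check for the search-order hijacking pattern described in the Infection Process section, is the PowerShell script below. It is an added example written for this article, not code from the RVTools project or from the researchers cited; the installer path, the scan roots and the expected hash are assumptions, and the hash value in particular is a placeholder that must be replaced with the vendor-published value.

```powershell
# Added example (not from the original article): verify an RVTools installer hash and
# hunt for version.dll copies sitting outside the Windows system directories.
# $ExpectedSha256 is a placeholder; take the real value from the vendor's published hash.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\RVTools.msi",   # assumed download location
    [string]$ExpectedSha256 = "<OFFICIAL_SHA256_FROM_VENDOR>",            # placeholder, not a real hash
    [string[]]$ScanRoots    = @("$env:SystemDrive\Users",                  # assumed roots to search
                                "$env:ProgramFiles",
                                "${env:ProgramFiles(x86)}")
)

# 1. Hash check: compare the downloaded installer against the vendor-published SHA-256.
if (Test-Path -Path $InstallerPath) {
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ieq $ExpectedSha256) {
        Write-Host "[OK] Installer hash matches the vendor value."
    } else {
        Write-Warning "Installer hash MISMATCH: got $actual, expected $ExpectedSha256. Do not run it."
    }
} else {
    Write-Host "Installer not found at $InstallerPath; skipping hash check."
}

# 2. Hunt for version.dll outside System32/SysWOW64/WinSxS. The legitimate version.dll lives in
#    the Windows system directories and carries a Microsoft Authenticode signature; a copy placed
#    next to an application binary is the DLL search order hijacking pattern used in this attack.
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")

$findings = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter "version.dll" -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object {
            $p = $_.FullName
            -not ($systemDirs | Where-Object { $p.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SizeBytes = $_.Length
                Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status                      # Valid / NotSigned / HashMismatch ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }
            }
        }
}

if ($findings) {
    Write-Warning "version.dll found outside the Windows system directories; review each entry:"
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[OK] No version.dll found outside the Windows system directories."
}
```

Run it from an elevated PowerShell session so the scan can read every user profile. Treat every hit as a lead rather than a verdict: some third-party software legitimately ships its own version.dll, so an unsigned or non-Microsoft copy next to an application should be compared, by hash, against what that application's vendor actually distributes before it is removed, and the SHA-256 values in the output can be submitted to VirusTotal or matched against the indicators published for this incident.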
This incident serves as a powerful reminder of the evolving threat landscape, where even trusted enterprise tools can be weaponized through supply chain attacks.
Vigilance, rapid incident response, and strict validation of software sources remain key to defending against these sophisticated threats.