Hacked RVTools Site Distributes Bumblebee Malware via Trojanized Installer

May 19, 2025
  • The official RVTools website was compromised on May 12, 2025, leading to the distribution of a malicious installer that delivered Bumblebee malware.

  • This compromised installer, which was larger than the legitimate version, enabled the sideloading of a harmful DLL that triggers the Bumblebee payload.

  • Bumblebee malware is notorious for facilitating cybercriminal access, often used to initiate ransomware attacks and download additional payloads like Cobalt Strike beacons.

  • Microsoft Defender flagged suspicious activity related to the installer on May 13, 2025, shortly after an installation attempt.

  • Cybersecurity researcher Aidan Leon's team detected the harmful file 'version.dll' during this installation attempt, raising immediate security concerns.

  • In response to the incident, Robware.net, the developer of RVTools, urged users to download the software only from authorized sites to avoid malicious sources.

  • Users are advised to verify the installer's hash and monitor for any execution of version.dll from user directories to ensure their systems remain secure.

  • Details about how long the compromised installer was available and the number of downloads before the website's takedown remain unclear.

  • Those who downloaded from unofficial sources might have infected their devices with Bumblebee and potentially other malware.

  • The incident highlights the importance of cybersecurity vigilance, especially for tools like RVTools that assist in managing VMware systems.

  • This incident follows previous reports of compromised Procolored printers, which were sold with malware, including XRed and SnipVex.

  • The malicious installer had a different file hash compared to the legitimate version, indicating it had been tampered with.
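
The hash check and version.dll monitoring advised above, as an added example that is not from the original article or from Robware: it streams an installer through SHA-256 and compares the result with a vendor-published hash supplied by the caller, then flags image-load records in which version.dll is loaded from a user directory. Assumptions: the event records are constructed (using Sysmon Event ID 7 field names), the file paths are hypothetical, and "user directories" is taken to mean anything under `<drive>:\Users\`.

```python
import hashlib
import hmac
import ntpath
import re

# Assumption: "user directories" means anything under <drive>:\Users\.
USER_DIR = re.compile(r"^[a-z]:\\users\\")

def sha256_of(path, chunk=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def installer_matches(path, published_sha256):
    """Compare against the hash published by the vendor (supplied by the caller)."""
    return hmac.compare_digest(sha256_of(path), published_sha256.strip().lower())

def is_user_dir_version_dll(event):
    """True when an image-load record shows version.dll loaded from a user directory."""
    # normpath collapses '..' segments so a System32-looking prefix cannot hide the real location.
    loaded = ntpath.normpath(event["ImageLoaded"]).lower()
    return ntpath.basename(loaded) == "version.dll" and bool(USER_DIR.match(loaded))

# Constructed sample records using Sysmon Event ID 7 field names (Image, ImageLoaded).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\setup\installer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\setup\version.dll"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\x\tool.exe",
     "ImageLoaded": r"C:\Windows\System32\..\..\USERS\bob\AppData\Local\Temp\x\VERSION.DLL"},
    {"Image": r"C:\Users\alice\AppData\Local\app\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\app\other.dll"},
]

def flagged(events):
    """Return only the records that match the version.dll-from-user-directory pattern."""
    return [e for e in events if is_user_dir_version_dll(e)]

if __name__ == "__main__":
    for hit in flagged(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "loaded", hit["ImageLoaded"])
```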

Summary based on 5 sources



Sources




Compromised RVTools Installer Spreading Bumblebee Malware

Hackread - Latest Cybersecurity, Hacking News, Tech, AI & Crypto • May 20, 2025
