A sophisticated supply chain compromise briefly turned the trusted VMware administration tool RVTools into a malware delivery vector on May 13, 2025.
The attack leveraged a compromised installer to deploy Bumblebee, a dangerous malware loader with potential for ransomware staging and post-exploitation activities.
Security experts identified the compromise when Microsoft Defender for Endpoint flagged suspicious activity from a file named “version.dll” executing from the same directory as the RVTools installer.
The modified installer appeared legitimate on the surface but contained malicious code that attempted to execute immediately after installation.
Hash verification revealed a significant mismatch between the compromised installer and the legitimate version advertised on the official website.
ZERODAY LABS analysts identified the malware as a custom variant of the Bumblebee loader, known for its use in initial access scenarios by threat actors preparing ransomware attacks.
Their investigation confirmed that VirusTotal analysis classified the file as malicious in 33 out of 71 antivirus engines, raising immediate alarms about its potential for widespread distribution.
The attack demonstrates the evolving sophistication of software supply chain attacks, targeting tools commonly used in enterprise environments.
The compromised RVTools website served the malicious installer for approximately one hour before being taken offline and subsequently restored with legitimate files matching their published hashes.
Forensic analysis shows the threat actors employed distinctive obfuscation techniques in file metadata, using surreal terminology designed to distract security researchers.
The malware’s metadata contained bizarre entries including an original filename of “Hydrarthrus” and company description of “Enlargers pharmakos submatrix,” hallmarks of deliberate obfuscation.
The infection process began with users downloading what appeared to be the legitimate RVTools installer from the official website.
Upon execution, the installer would extract and deploy the files normally associated with RVTools while silently dropping the malicious version.dll file into the same directory.
This technique leverages DLL search order hijacking, where Windows preferentially loads DLLs from the application’s directory before checking system paths.
When the application was launched, it would attempt to load the standard version.dll library but instead execute the malicious version with elevated privileges.
The threat actor had apparently compromised the website’s file repository, replacing the legitimate installer with a trojanized version significantly larger in size.
When executed, the malware would establish persistence and attempt to contact command and control servers for further instructions, potentially enabling additional payloads to be downloaded onto compromised systems.
Organizations that downloaded RVTools during the compromise window are urged to verify their installer hashes and scan for the presence of unauthorized version.dll files in user directories.
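As an added example (not code from the article or from the RVTools project), the Python script below carries out the two checks recommended above: comparing a downloaded installer's SHA-256 against a vendor-published value, and hunting for version.dll copies outside the Windows system directories, noting any executable that shares the directory, which is the search-order hijack layout described earlier. The published hash, the paths and the sample files are constructed placeholders, not indicators from the incident.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Where a genuine version.dll lives on Windows; a copy anywhere else is suspect.
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_installer(path, published_sha256):
    """True only if the downloaded installer matches the vendor-published hash."""
    return sha256_of(path) == published_sha256.strip().lower()

def find_rogue_version_dll(root):
    """One record per version.dll under root outside LEGIT_DIRS, noting any .exe
    in the same directory: DLL beside executable is the search-order hijack layout."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.abspath(dirpath).lower().rstrip("\\/") in LEGIT_DIRS:
            continue
        for name in filenames:
            if name.lower() == "version.dll":
                full = os.path.join(dirpath, name)
                exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
                hits.append({"path": full, "sha256": sha256_of(full),
                             "size": os.path.getsize(full), "sibling_exes": exes})
    return hits

def build_constructed_sample(root=None):
    """Constructed tree of placeholder files (not real malware) to exercise the hunt."""
    root = Path(root or tempfile.mkdtemp(prefix="rvtools-hunt-"))
    app = root / "Downloads" / "RVTools"
    app.mkdir(parents=True, exist_ok=True)
    (app / "RVTools.exe").write_bytes(b"MZ placeholder executable")
    (app / "version.dll").write_bytes(b"MZ placeholder dll dropped beside the app")
    (root / "clean").mkdir(exist_ok=True)
    (root / "clean" / "notes.txt").write_text("nothing to see here")
    return str(root)

if __name__ == "__main__":
    for hit in find_rogue_version_dll(build_constructed_sample()):
        print(f"SUSPECT {hit['path']} sha256={hit['sha256']} beside={hit['sibling_exes']}")
```

Point `find_rogue_version_dll` at user profile or download directories on a real host, and replace the placeholder hash with the value published on the vendor's download page.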