A recent supply chain attack targeting RVTools, a widely used VMware vSphere management utility, resulted in the distribution of trojanized installers delivering the Bumblebee malware loader to enterprise users. The malware was propagated through fake domains mimicking Dell’s official distribution channels, escalating concerns about targeted threats in the virtualization ecosystem.
RVTools, developed by Robware and now owned by Dell, is trusted by VMware administrators for infrastructure reporting. However, threat actors exploited this trust by creating typo-squatted domains that distributed malicious versions of the installer.
“Further investigation revealed a mismatch between the file hash listed on the RVTools website and the actual file being downloaded,”
— Aidan Leon, ZeroDay Labs
According to ZeroDay Labs researcher Aidan Leon, the malicious installer contained a trojanized version.dll that initiated the Bumblebee malware loader. The legitimate RVTools websites, rvtools.com and robware.net, were subsequently taken offline due to distributed denial-of-service (DDoS) attacks and have not yet returned.
“Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience,”
— Message displayed on the official websites
Dell has denied that the malicious installer was distributed through its official platforms. A company spokesperson emphasized that the malicious files likely originated from fake lookalike domains designed to deceive users through SEO poisoning and malvertising.
“Our investigation has not identified any indications to suggest a compromise of these websites or the software available for download there.”
— Dell Technologies
Despite Dell’s statement, researchers maintain that they observed suspicious activity directly from the RVTools website, including the presence of malware-laced installers and changes in file hashes. Leon stated the website was likely compromised on May 12 before being temporarily restored with clean files.
The Bumblebee malware, linked to ransomware groups like Conti and Black Basta, is known for deploying payloads such as Cobalt Strike, information stealers, and ransomware variants. The malware allows initial access to corporate networks, making this supply chain compromise especially dangerous for enterprise environments.
“The malware has been tied to the Conti ransomware operation… many of its members split off into other ransomware operations who likely still have access to the tooling.”
Additional analysis by cybersecurity firm Arctic Wolf confirmed the existence of typosquatted domains with altered top-level domains (.org instead of .com), distributing the same trojanized RVTools software.
“Arctic Wolf has recently observed the distribution of a trojanized RVTools installer via a malicious typosquatted domain,”
— Arctic Wolf Labs
Security experts strongly advise users who have recently installed RVTools to validate their software against VirusTotal and verify hashes before execution. Organizations should perform deep forensic analysis if any signs of compromise are detected.
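The two integrity checks this incident turns on, comparing a downloaded installer against the published hash and looking for a planted version.dll beside the application binaries, as an added example (not code from ZeroDay Labs, Arctic Wolf, Dell or the RVTools project). The file names and hash values are constructed for the demo; the real RVTools hashes are not on this page.

```python
import hashlib
import tempfile
from pathlib import Path

# DLL names a loader can plant in an application directory so the app picks
# them up instead of the Windows copy; version.dll is the one this incident used.
SIDELOAD_DLLS = ("version.dll",)


def sha256_file(path: Path) -> str:
    """Stream the file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: Path, published_sha256: str) -> bool:
    """True only when the download matches the hash the vendor lists.
    Case and whitespace are normalised because published hashes are usually
    copy-pasted from a web page."""
    return sha256_file(path) == published_sha256.strip().lower()


def find_sideload_dlls(install_dir: Path) -> list:
    """Return DLLs with a Windows system-DLL name sitting next to the app.
    Some legitimate software ships such a file, so treat hits as leads to
    inspect (signature, hash, VirusTotal), not as proof of compromise."""
    return sorted(p for p in install_dir.rglob("*.dll")
                  if p.name.lower() in SIDELOAD_DLLS)


def demo() -> dict:
    """Constructed sample: one clean download, one tampered download and an
    install directory with a planted version.dll. Nothing here is real data."""
    root = Path(tempfile.mkdtemp())
    clean = root / "RVTools-clean.msi"
    clean.write_bytes(b"constructed clean installer bytes")
    published = sha256_file(clean).upper()  # as a vendor page might print it
    tampered = root / "RVTools-tampered.msi"
    tampered.write_bytes(b"constructed clean installer bytes" + b"\x00payload")
    app = root / "Program Files" / "RVTools"
    app.mkdir(parents=True)
    (app / "RVTools.exe").write_bytes(b"constructed exe")
    (app / "version.dll").write_bytes(b"constructed planted dll")
    return {
        "clean_matches": verify_installer(clean, published),
        "tampered_matches": verify_installer(tampered, published),
        "sideload_dlls": [p.name for p in find_sideload_dlls(app)],
    }


if __name__ == "__main__":
    print(demo())
```

Because the researchers reported the published hash itself changing on the site, a match against the vendor page alone is not conclusive; compare the hash with a second source such as VirusTotal as the article advises.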
“If you downloaded software from these domains, there is a good chance your device is infected with the Bumblebee malware and possibly additional payloads.”
This incident underlines the critical importance of supply chain threat detection and integrity verification, especially when using trusted tools in high-privilege environments like VMware infrastructure.