
RVTools Supply Chain Attack Delivers Bumblebee Malware

A recent discovery has revealed the distribution of a trojanized RVTools installer via a malicious typosquatted domain. The domain name matches the legitimate RVTools domain, but the Top-Level Domain (TLD) is changed from .com to .org. According to open-source reporting, the official RVTools website was likely compromised to deliver a malicious installer containing a version.dll file that deploys the Bumblebee malware loader. This malware enables threat actors to gain persistent access, execute additional malicious payloads, steal data, and facilitate ransomware or further attacks within a compromised system.

Once the malicious installer is downloaded, it attempts to make outbound connections to known command and control infrastructure. However, these attempts were intercepted and sinkholed, preventing further analysis of the final payload. The exact timeline of the compromise is unknown, but reports of the malicious installer began emerging in mid-May 2025.

Due to the unknown timeline of the compromise, it is strongly recommended to verify the legitimacy of any RVTools installer downloaded recently. For reference, you can verify the official installer’s hash on VirusTotal: 0506126bcbc4641d41c138e88d9ea9f10fb65f1eeab3bff90ad25330108b324c

Both legitimate RVTools sites (Robware.net and RVTools.com) are currently down, with no indication of when they will be restored. Helient highly recommends that, if you need to download RVTools, you do so only from Robware.net and RVTools.com. Avoid searching for this application; go directly to one of the mentioned sites. Helient also recommends verifying the installer hash to ensure it matches the official installer hash for this application.
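One way to run the hash check recommended above against installers already on disk, as an added example that is not Helient's or the RVTools project's code. It assumes the hash quoted in this advisory is a SHA-256 digest and that the file still carries its Windows Mark-of-the-Web (`Zone.Identifier`) stream; the function names are illustrative.

```python
import hashlib
import sys
from urllib.parse import urlsplit

# Official installer hash as quoted in this advisory (assumed to be SHA-256).
OFFICIAL_SHA256 = "0506126bcbc4641d41c138e88d9ea9f10fb65f1eeab3bff90ad25330108b324c"
# Legitimate download sites named in this advisory.
TRUSTED_DOMAINS = ("robware.net", "rvtools.com")


def sha256_of(path):
    """Stream the file so large installers are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def host_is_trusted(url):
    """Exact or subdomain match only, so a changed TLD or a prefix trick fails."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def motw_host_url(zone_text):
    """Return the HostUrl value from Zone.Identifier text, or None if absent."""
    for line in zone_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "hosturl":
            return value.strip()
    return None


def triage(path):
    """Return (hash_matches, source_url, source_trusted) for one installer."""
    matches = sha256_of(path) == OFFICIAL_SHA256
    try:  # The alternate data stream exists only on NTFS; treat as absent elsewhere.
        with open(str(path) + ":Zone.Identifier", errors="replace") as fh:
            zone_text = fh.read()
    except OSError:
        zone_text = ""
    url = motw_host_url(zone_text)
    return matches, url, (host_is_trusted(url) if url else None)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        ok, url, trusted = triage(name)
        print(f"{name}: hash_match={ok} source={url} trusted_source={trusted}")
```

Treat the hash comparison as the deciding check: because the official site itself was reportedly compromised, a trusted source URL does not clear a file whose hash differs. A mismatch means the file is not the build referenced here and should be investigated before it is run.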

Please do not hesitate to contact Helient should you have questions or require assistance by sending an email to service@helient.com.