RVTools official website compromised to distribute malware-laced installer

The official website for RVTools, a popular reporting utility for VMware environments, has been hacked to distribute a malicious installer.

In a statement on its website, Robware, the developer behind RVTools, said that “Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience.”

“Robware.net and RVTools.com are the only authorized and supported websites for RVTools software. Do not search for or download purported RVTools software from any other websites or sources.”

The breach came to light after security researcher Aidan Leon discovered that a tampered installer from the official website was being used to sideload a malicious DLL file. The malware in question was identified as Bumblebee, a known loader used in various high-profile cyberattacks to deploy additional payloads, establish persistence, and facilitate ransomware operations.

It remains unclear how long the trojanized installer was available for download and how many users may have unknowingly installed it. Both Robware.net and RVTools.com have since been taken offline as a precautionary measure.

The news comes after printer manufacturer Procolored disclosed that its official software was compromised with two types of malware: a Delphi-based backdoor named XRed and a clipboard hijacker called SnipVex. XRed, active since at least 2019, can collect system data, log keystrokes, spread via USB drives, and execute remote commands including file manipulation and screenshot capture. SnipVex is designed to replace cryptocurrency wallet addresses copied to the clipboard with a hardcoded address controlled by the attacker.

Procolored admitted the infected software was uploaded to Mega in October 2024, likely contaminated via USB drives.

“The software hosted on our website was initially transferred via USB drives. It is possible that a virus was introduced during this process. Additionally, as the PrintEXP software is in Chinese by default, some international operating systems may incorrectly flag or misinterpret it as malicious, especially if the system does not handle non-English programs well,” the company explained.

Currently, software downloads are limited to the F13 Pro, VF13 Pro, and V11 Pro printer models.
