Thursday, June 12, 2025

Hackers Use Compromised RVTools Installer to Spread Bumblebee Malware

by Charline
On May 13, 2025, attackers briefly turned the popular VMware management tool RVTools into a malware delivery method, exposing Windows users to the dangerous Bumblebee malware.

The attackers used a modified installer to deliver the malware. Bumblebee is a well-known loader often used in ransomware operations and other serious cyberattacks.

Malware Detected by Microsoft Defender

Security teams were alerted when Microsoft Defender for Endpoint flagged unusual behavior linked to a file named version.dll. This file was found in the same directory as the RVTools installer.

Although the installer looked normal, it contained hidden malicious code that ran as soon as the installation was complete.

Experts later confirmed that the installer’s hash did not match the original file hosted on RVTools’ official site, a clear sign it had been tampered with.

Identifying the Malware

Cybersecurity analysts from ZERODAY LABS identified the malware as a custom version of Bumblebee. This malware is often used by threat actors to gain initial access before launching ransomware or other malicious payloads.

A VirusTotal scan showed that 33 out of 71 antivirus engines flagged the installer as dangerous, confirming the serious nature of the threat.

How the Attack Worked

The infection started when users downloaded the compromised installer from what appeared to be the official RVTools website.

Once run, the installer performed its usual functions, but silently dropped a malicious version.dll file into the application directory.

This method relied on a well-known Windows behavior that DLL search order hijacking abuses: when an application requests a library by name, Windows looks in the application's own folder before the system directories, so the program loaded the planted version.dll instead of the legitimate system copy, giving the malware elevated access.

Obfuscation and Evasion Tactics

To avoid detection, the attackers used strange and misleading metadata in the malware files. These included bizarre file names and company descriptions like “Hydrarthrus” and “Enlargers pharmakos submatrix”, intended to confuse analysts.

Response and Recommendations

The malicious version of the RVTools installer was available for about an hour before the compromised website was taken offline. It was later restored with clean files that matched official hash values.

Security experts urge organizations that downloaded RVTools on May 13 to:

  • Check the hash of the installer file against the official version.
  • Look for any unexpected version.dll files in the RVTools directory.
  • Scan systems for indicators of compromise and monitor for suspicious behavior.
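The following PowerShell script is an added example, not part of the original article, showing how an administrator could carry out the first two checks above (and the related DLL search-order point from the "How the Attack Worked" section) on a Windows host. The installer path, install directory and expected SHA-256 value are placeholders; the real hash must be taken from the vendor's official download page.

```powershell
# Added example: triage a downloaded RVTools installer and its install directory.
# All three values below are assumptions/placeholders, not values from the article.
$InstallerPath  = 'C:\Users\Public\Downloads\RVTools.msi'       # assumed download location
$InstallDir     = 'C:\Program Files (x86)\RVTools'               # assumed install directory
$ExpectedSha256 = 'PLACEHOLDER_SHA256_FROM_OFFICIAL_DOWNLOAD_PAGE' # replace with vendor-published hash

# 1. Hash check. The compromised installer was spotted because its hash did not
#    match the file hosted on the official site.
if (Test-Path -Path $InstallerPath) {
    $actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($actual -ieq $ExpectedSha256) {
        Write-Output "OK    installer hash matches the expected value"
    } else {
        Write-Output "ALERT installer hash mismatch: $actual (expected $ExpectedSha256)"
    }
} else {
    Write-Output "INFO  installer not found at $InstallerPath"
}

# 2. Look for version.dll next to the application. version.dll is a Windows
#    system library; a copy inside the application folder is exactly the
#    search-order hijack described above, because that folder is searched first.
$planted = Get-ChildItem -Path $InstallDir -Filter 'version.dll' -Recurse -File -ErrorAction SilentlyContinue
foreach ($f in $planted) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $h   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("ALERT version.dll in application directory: {0} sha256={1} signature={2} signer={3}" -f
        $f.FullName, $h, $sig.Status, $sig.SignerCertificate.Subject)

    # The malicious DLL carried odd company/product strings rather than Microsoft's,
    # so the version resource is worth recording alongside the hash.
    $vi = $f.VersionInfo
    Write-Output ("      CompanyName='{0}' FileDescription='{1}' ProductName='{2}'" -f
        $vi.CompanyName, $vi.FileDescription, $vi.ProductName)
}
if (-not $planted) { Write-Output "OK    no version.dll under $InstallDir" }

# 3. Check whether any running process has already loaded a version.dll from
#    somewhere other than the Windows system directories.
Get-Process | ForEach-Object {
    $p = $_
    try { $mods = $p.Modules } catch { return }   # access denied / bitness mismatch: skip
    $mods |
        Where-Object { $_.ModuleName -ieq 'version.dll' -and
                       $_.FileName -notmatch '\\Windows\\(System32|SysWOW64)\\' } |
        ForEach-Object {
            Write-Output ("ALERT {0} (pid {1}) loaded {2}" -f $p.ProcessName, $p.Id, $_.FileName)
        }
}
```

Run it from an elevated PowerShell session so that module lists of other users' processes are readable; any ALERT line for a version.dll outside System32/SysWOW64 is a finding that should be preserved (hash and path) before the file is removed, since the hash is the indicator that lets the machine be correlated with the May 13 download window.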

This incident highlights the growing risk of supply chain attacks, especially those targeting tools commonly used in enterprise environments.
