Threat Insight

Official Download site for RVTools Hacked

The official site for RVTools, robware.net, has been hacked to serve a compromised installer for the popular VMware environment reporting utility. This hack was discovered after a security researcher revealed that an infected version of the installer downloaded from the website was being used to sideload a malicious DLL that turned out to be a known malware loader called Bumblebee.

Insight

RVTools is a popular free tool offered for VMware vSphere. The main function of RVTools is reporting on the configuration of vCenter Servers, ESXi servers, and the virtual machines (VMs) that reside in a vSphere environment.

Bumblebee is a known malware loader that has been associated with attacks that have led to ransomware. The group behind Bumblebee was previously part of the now defunct Conti ransomware syndicate.

Recommendations

Truesec has previously warned that cybercriminals are increasingly targeting IT developers by forking open-source code bundles and adding malicious code to the bundle. Now a threat actor has hacked a legitimate site for downloading a software tool and added a malware loader that can lead to ransomware.

RVTools is free software, developed and maintained by a single developer. While tools such as this can be very useful, the developers of such tools seldom make a lot of money from them and often cannot afford sufficient security for their web sites.

To minimize the risk of supply chain attacks from code packages such as this, you must know what software you’re using. Leverage software composition analysis and software bills of materials to inventory your third-party software use.

For sensitive projects, consider introducing a “quarantine” of packages that aren’t immediately needed. The packages should still be reasonably up to date so they can receive security fixes, but integration can often be delayed by a few days.
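One way to express the quarantine rule above as a check, as an added example that is not Truesec's or any project's own code: it selects the newest release that has aged out of quarantine without being reported as compromised. The seven-day window, the name `pick_release`, and the package versions and dates are assumptions constructed for illustration.

```python
from datetime import date

QUARANTINE_DAYS = 7  # assumption: the text only says "a few days"

def version_key(version):
    """Sort key for dotted numeric versions such as '2.4.1'."""
    return tuple(int(part) for part in version.split("."))

def pick_release(releases, today, reported_bad=frozenset(), urgent=False,
                 quarantine_days=QUARANTINE_DAYS):
    """Return (best, held_back) for one package.

    releases: list of (version, release_date) tuples.
    best: newest version that may be integrated today, or None.
    held_back: newer versions still waiting in quarantine.
    urgent=True skips the waiting period (package is immediately needed),
    but a version in reported_bad is never selected.
    """
    allowed, waiting = [], []
    for version, released in releases:
        if version in reported_bad:
            continue  # reported as compromised during or after quarantine
        age_days = (today - released).days
        if age_days < 0:
            continue  # release date in the future: treat the record as untrusted
        if urgent or age_days >= quarantine_days:
            allowed.append(version)
        else:
            waiting.append(version)
    best = max(allowed, key=version_key, default=None)
    held_back = sorted(
        (v for v in waiting if best is None or version_key(v) > version_key(best)),
        key=version_key,
    )
    return best, held_back

# Constructed sample data: hypothetical package versions and release dates.
TODAY = date(2025, 6, 10)
RELEASES = [
    ("2.3.0", date(2025, 4, 2)),
    ("2.4.0", date(2025, 5, 30)),
    ("2.4.1", date(2025, 6, 8)),
]

if __name__ == "__main__":
    print(pick_release(RELEASES, TODAY))
    print(pick_release(RELEASES, TODAY, reported_bad={"2.4.0"}))
```

The second call shows the benefit of the delay: a release reported as compromised while newer versions are still waiting is skipped, and the previous known-good version stays in use.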

IT developers are usually entrusted with some of the highest privileges, and protecting admin identities is the core of cybersecurity. It is also important to maintain a dialogue between cybersecurity and IT developers in your organization. Informed and aware personnel and clear policies are key factors in defending against social engineering attacks.
