Malicious RVTools installer found on official site, researcher warns

The official site for RVTools has apparently been hacked to serve a compromised installer for the popular utility, a security researcher has warned.

It’s difficult to say how long the malicious version has been available for download, but the website has been offline since Friday, and began showing the following notice over the weekend:

Screenshot of website notice (Source: Help Net Security)

Malicious RVTools installer delivers malware

RVTools is a free Windows-based utility that helps admins collect and analyze information from VMware vSphere environments, more specifically: info about virtual machines and hosts, datastores, disks and virtual network interface cards, networks and virtual switches, and VM snapshots.

Originally developed by Rob de Veij and later acquired by Dell Technologies, RVTools has a long-standing reputation in the VMware ecosystem, which is part of the reason why malware peddlers are constantly targeting users looking for it online.

They usually use lookalike domains and malicious Google ads to trick them into downloading malware posing as RVTools. But this time around they’ve also apparently managed to compromise the tool’s official site.

Security researcher Aidan Leon sounded the alarm on Thursday.

“On May 13 2025, our security operations team responded to a high-confidence alert from Microsoft Defender for Endpoint. An employee had attempted to install RVTools—a trusted VMware environment reporting utility. Within moments of launching the installer, Defender flagged a suspicious file: version.dll, which was attempting to execute from within the same directory as the installer itself,” he said.

He confirmed for Help Net Security that the source of the malicious installer was the official RVTools website (at Robware.net), and that Defender picked up the infected install of RVTools at 2:11PM on Monday.

“I went ahead and checked the file against VirusTotal (…) and it seems like the RVTools variant was first submitted to VirusTotal on Monday (5/12), leading me to believe the website was first compromised Monday between 8am-11am. Around 3pm on Tuesday, the website was taken down and re-uploaded with a safe download of RVTools,” he told us.

By Leon’s account, the malicious installer was larger than the legitimate one and the threat actors did not bother to change the original, published hash of the latter. “When [the site] came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site.”
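Two defender-side checks that the details above point to, as an added example (not code from the article, from Dell or from RVTools): verifying a download against the hash the vendor publishes, and listing DLLs that have been dropped beside an installer. File names, contents and the hash value are constructed for the demo.

```python
"""Added example (not from the article, from Dell or from RVTools): two
defender-side checks that the incident above would have tripped.
- verify_published_hash(): the attackers left the published hash unchanged,
  so the larger trojanised file would not have matched it.
- find_sideload_candidates(): Defender flagged version.dll executing from the
  installer's own directory, a DLL search-order hijack indicator.
File names, contents and hashes below are constructed for the demo."""
import hashlib
import os
import tempfile


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_published_hash(path: str, published_sha256: str) -> bool:
    """True only if the download's SHA-256 equals the value the vendor lists."""
    return sha256_of(path) == published_sha256.strip().lower()


def find_sideload_candidates(installer_path: str) -> list[str]:
    """DLLs sitting next to the installer. Windows searches the application's
    own directory before System32 for DLLs not on the KnownDLLs list, so a
    planted version.dll there is loaded instead of the genuine one."""
    folder = os.path.dirname(os.path.abspath(installer_path))
    return sorted(n for n in os.listdir(folder) if n.lower().endswith(".dll"))


def demo() -> dict:
    """Constructed download folder: clean installer, its published hash, then
    the attacker's swap (bigger file, hash left alone) plus a planted DLL."""
    with tempfile.TemporaryDirectory() as d:
        installer = os.path.join(d, "RVTools-installer.msi")  # constructed name
        with open(installer, "wb") as f:
            f.write(b"CONSTRUCTED-CLEAN-INSTALLER-BYTES")
        published = sha256_of(installer)  # what the official page would list
        with open(installer, "ab") as f:  # trojanised build is larger
            f.write(b"\x00" * 4096)
        open(os.path.join(d, "version.dll"), "wb").close()
        return {
            "hash_matches": verify_published_hash(installer, published),
            "dlls_beside_installer": find_sideload_candidates(installer),
        }
```

A hash mismatch or an unexpected DLL in the download folder is grounds to quarantine the installer rather than run it.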

On Friday, the site was offline again, with no explanation. We reached out to Dell with questions about the apparent compromise, but have yet to hear back from them.

Fake RVTools site ranks high in search results

VirusTotal says that the malicious installer contains the Bumblebee malware loader, often used by threat actors to gain initial access and deliver ransomware payloads and post-exploitation frameworks.

The notice on the official RVTools site warns against searching for or downloading “purported RVTools software from any other websites or sources” – and rightly so: a simple Google search for “RVTools download” currently shows rvtools[.]org – an RVTools lookalike domain and site that proclaims to be the official one – as the first result (not as an ad!).

According to VirusTotal, the RVTools installer offered for download on that site is malicious:

VirusTotal scan results (Source: Help Net Security)

Obviously, the usual advice of downloading software from official sites is unlikely to be of much help in this case.
