The official website for RVTools, a popular VMware reporting utility, was recently compromised to distribute a trojanized installer. The site served a version that sideloaded a malicious DLL known as Bumblebee, a malware loader. This threat was first disclosed by security researcher Aidan Leon after analyzing a downloaded installer from the official website. In response, the developers took RVTools.com and Robware.net offline while launching an internal investigation into the incident.
The company has warned users to avoid downloading the tool from any unofficial sources to prevent further infections. The exact time frame the malicious installer was available for download remains unknown. It is also unclear how many users unknowingly installed the infected version. Until services are restored, users are urged to verify the software’s hash and check for suspicious executions of version.dll.
In a separate incident, another software supply chain breach was discovered in Procolored printers’ installation tools. Researcher Cameron Coward, of the Serial Hobbyism YouTube channel, found two embedded malware variants named XRed and SnipVex. XRed is a Delphi-based backdoor capable of stealing system data and spreading through connected USB drives. It can also perform tasks such as keystroke logging, screenshot capture, and remote file management.
SnipVex, the second malware, is a clipper virus designed to hijack Bitcoin transactions by replacing copied wallet addresses. It inserts the attacker’s wallet address into the clipboard to redirect cryptocurrency transfers. SnipVex modifies .EXE files but uses a unique marker to avoid re-infecting them. Though XRed’s control server was deactivated in February 2024, the infected systems remain at risk from SnipVex. The attacker’s wallet has already received over 9 BTC, totaling nearly $974,000.
Reference:
