A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital certificate to slip past Windows security warnings without raising a flag.

RVTools is a staple in enterprise environments. IT administrators rely on it daily to get detailed visibility into virtual machines and infrastructure. Because it is typically run by people with high-level domain access, it made for a perfect impersonation target.

Whoever built this fake installer understood that, and crafted a campaign to exploit the trust that enterprise teams place in signed software.

Analysts at K7 Security Labs identified and reported the attack in detail. K7 Security Labs said in a report shared with Cyber Security News (CSN) that the fake installer carried a valid code-signing certificate issued by Sectigo, registered under what appears to be a shell entity called Xiamen Lunwei Huage Network Co., Ltd.

At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint controls raised no warnings.

What followed was a fully structured, three-stage attack. The malware dropped a hidden script inside the installer, ran a quiet reconnaissance sweep of the victim’s system, and established a persistent remote access channel that phoned home every five minutes.

Execution Flow of RAT (Source – K7 Security Labs)

For any organization running VMware at scale, a compromised administrator account through this vector is essentially game over.

The certificate has since been revoked. Revocation, however, only protects environments that enforce real-time certificate revocation checks at execution time; any environment relying solely on static signature validation would have seen nothing suspicious.

Sectigo Certificate Used to Slip Past SmartScreen

The installer used a digitally signed MSI file paired with a standard End-User License Agreement to build a convincing layer of false legitimacy.

Administrators who regularly encounter signed binaries with legal agreements would have little reason to question it. The attacker understood this pattern and exploited it deliberately.

Decoded Powershell command from CyberChef (Source - K7 Security Labs)

Once a user ran the file and granted administrative privileges, the installer quietly triggered a hidden VBScript stored inside the MSI’s binary table.

This script used decimal-to-character encoding to hide its real instructions, ensuring security scanners saw nothing alarming. It then spawned a hidden PowerShell process that downloaded a roughly 33MB archive called winp.zip from a Dropbox link and extracted it into the AppData folder.
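The decimal-to-character trick described above is cheap to undo once the script is extracted from the MSI. The following is an added analyst helper, not code from the article or from K7 Security Labs: it scans a VBScript body for runs of `Chr(n)`/`ChrW(n)` concatenations (and, going a step beyond the article, for bare comma-separated decimal code lists such as `Array(104,116,...)`), rebuilds the hidden strings, and flags keywords worth a closer look. The sample script and its decoded content are constructed placeholders, not the real payload.

```python
import re

# Constructed sample in the obfuscation style the article describes:
# a command string assembled from decimal character codes. The decoded
# text is a placeholder chosen for this example, not the real command.
SAMPLE_VBS = (
    'Set sh = CreateObject("WScript.Shell")\n'
    'cmd = Chr(112)&Chr(111)&Chr(119)&Chr(101)&Chr(114)&Chr(115)&Chr(104)'
    '&Chr(101)&Chr(108)&Chr(108)&Chr(32)&Chr(45)&Chr(119)&Chr(32)'
    '&Chr(104)&Chr(105)&Chr(100)&Chr(100)&Chr(101)&Chr(110)\n'
    'parts = Array(104,116,116,112,115,58,47,47)\n'
    'sh.Run cmd, 0\n'
)

# VBScript is case-insensitive, so match Chr/chr/CHR and ChrW alike.
CHR_CALL = re.compile(r'chrw?\(\s*(\d+)\s*\)', re.IGNORECASE)
# A "run" is two or more Chr() calls joined by &, optionally split across
# lines with the VBScript continuation character "_".
CHR_RUN = re.compile(
    r'chrw?\(\s*\d+\s*\)(?:\s*&\s*(?:_\s*)?chrw?\(\s*\d+\s*\))+',
    re.IGNORECASE,
)
# Bare decimal lists of at least eight codes (assumption: shorter lists are
# too often legitimate numeric data to be worth decoding).
DEC_LIST = re.compile(r'(?<![\d.])\d{1,3}(?:\s*,\s*\d{1,3}){7,}(?![\d.])')

# Keywords that make a decoded string worth an analyst's attention.
SUSPICIOUS = ('powershell', 'hidden', 'http', 'appdata', '.zip', 'wscript')


def decode_chr_runs(script):
    """Rebuild every Chr()&Chr()&... concatenation into its plaintext."""
    out = []
    for m in CHR_RUN.finditer(script):
        codes = [int(c) for c in CHR_CALL.findall(m.group(0))]
        out.append(''.join(chr(c) for c in codes))
    return out


def decode_decimal_lists(script):
    """Decode comma-separated decimal lists that fall in the printable range."""
    out = []
    for m in DEC_LIST.finditer(script):
        codes = [int(c) for c in m.group(0).split(',')]
        if all(9 <= c <= 126 for c in codes):   # tab/newline plus printable ASCII
            out.append(''.join(chr(c) for c in codes))
    return out


def decode_all(script):
    return decode_chr_runs(script) + decode_decimal_lists(script)


def triage(decoded_strings):
    """Map each decoded string to the suspicious keywords it contains."""
    hits = {}
    for s in decoded_strings:
        low = s.lower()
        found = [k for k in SUSPICIOUS if k in low]
        if found:
            hits[s] = found
    return hits


if __name__ == '__main__':
    for text, keys in triage(decode_all(SAMPLE_VBS)).items():
        print(f'{text!r}: {keys}')
```

Run it against the VBScript pulled from an MSI's Binary table (for example with `msidump` or an MSI viewer) rather than against the installer itself; the decoder only sees the script text.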

The archive contained a portable Python environment including VS Code, Spyder, Jupyter Lab, and PowerShell, burying malicious scripts among dozens of trusted tools that would appear normal in any file system audit.

After a reboot prompt framed as cleaning up installation files, persistence mechanisms activated quietly in the background.

Three-Stage Python RAT Deploys After Installation

Once the system restarted, two Python scripts got to work. The first, collector.py, performed a deep sweep of the host, gathering the hostname, MAC address, user privileges, installed services, running processes, and Active Directory details.

It hashed those identifiers into a unique eight-character ID so the attacker could track the victim even across IP address changes. All collected data was saved into a file called configA.json in the temp folder.

The second script, Pmanager.py, encrypted that data using RC4 combined with zlib compression and sent it to one of five hardcoded command-and-control server addresses over HTTP POST requests.

System Environment & Persistence Manager (Source - K7 Security Labs)

The RAT beaconed every 300 seconds and could receive instructions to run executables, launch PowerShell commands, download additional payloads, or remove itself from the machine entirely.

To survive reboots, it wrote a Windows Registry Run entry and created a scheduled task running with SYSTEM-level privileges.

Organizations using VMware should verify that any RVTools installer was downloaded directly from the official website at robware.net.

Security teams are advised to monitor for unexpected winp.zip files in AppData directories, watch for Python processes launched from unusual paths, and enforce real-time certificate revocation checks at execution.

Blocking outbound connections to unknown IP addresses from administrative workstations adds meaningful protection against attacks like this one.
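The monitoring advice above (the `winp.zip` drop in AppData, Python launched from unusual paths, the Run key and SYSTEM scheduled task, and the fixed 300-second beacon) translates directly into detection logic. The following is an added example written for this article, not a K7 Security Labs or vendor detection: it runs a handful of rules over constructed Sysmon-style JSON events and also matches process hashes against the MD5 values from the IoC table below. Host names, user names, timestamps, the 203.0.113.5 destination and the all-same-digit hashes are constructed sample data.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# MD5 values as published in the article's IoC table (MSI, VBScript loader,
# Pmanager.py, collector.py), normalised to lowercase for comparison.
KNOWN_BAD_MD5 = {
    "64bda120cb447e0c03f451190022a57b",
    "01a115c6f6ba3837234202a1e0d28bdc",
    "71085940124ad3c035a181acadc10362",
    "9192d18a955a9d03e2c70b60aac1784a",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-style events, one JSON object per line. Not real telemetry.
SAMPLE_EVENTS = r"""
{"ts":"2025-05-20T09:00:00","type":"process","host":"WS01","image":"C:\\Windows\\System32\\msiexec.exe","parent":"C:\\Windows\\explorer.exe","cmd":"msiexec /i RVTools.msi","md5":"64bda120cb447e0c03f451190022a57b"}
{"ts":"2025-05-20T09:00:05","type":"process","host":"WS01","image":"C:\\Windows\\System32\\wscript.exe","parent":"C:\\Windows\\System32\\msiexec.exe","cmd":"wscript MyScript.vbs","md5":"00000000000000000000000000000000"}
{"ts":"2025-05-20T09:00:06","type":"process","host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent":"C:\\Windows\\System32\\wscript.exe","cmd":"powershell -WindowStyle Hidden -Command placeholder","md5":"11111111111111111111111111111111"}
{"ts":"2025-05-20T09:00:40","type":"file","host":"WS01","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","path":"C:\\Users\\vadmin\\AppData\\Roaming\\winp.zip"}
{"ts":"2025-05-20T09:04:00","type":"process","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"python.exe Pmanager.py","md5":"22222222222222222222222222222222"}
{"ts":"2025-05-20T09:04:01","type":"registry","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinpUpdate"}
{"ts":"2025-05-20T09:04:02","type":"process","host":"WS01","image":"C:\\Windows\\System32\\schtasks.exe","parent":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","cmd":"schtasks /create /tn WinpUpdate /ru SYSTEM /sc onstart /tr C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","md5":"33333333333333333333333333333333"}
{"ts":"2025-05-20T09:05:00","type":"network","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","dst":"203.0.113.5:80"}
{"ts":"2025-05-20T09:10:00","type":"network","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","dst":"203.0.113.5:80"}
{"ts":"2025-05-20T09:15:00","type":"network","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","dst":"203.0.113.5:80"}
{"ts":"2025-05-20T09:20:00","type":"network","host":"WS01","image":"C:\\Users\\vadmin\\AppData\\Roaming\\winp\\python.exe","dst":"203.0.113.5:80"}
{"ts":"2025-05-20T09:21:00","type":"process","host":"WS01","image":"C:\\Program Files\\Python311\\python.exe","parent":"C:\\Windows\\explorer.exe","cmd":"python.exe notebook.py","md5":"44444444444444444444444444444444"}
"""


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def base(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) tuples for every rule that fires."""
    alerts = []
    beacons = defaultdict(list)   # (host, image, dst) -> connection times
    for e in events:
        img, parent = base(e.get("image", "")), base(e.get("parent", ""))
        cmd = e.get("cmd", "").lower()
        if e["type"] == "process":
            if e.get("md5", "").lower() in KNOWN_BAD_MD5:
                alerts.append(("ioc_hash_match", e["image"]))
            if img in SCRIPT_HOSTS and parent == "msiexec.exe":
                alerts.append(("script_host_from_installer", e["cmd"]))
            if img == "powershell.exe" and parent in SCRIPT_HOSTS and (
                    "-w hidden" in cmd or "windowstyle hidden" in cmd):
                alerts.append(("hidden_powershell_from_script_host", e["cmd"]))
            if img in ("python.exe", "pythonw.exe") and "\\appdata\\" in e["image"].lower():
                alerts.append(("python_from_appdata", e["image"]))
            if img == "schtasks.exe" and "/create" in cmd and "/ru system" in cmd:
                alerts.append(("scheduled_task_as_system", e["cmd"]))
        elif e["type"] == "file":
            if base(e["path"]) == "winp.zip" and "\\appdata\\" in e["path"].lower():
                alerts.append(("payload_archive_in_appdata", e["path"]))
        elif e["type"] == "registry":
            if "\\currentversion\\run\\" in e["key"].lower():
                alerts.append(("run_key_persistence", e["key"]))
        elif e["type"] == "network":
            key = (e["host"], e["image"], e["dst"])
            beacons[key].append(datetime.fromisoformat(e["ts"]))
    # Regular outbound timing: three or more gaps all within 10% of the median.
    for (host, image, dst), times in beacons.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 3:
            med = statistics.median(gaps)
            if med > 0 and all(abs(g - med) <= 0.1 * med for g in gaps):
                alerts.append(("periodic_beacon", f"{image} -> {dst} every {med:.0f}s"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(load_events(SAMPLE_EVENTS)):
        print(f"[{rule}] {detail}")
```

The beacon rule deliberately keys on timing regularity rather than on a destination list, since the article notes the RAT rotates across five hard-coded servers; the Python rule is scoped to AppData so that an interpreter installed under Program Files (the last sample event) does not fire.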

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| File Hash (MD5) | 64bda120cb447e0c03f451190022a57b | Malicious RVTools MSI installer |
| File Hash (SHA256) | d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4 | Malicious RVTools MSI installer |
| File Name | Binary.MyScript.vbs | Embedded VBScript loader inside MSI binary table |
| File Hash (MD5) | 01A115C6F6BA3837234202A1E0D28BDC | Binary.MyScript.vbs – Trojan (0001140e1) |
| File Name | Pmanager.py | Python C2 persistence and communications agent |
| File Hash (MD5) | 71085940124AD3C035A181ACADC10362 | Pmanager.py – Trojan (0001140e1) |
| File Name | collector.py | Python reconnaissance and data collection module |
| File Hash (MD5) | 9192D18A955A9D03E2C70B60AAC1784A | collector.py – Trojan (0001140e1) |
| File Name | winp.zip | Malicious payload archive downloaded from Dropbox (~33MB) |
| File Name | configA.json | JSON file storing collected host reconnaissance data |
| Certificate Issuer | Xiamen Lunwei Huage Network Co., Ltd. (Sectigo) | Shell entity used to obtain fraudulent code-signing certificate |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.