Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Fake RVTools Installer Exploits Certificate to Evade Security

Fake RVTools Installer Exploits Certificate to Evade Security

Posted on May 29, 2026 By CWS

A ubiquitous tool among VMware administrators has been exploited by cyber criminals. They developed a counterfeit version of RVTools, a key utility for managing virtual infrastructure, cleverly disguising it with a legitimate digital certificate. This tactic allowed them to bypass Windows security alerts without detection.

Exploitation of Trusted Software

RVTools is integral in enterprise settings, providing IT teams with comprehensive insights into virtual environments. Its reputation and the high-level access it requires made it an ideal target for attackers. The perpetrators behind this fraudulent installer capitalized on the trust typically afforded to signed software within enterprise systems.

K7 Security Labs first identified the issue, revealing in reports shared with Cyber Security News that the rogue installer utilized a genuine code-signing certificate from Sectigo. This certificate was issued to an entity named Xiamen Lunwei Huage Network Co., Ltd., which appears to be a shell company.

Methodology of the Attack

The attack was executed in three stages. Initially, the installer concealed a script that performed a reconnaissance of the victim’s system, establishing a covert remote access channel that communicated every five minutes. The digital certificate was valid during the attack, allowing it to slip past Windows SmartScreen and other endpoint defenses unnoticed.

Although the certificate has been revoked, environments not enforcing real-time certificate checks remain vulnerable. Static signature validation would not have flagged the installer as suspicious, highlighting the need for robust security measures.

Consequences and Protective Measures

The installer employed a digitally signed MSI file and a standard End-User License Agreement to create a false sense of legitimacy. Administrators familiar with signed software and legal agreements were unlikely to question its authenticity, which the attackers exploited.

Upon execution, the installer ran a hidden VBScript from the MSI’s binary table, using encoding techniques to mask its true function. This script initiated a hidden PowerShell process that downloaded a malicious archive, blending harmful scripts with trusted applications to avoid detection.

The attack continued after a system reboot, deploying two Python scripts. The first, collector.py, gathered detailed system information, while the second, Pmanager.py, encrypted and transmitted this data to remote servers. These scripts were designed to persist through system reboots by creating registry entries and scheduled tasks with elevated privileges.

Security Recommendations

Organizations using VMware should ensure RVTools installers are sourced directly from the official site. Security teams should monitor for unexpected files like winp.zip in the AppData directory and unusual Python processes. Implementing real-time certificate revocation checks at execution is crucial for defense against such attacks.

Blocking outbound connections from administrative workstations to unrecognized IP addresses can further safeguard against these threats. Indicators of compromise include specific file hashes and names detailed in the IoC section, which should be used to enhance security monitoring and response strategies.

For more cybersecurity updates, follow us on Google News, LinkedIn, and X. Set Cyber Security News as a preferred source for instant alerts.

Cyber Security News Tags:cyber attack, Cybersecurity, digital certificate, fake installer, Malware, remote access, RVTools, Sectigo certificate, SmartScreen, VMware

Post navigation

Previous Post: Kimsuky Expands Cyber Arsenal with New Techniques
Next Post: Samba Vulnerability Enables Severe Remote Code Execution

Related Posts

Apple’s Urgent iOS 15.8.7 Update Counters Exploit Threat Apple’s Urgent iOS 15.8.7 Update Counters Exploit Threat Cyber Security News
Ransomware Disrupts BridgePay’s Nationwide Payment Processing Ransomware Disrupts BridgePay’s Nationwide Payment Processing Cyber Security News
fsnotify Go Library Maintainer Changes Spark Security Concerns fsnotify Go Library Maintainer Changes Spark Security Concerns Cyber Security News
AI Pentesting Tool that Autonomously Checks for Code Vulnerabilities and Executes Real Exploits AI Pentesting Tool that Autonomously Checks for Code Vulnerabilities and Executes Real Exploits Cyber Security News
OpenAI Launches Expanded Cyber Defense with GPT-5.4-Cyber OpenAI Launches Expanded Cyber Defense with GPT-5.4-Cyber Cyber Security News
Threat Group ‘Crimson Collective’ Allegedly Claim Breach of Largest Fiber Broadband Brightspeed Threat Group ‘Crimson Collective’ Allegedly Claim Breach of Largest Fiber Broadband Brightspeed Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • Microsoft Fixes 570 Vulnerabilities in Major Update
  • Synopsys Denies Data Breach Amid Bosch Hack Allegations
  • Exploit in Microsoft Entra Allows Credential Validation
  • Critical Vulnerability in Claude Extension Exposes Google Data
  • Adobe Releases Critical Security Updates for ColdFusion

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark