At Spinnaker Support, your security is our priority. While RVTools is not software we directly support, and not a VMware product, its widespread use as a third-party tool among VMware customers compels us to issue this urgent advisory.
What’s Happening?
RVTools, a commonly used vSphere inventory and reporting utility, has been compromised and weaponized by threat actors. This includes trojanized installers, SEO poisoning tactics, and the use of malicious DLLs designed to infiltrate and persist within virtualized environments.
Our cybersecurity team has identified multiple ongoing malware campaigns leveraging this tool, making it unsafe for any further use or download.
Update: The official RVTools site (robware.net) has since been taken offline. However, the duration of the breach remains unknown. It is currently surmised that the site was actively serving the compromised software on Monday, May 12, between 8:00 AM and 11:00 AM.
Our Recommendation: Stop Using RVTools Immediately
Effective immediately, Spinnaker strongly advises:
• Avoid downloading RVTools from any public site
• Discontinue all internal use of RVTools
• Uninstall all existing versions from your environment
• Run a full malware scan on all applicable systems
This guidance applies to all VMware users, including contractors and partners.
How the Tool Has Been Compromised
Here’s a breakdown of the known attack vectors and associated threats:
1. Compromised Installer on the Official Site
The official RVTools site (robware.net) was found to be serving a compromised installer embedded with the Bumblebee malware loader. The site has since been taken down, but the duration of the breach remains unknown.
Help Net Security coverage
2. Trojanized Variants with Persistent Backdoors
Attackers used manipulated installers laced with the SMOKEDHAM backdoor, allowing them to compromise hypervisors and maintain persistent access to virtualized environments.
Read Synacktiv’s case study
3. SEO Poisoning and Fake Sites
With robware.net offline, threat actors have launched fake clone sites (e.g., rvtools[.]org) which are showing up at the top of Google results. These sites are distributing weaponized versions of RVTools designed to appear legitimate.
More on SEO poisoning tactics
DO NOT download RVTools from rvtools[.]org or any other unofficial domain. These clones are malicious.
What You Should Do Now
For the ongoing safety of your infrastructure, we recommend the following steps:
• Avoid all downloads of RVTools from public domains
• Discontinue use of RVTools immediately
• Remove all existing installations
• Conduct a thorough malware scan across all applicable systems
• Share this advisory with your VMware teams, contractors, and partners
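To decide which systems to scan first, web proxy logs can be checked for requests to the two domains named in this advisory. The sketch below is an added example, not a Spinnaker tool: the log format, host names and sample lines are constructed, and the timezone of the May 12 window is an assumption because the advisory does not state one.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

OFFICIAL = "robware.net"   # official site named in the advisory
LOOKALIKE = "rvtools.org"  # clone domain, defanged in the advisory as rvtools[.]org

# Constructed sample lines in an assumed format: "<ISO-8601 time> <client> <url>".
SAMPLE_LOG = [
    "2025-05-12T09:14:02+00:00 ws-017 https://www.robware.net/constructed/path",
    "2025-05-14T16:40:11+00:00 ws-022 https://robware.net/",
    "2025-05-15T10:02:45+00:00 ws-031 http://rvtools.org/constructed/path",
    "2025-05-15T10:03:00+00:00 ws-031 https://notrvtools.org.example/",
    "truncated line",
]

def in_domain(host, domain):
    """True for the domain itself or any subdomain, not for lookalike suffixes."""
    return host == domain or host.endswith("." + domain)

def triage(lines, window_tz=timezone.utc):
    """Return (severity, client, url) tuples for requests worth reviewing.

    window_tz is an assumption: the advisory gives the window as Monday,
    May 12, 8:00-11:00 AM without a timezone (year taken from its issue date).
    """
    start = datetime(2025, 5, 12, 8, 0, tzinfo=window_tz)
    end = datetime(2025, 5, 12, 11, 0, tzinfo=window_tz)
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=window_tz)
        host = (urlsplit(parts[2]).hostname or "").lower().rstrip(".")
        if in_domain(host, LOOKALIKE):
            findings.append(("high", parts[1], parts[2]))
        elif in_domain(host, OFFICIAL):
            # Breach duration is unknown, so hits outside the window still get reviewed.
            sev = "high" if start <= ts <= end else "review"
            findings.append((sev, parts[1], parts[2]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Clients flagged "high" are the first candidates for removal and a full malware scan; "review" hits reached the official site outside the surmised window and still warrant a check because the breach duration is unknown.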
How Spinnaker Can Help
This incident underscores why Spinnaker takes a proactive, multilayered approach to security. Our clients benefit from built-in protection through Spinnaker Shield, which includes:
• Real-time threat monitoring
• Security hardening guidance
• Advisory support for vulnerability management—even in unsupported software environments
If you need help identifying safe alternatives to RVTools or would like support in securing your VMware infrastructure, we’re here to guide you.
This advisory was authored by Stephen Bond, Senior Technical Analyst at Spinnaker Support. Version 1.0 | Security Advisory issued May 19, 2025