A recent SEO poisoning campaign has spread the Bumblebee malware, initially detected via a fake RVTools website. The campaign is now expanding to include more typosquatting domains that imitate popular open-source IT tools.
Researchers have noted that attackers are exploiting the names of Zenmap, the graphical user interface for the Nmap network scanner, and WinMTR, a widely used traceroute utility.
Both tools are standard among IT professionals who often need administrative rights, making them attractive targets for threat actors looking to breach corporate environments and move laterally across systems.
The Bumblebee operators use at least two lookalike domains to target IT staff.
According to investigations, the Bumblebee malware is disseminated through at least two domains named zenmap[.]pro and winmtr[.]org. While the latter seems offline, zenmap[.]pro is still reachable and shows a fake blog when accessed directly. Moreover, the site imitates the real Zenmap website when found through search engine results.
These sites use search engine optimisation (SEO) poisoning to achieve high rankings on platforms like Google and Bing. Unsuspecting users who download files like ‘zenmap—7.97.msi’ or ‘Winmtr.msi’ receive a package that includes the legitimate application alongside a malicious DLL that installs the Bumblebee loader.
Once installed, Bumblebee acts as a backdoor, allowing attackers to gather information on victims and deploy additional payloads, such as infostealers, ransomware, and other malware.
The official RVTools websites—Robware.net and RVTools.com—now feature warnings that caution users against downloading software from unauthorised sources. However, these sites do not currently provide any legitimate download links.
After allegations emerged that the official RVTools site was distributing malware, Dell, a major technology firm, denied involvement. The company clarified it had not hosted trojanized installers and attributed the outages to distributed denial-of-service (DDoS) attacks.
Some cybersecurity analysts suspect these DDoS attacks may have been carried out by the same threat actors responsible for developing Bumblebee, aiming to redirect traffic from official sources to their malicious sites.
To reduce the risk of installing compromised software, experts advise downloading applications exclusively from official sources or trusted package managers and verifying file hashes against known clean versions before installation.
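One way to turn that advice into a repeatable check, as an added example that is not part of the original article: a small Python script that refuses an installer unless it was fetched from an allowlisted official host (a lookalike such as zenmap[.]pro, or a host that merely contains the official name, fails) and its SHA-256 matches a digest the vendor published out of band. nmap.org is Zenmap's real home; the WinMTR host entry, the sample file and the expected digest are placeholders constructed for this example.

```python
import hashlib
from pathlib import Path
from urllib.parse import urlparse

# Official download hosts per tool. nmap.org really hosts Zenmap; the WinMTR
# entry is a placeholder (this example does not assert WinMTR's official host).
OFFICIAL_HOSTS = {
    "zenmap": {"nmap.org"},
    "winmtr": {"official-winmtr-host.example"},
}

CHUNK = 1024 * 1024


def sha256_of_file(path):
    """Stream the file so a large MSI does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def host_is_official(tool, url):
    """True only if the URL host is an official host or a subdomain of it.

    'zenmap.pro' and 'nmap.org.attacker.example' fail; 'dl.nmap.org' passes.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    allowed = OFFICIAL_HOSTS.get(tool.lower(), set())
    return any(host == a or host.endswith("." + a) for a in allowed)


def verify_download(tool, url, path, expected_sha256):
    """Return (ok, findings); ok is True only when every check passes.

    expected_sha256 must come from the vendor's own site or package index,
    never from the page the file was downloaded from.
    """
    findings = []
    if not host_is_official(tool, url):
        findings.append(
            f"download host {urlparse(url).hostname!r} is not an official {tool} host"
        )
    path = Path(path)
    if not path.is_file():
        findings.append(f"{path} does not exist")
        return False, findings
    actual = sha256_of_file(path)
    if actual != expected_sha256.lower():
        findings.append(f"sha256 mismatch: expected {expected_sha256}, got {actual}")
    return (not findings), findings


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a tiny stand-in for an installer and its published digest.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".msi") as tmp:
        tmp.write(b"hello")
    published = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
    print(verify_download("zenmap", "https://nmap.org/dist/zenmap-example.msi", tmp.name, published))
    print(verify_download("zenmap", "https://zenmap.pro/zenmap-7.97.msi", tmp.name, published))
```

The host check is deliberately stricter than "does the name appear in the domain": a typosquat only needs to contain the product name to rank in search results, so matching must be an exact host or a subdomain of the allowlisted one. The digest check is only as good as its source; a hash shown beside the download on a lookalike site will match the trojanized file by construction.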
