Signed Fake RVTools Installer Deploys Python RAT on VMware Admin Systems
Researchers reported a malware campaign distributing a trojanized RVTools installer signed with a legitimately issued Sectigo code-signing certificate linked to Xiamen Lunwei Huage Network Co., Ltd., allowing the malicious MSI to appear trusted and reduce SmartScreen-style warnings. The installer abused MSI Custom Actions to run an obfuscated VBScript loader, which launched hidden PowerShell and downloaded a roughly 33 MB archive, winp.zip, from Dropbox into AppData, where staged components unpacked a modular Python remote access trojan.
After reboot, the malware executed collector.py and Pmanager.py to gather host and Active Directory data, save it to configA.json, and exfiltrate the information after RC4 encryption and zlib compression via HTTP POST to one of five hardcoded command-and-control servers every 300 seconds. The RAT also enabled command execution and payload delivery, while persistence was established through a Registry Run key and a scheduled task running as SYSTEM; researchers warned the campaign is especially dangerous because RVTools is widely used by VMware administrators with elevated privileges, and noted that certificate revocation may not stop execution in environments that do not enforce real-time OCSP or CRL checks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Seqrite links XenoRAT campaign against Afghan finance entities to SideCopy
Seqrite Labs reported a spear-phishing campaign targeting Afghanistan’s Ministry of Finance and provincial finance offices, attributing it with medium-to-high confidence to the Pakistan-linked SideCopy cluster under Transparent Tribe/APT36. The intrusion used Pashto-language lures, mshta-based payload delivery from a compromised Afghan education domain, and ultimately deployed XenoRAT 1.8.7 with persistence.
Sectigo code-signing certificate used in RVTools campaign is revoked
The reporting states that the code-signing certificate abused to sign the fake RVTools installer was later revoked. The sources note that revocation may not fully protect systems that do not enforce real-time OCSP or CRL checks.
Attackers distribute signed fake RVTools installer with Python RAT
Researchers reported a malware campaign distributing a trojanized RVTools MSI signed with a legitimately issued Sectigo certificate tied to Xiamen Lunwei Huage Network Co., Ltd. The installer used staged scripts to download additional payloads, establish persistence, collect host and Active Directory data, and beacon to hardcoded command-and-control servers.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Fake RVTools Installer Deploys Modular Python RAT
securityonline.info
Open sourceOperation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceMalicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings
cybersecuritynews.com
Open sourceRVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT - Malware Analysis - Malware Analysis, News and Indicators
malware.news
Open sourceRVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT - K7 Labs
labs.k7computing.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Fake Software Downloads Deliver STX RAT and Vjw0rm via Layered Dropper Chains
Security researchers reported two malware campaigns using fake or trojanized software downloads to install remote access trojans with credential theft and persistence features. eSentire identified a previously undocumented **STX RAT** after an attempted intrusion against a finance-sector organization, where a browser-downloaded VBScript launched a multi-stage loader chain using **XXTEA** and **Zlib** unpacking, anti-analysis checks, and several persistence methods. The malware supports **HVNC**, in-memory payload execution, tunneling, screenshots, security-tool inventory, and theft of browser credentials, cookies, Windows Vault data, FTP client secrets, and cryptocurrency wallets. Its command-and-control design uses **X25519 ECDH**, **Ed25519**, **HKDF-SHA256**, and **ChaCha20-Poly1305** over a custom TCP protocol, with infrastructure reachable over both the clear web and **Tor**. A separate investigation by Breakglass Intelligence found a fake software keygen packaged as a malicious WinRAR self-extracting archive that deployed the **Vjw0rm** JavaScript RAT through a four-layer dropper chain. The infection used nested SFX archives, a compiled AutoHotkey loader, parallel payload paths, and three persistence mechanisms, while abusing `upaste[.]me` as a dead-drop service and hiding the RAT as an XML file later renamed to JavaScript for execution. Researchers said the operator appeared to be a Turkish-speaking commodity cybercrime actor relying on reused tooling, deceptive file paths, and bundled legitimate Windows files to evade detection, underscoring how software cracks, keygens, and trojanized installers remain effective delivery vectors for RATs and infostealers.
Apr 25, 2026
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Mar 21, 2026
Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple **Remcos RAT** campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named `MV MERKET COOPER SPECIFICATION.zip` delivered an obfuscated JavaScript file that fetched a PowerShell loader from `almacensantangel[.]com`; the loader then reconstructed and decrypted payloads in memory, including `ALTERNATE.dll` and `Cqeqpvzeia.exe`. The malware injected into the legitimate Microsoft .NET utility `aspnet_compiler.exe`, communicated with `192[.]3[.]27[.]141:8087`, and stored captured keystrokes and other data in `C:\ProgramData\remcos\logs.dat`, leaving few disk artifacts. A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through **Google Cloud Storage** and the trusted `googleapis.com` domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through **process hollowing**, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Apr 25, 2026