Malicious RVTools Installer Exploits Sectigo Certificate to Evade Security Measures
Severity: High (Score: 64.5)
Sources: Gbhackers, Cybersecuritynews
Keywords: rvtools, malicious, installer, sectigo, smartscreen, certificate, fake
Summary
A counterfeit RVTools installer is using a legitimately issued Sectigo code-signing certificate to bypass Microsoft Defender SmartScreen and other endpoint protections. The installer deploys a multi-stage Python-based remote access trojan (RAT) capable of extensive Active Directory reconnaissance and persistent command-and-control (C2) access. The attack primarily targets VMware environments, posing a significant risk to the IT administrators who rely on RVTools to manage virtual infrastructure. If an administrator is compromised, attackers could gain domain-level control over affected systems. The incident highlights the continuing challenge of supply chain attacks and the abuse of trusted certificates. The situation is under investigation, and organizations are urged to remain vigilant.

Key Points:
- A fake RVTools installer is using a legitimate Sectigo certificate to bypass security controls.
- The malware deploys a Python-based RAT with capabilities for deep AD reconnaissance.
- Compromise of VMware administrators can lead to domain-level control for attackers.
Detailed Analysis
**Impact**
VMware administrators and enterprises using RVTools are targeted, with potential domain-level compromise in VMware-heavy environments. The attack affects organizations relying on this tool for virtual infrastructure management, risking unauthorized access to Active Directory and persistent command-and-control (C2) access. Specific geographic or sector data is not provided.

**Technical Details**
The attack uses a fake RVTools installer signed with a legitimate Sectigo code-signing certificate to bypass Microsoft Defender SmartScreen and endpoint controls. It deploys a multi-stage Python-based remote access trojan (RAT) that performs deep Active Directory reconnaissance and maintains persistent C2 communication. No CVEs or specific infrastructure details are mentioned. Indicators of compromise (IOCs) are not provided.

**Recommended Response**
Defenders should verify the authenticity of RVTools installers and monitor for unusual Python-based processes and network traffic indicative of RAT activity. Endpoint detection rules should be updated to flag executables signed with the Sectigo certificate used in this campaign. Organizations should harden Active Directory monitoring and review SmartScreen bypass attempts. No patch or CVE mitigation is specified.
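The lesson of this campaign is that "signature valid" is not the same as "signed by the vendor": the fake installer carried a signature that chained to a trusted CA. The following PowerShell check is an added example, not code from the source articles or from the RVTools project; it verifies an installer by signer identity and vendor-published hash, not merely by signature status. The expected subject and SHA256 are placeholders that must be replaced with values obtained out-of-band from the vendor.

```powershell
# Added example: verify an RVTools installer before running it.
# A cryptographically valid Authenticode signature is not sufficient here, because
# the campaign abused a legitimately issued Sectigo certificate. Check WHO signed
# the file and whether its hash matches what the vendor publishes.
# The two placeholder values below are assumptions, not values taken from the page.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    # Substring expected in the signer's Subject field (placeholder; get it from the vendor).
    [string]$ExpectedSubject = 'CN=<RVTOOLS-VENDOR-SUBJECT-PLACEHOLDER>',
    # SHA256 published on the vendor's download page (placeholder; obtain out-of-band).
    [string]$ExpectedSha256 = '<VENDOR-PUBLISHED-SHA256-PLACEHOLDER>'
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Signature status: is it cryptographically valid and chained to a trusted root?
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    $findings.Add("Signature status is '$($sig.Status)' (expected 'Valid')")
}

# 2. Signer identity: a chain to Sectigo says nothing about which organisation holds the key.
$subject = $sig.SignerCertificate.Subject
$issuer  = $sig.SignerCertificate.Issuer
if (-not $subject -or $subject -notlike "*$ExpectedSubject*") {
    $findings.Add("Unexpected signer subject '$subject' (issuer '$issuer')")
}

# 3. Content integrity: compare with the hash the vendor publishes out-of-band.
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    $findings.Add("SHA256 $actual does not match the vendor-published hash")
}

# 4. Record the signer thumbprint; it is what EDR or AppLocker allow/block rules key on.
$thumb = $sig.SignerCertificate.Thumbprint

if ($findings.Count -eq 0) {
    Write-Output "OK: $InstallerPath signed by '$subject' (thumbprint $thumb); hash matches."
    exit 0
}
Write-Output "DO NOT RUN: $InstallerPath"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it as `.\Check-RVToolsInstaller.ps1 -InstallerPath .\RVTools.msi` after filling in the two placeholders; a non-zero exit code means at least one check failed and the file should be treated as untrusted.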
Source articles (2)
- Malicious RVTools Installer Uses Sectigo Cert to Evade SmartScreen — Gbhackers · 2026-05-29
  A malicious fake RVTools installer is abusing a legitimately issued Sectigo code-signing certificate to slip past Microsoft Defender SmartScreen and many endpoint controls, ultimately deploying a mult…
- Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings — Cybersecuritynews · 2026-05-29
  A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital…
Timeline
- 2026-05-29 — Malicious RVTools installer identified: A counterfeit version of RVTools was found exploiting a Sectigo certificate to evade security measures.
- 2026-05-29 — Attack method detailed: The installer deploys a multi-stage Python-based RAT, allowing extensive reconnaissance and persistent access.
Related entities
- Malware (Attack Type)
- T1036 - Masquerading (Mitre Attack)
- T1059.006 - Python (Mitre Attack)
- Microsoft Defender SmartScreen (Platform)
- Sectigo (Platform)
- Windows (Platform)
- Python (Tool)
- VMware (Tool)
- RVTools (Tool)