Turning to trusted tools such as Zenmap or WinMTR for network diagnostic tasks has become routine for many IT professionals. However, that routine is being exploited by malicious actors through a new SEO poisoning campaign that uses fake domains to distribute the Bumblebee malware. The recently discovered campaign not only masquerades as RVTools, but has also begun to mimic other well-known open source projects through typosquatting, tricking users into downloading malicious installers from sites that appear legitimate.
In this campaign, specific cases have been identified in which the names of Zenmap (the graphical interface of the Nmap network scanner) and WinMTR, a traceroute utility widely used in enterprise environments, are abused. These tools often require administrative privileges, which makes those who use them ideal targets for attackers: users with privileged access who can be the perfect gateway to compromising an entire corporate network.
What might seem like a simple Google search to download a technical tool can become the first step towards a devastating infection.
How fake sites trick you with near-perfect clones
The Bumblebee malware has been distributed through at least two websites: zenmap[.]pro and winmtr[.]org. Although the latter is no longer online, the former is still active and, if you navigate to it directly, displays what appears to be a fake blog about Zenmap.
But the trick is in how you get to the site. If you access zenmap[.]pro from the search results, what you see is an almost identical copy of the official Nmap site (Network Mapper). In other words, everything is designed to look legitimate so that you don't suspect anything.
Fake nmap website offering installers infected with Bumblebee
Both sites managed to attract visits thanks to SEO poisoning techniques, appearing among the first results in Google and Bing when people searched for related terms.
Google search results
When visiting the fake Zenmap site directly, what appears is a series of articles clearly generated by artificial intelligence. But the real problem is in the download section.
That's where files like “zenmap-7.97.msi” and “WinMTR.msi” are offered, which come disguised as legitimate installers. The worrying thing is that most antivirus engines in VirusTotal do not even detect these files as malicious.
When someone installs one of these programs, the promised application does get installed... but a malicious DLL is smuggled in along with it. This is exactly what had already happened with RVTools: the installer includes a Bumblebee loader, which silently installs itself on the user's computer.
Once inside, that loader leaves open a backdoor that attackers can use to scan the system, steal data or drop even more dangerous payloads such as ransomware, information stealers or any other malware.
And they haven't limited themselves to network tools. This same campaign has also been targeting people looking to download Hanwha's WisenetViewer security camera management software. In addition, a researcher at Cyjax discovered that they are also distributing a Trojanized version of Milestone XProtect, another video management product, through the milestonesys[.]org site, which is still online.
Load of AI-generated blogs in direct visits (Source: BleepingComputer)
RVTools official site offline
Both Robware.net and RVTools.com, the official RVTools sites, still do not offer the installer for download. In fact, they now only display a warning asking users not to download the tool from unofficial sites, but without giving a direct or safe alternative.
This comes after the site was accused of distributing a malware version, something that Dell Technologies strongly denied. According to the company, its sites were not hosting any Trojanized version of the software.
Dell explained that the sites were taken offline because they were being targeted by DDoS (distributed denial of service) attacks.
One possible theory is that the group behind the Bumblebee malware could be behind these attacks. Why? Quite simply: if they remove legitimate download sources, users looking for RVTools will end up falling into the traps of the fake sites they control.
To avoid falling into these traps, the best thing you can do is always download software from official sources or trusted repositories, such as verified package managers. And if you want to be even safer, check the installer's hash against the one published by the vendor before opening it, to make sure it hasn't been modified. It is an extra step that can save you a lot of trouble.
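A defender-side complement to that advice, added here as an example and not part of the article: a small Python scan over proxy-log lines that flags downloads from domains borrowing a known tool's name (zenmap, winmtr, milestonesys, rvtools) while not being on the vendor allowlist. The log format, the sample lines and the allowlist are assumptions (nmap.org, robware.net and rvtools.com come from the article; milestonesys.com is assumed to be Milestone's real domain).

```python
from urllib.parse import urlparse

# Vendor hosts from the article (nmap.org, robware.net, rvtools.com) plus
# milestonesys.com, assumed to be Milestone's real domain. Maintain your own list.
OFFICIAL_DOMAINS = {"nmap.org", "robware.net", "rvtools.com", "milestonesys.com"}
# Tool names the campaign impersonated, per the article.
TOOL_NAMES = ("zenmap", "nmap", "winmtr", "rvtools", "milestonesys", "wisenet")
INSTALLER_EXTS = (".msi", ".exe")

def registered_domain(host):
    # Last two labels only; ignores multi-part public suffixes like co.uk.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_lookalike_downloads(log_lines):
    """Parse 'timestamp client method url status' lines (constructed format)
    and return one finding per request to a domain that borrows a tool name."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line: skip, do not crash the scan
        ts, client, _method, url, _status = parts[:5]
        parsed = urlparse(url)
        if not parsed.hostname:
            continue
        domain = registered_domain(parsed.hostname)
        if domain in OFFICIAL_DOMAINS:
            continue  # genuine vendor host
        label = domain.split(".")[0]
        matched = [t for t in TOOL_NAMES if t in label]
        if matched:
            findings.append({
                "time": ts, "client": client, "domain": domain,
                "impersonates": matched[0],
                "installer": parsed.path.lower().endswith(INSTALLER_EXTS),
            })
    return findings

# Constructed sample lines; hostnames echo the ones named in the article.
SAMPLE_LOG = [
    "2025-06-02T10:14:03Z 10.0.0.15 GET https://zenmap.pro/download/zenmap-7.97.msi 200",
    "2025-06-02T10:15:11Z 10.0.0.22 GET https://nmap.org/download.html 200",
    "2025-06-02T10:16:40Z 10.0.0.31 GET https://winmtr.org/WinMTR.msi 200",
    "2025-06-02T10:17:02Z 10.0.0.31 GET https://milestonesys.org/files/xprotect.msi 200",
    "2025-06-02T10:18:55Z 10.0.0.40 GET https://www.rvtools.com/ 200",
]

if __name__ == "__main__":
    for finding in find_lookalike_downloads(SAMPLE_LOG):
        print(finding)
```

On the sample log the scan reports the three lookalike hosts and leaves the genuine nmap.org and rvtools.com requests alone; feeding it real proxy exports only requires adapting the field split.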