A new SEO poisoning campaign distributing Bumblebee malware is targeting IT professionals by impersonating popular open-source tools like RVTools, Zenmap, and WinMTR. The campaign uses typosquatting domains such as zenmap[.]pro, winmtr[.]org, and milestonesys[.]org to deliver malicious installers. These websites often appear high in search engine results, increasing the risk of accidental downloads by unsuspecting users. The fake installers deliver the legitimate application bundled with a malicious DLL that installs the Bumblebee loader, which can enable further attacks like ransomware or data theft.
When visited directly, these malicious sites display harmless blog content, but redirected users see cloned versions of official websites with download links for trojanized software. Antivirus detection of these payloads is currently low. The campaign also targets users seeking Hanwha’s WisenetViewer and Milestone XProtect software.
Meanwhile, official RVTools sites have been taken offline amid DDoS attacks and allegations of malware distribution—claims denied by Dell Technologies. Experts advise users to always download software from official sources and verify file integrity using known hashes.
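The lookalike-domain pattern described above can be hunted in web proxy logs. The following is an added example, not code from the article or from any vendor it names: it flags requests to hosts that contain one of the impersonated tool names but are not on a verified allowlist. The log format, the `OFFICIAL_HOSTS` allowlist, the search-referrer markers and the sample lines are all assumptions.

```python
from urllib.parse import urlsplit

# Brand keywords: the tools the article names as impersonated.
BRANDS = ("rvtools", "zenmap", "winmtr", "milestonesys", "wisenetviewer")
# Assumption: hosts you have verified as official; maintain this list yourself.
OFFICIAL_HOSTS = {"nmap.org", "milestonesys.com"}
# Assumption: substrings that mark a search-engine referrer in your logs.
SEARCH_MARKERS = ("google.", "bing.", "duckduckgo.")
INSTALLER_EXT = (".exe", ".msi", ".zip")

def refang(value):
    """Undo defanging (hxxp, [.]) so the URL parses; nothing is fetched."""
    return value.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    host = (urlsplit(refang(url)).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def is_official(host):
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def triage(line):
    """Classify one constructed 'url referrer' proxy-log line."""
    url, referrer = line.split()
    host = host_of(url)
    brand = next((b for b in BRANDS if b in host), None)
    if brand is None or is_official(host):
        return None
    if urlsplit(refang(url)).path.lower().endswith(INSTALLER_EXT):
        return ("high", host, brand)    # installer pulled from a lookalike
    if any(m in host_of(referrer) for m in SEARCH_MARKERS):
        return ("medium", host, brand)  # reached the lookalike via search
    return ("low", host, brand)         # direct visit, no download seen

# Constructed sample lines; the domains are the defanged ones from the
# article, the paths and file names are made up for illustration.
SAMPLE_LOG = [
    "hxxps://zenmap[.]pro/ hxxps://www.bing.com/search?q=zenmap+download",
    "hxxps://zenmap[.]pro/files/zenmap-setup.msi hxxps://zenmap[.]pro/",
    "hxxps://nmap.org/download.html hxxps://www.google.com/",
    "hxxps://milestonesys[.]org/blog/post-1 -",
]

def scan(lines):
    return [hit for hit in map(triage, lines) if hit]

if __name__ == "__main__":
    for severity, host, brand in scan(SAMPLE_LOG):
        print(f"{severity:6} {host:20} looks like {brand}")
```

A "low" hit still deserves a look, since the article notes that direct visits to these sites show only harmless blog content.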