{"id":13236,"date":"2026-05-29T10:03:39","date_gmt":"2026-05-29T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/29\/malicious-rvtools-installer-abuses-sectigo-certificate-to-bypass-smartscreen-warnings\/"},"modified":"2026-05-29T10:03:39","modified_gmt":"2026-05-29T10:03:39","slug":"malicious-rvtools-installer-abuses-sectigo-certificate-to-bypass-smartscreen-warnings","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/29\/malicious-rvtools-installer-abuses-sectigo-certificate-to-bypass-smartscreen-warnings\/","title":{"rendered":"Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings"},"content":{"rendered":"<p>    Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital certificate to slip past Windows security warnings without raising a flag.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">RVTools is a staple in enterprise environments. IT administrators rely on it daily to get detailed visibility into virtual machines and infrastructure. Because it is typically run by people with high-level domain access, it made for a perfect impersonation target. <\/p>\n<p class=\"wp-block-paragraph\">Whoever built this fake installer knew that, crafting a campaign to exploit the trust that enterprise teams place in signed software.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Analysts at\u00a0K7 Security Labs\u00a0identified and reported the attack in detail. <a href=\"https:\/\/labs.k7computing.com\/index.php\/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat\/\" id=\"https:\/\/labs.k7computing.com\/index.php\/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat\/\">K7 Security Labs said in a report<\/a> shared with\u00a0Cyber Security News (CSN)\u00a0that the fake installer carried a valid code-signing certificate issued by Sectigo, registered under what appears to be a shell entity called Xiamen Lunwei Huage Network Co., Ltd. <\/p>\n<p class=\"wp-block-paragraph\">At the time of delivery, the certificate was fully valid, meaning Windows SmartScreen and most endpoint controls raised no warnings.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">What followed was a fully structured, three-stage attack. The malware dropped a hidden script inside the installer, ran a quiet reconnaissance sweep of the victim\u2019s system, and established a persistent remote access channel that phoned home every five minutes. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhuN-fBWPyofdIFaKOCU9G-PO0Upg0Md8ikpVuYafJKeheYuS8lbDla8jLHIYR60E4zWxXM9InCcRiuTYzrZK5ERH8tXfBTlCcafn0UMA-Va8sq893LzCe-HgvQc5kGw5GyBsIaIrlbdQfwoxwGXRVZGp5tLhRdOY-KYtJ6jiUq85Wdd1FSi87o5J0_kL8\/s16000\/Execution%2520Flow%2520of%2520RAT%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\" alt=\"Execution Flow of RAT (Source - K7 Security Labs)\"><figcaption class=\"wp-element-caption\">Execution Flow of RAT (Source \u2013 K7 Security Labs)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">For any organization running VMware at scale, a compromised administrator account through this vector is essentially game over.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The certificate has since been revoked. However, this only offers limited protection to environments not enforcing real-time certificate checks at execution. Any environment relying solely on static signature validation would have seen nothing suspicious.<a rel=\"noreferrer noopener\" target=\"_blank\" href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\"><\/a><\/p>\n<h2 id=\"h-sectigo-certificate-used-to-slip-past-smartscreen\" class=\"wp-block-heading\"><strong>Sectigo Certificate Used to Slip Past SmartScreen<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The installer used a digitally signed MSI file paired with a standard End-User License Agreement to build a convincing layer of false legitimacy. <\/p>\n<p class=\"wp-block-paragraph\">Administrators who regularly encounter signed binaries with legal agreements would have little reason to question it. The attacker understood this pattern and exploited it deliberately.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjNFE3ASmPi3-24xPn0jnrq-K2CXX032-A2rYwIl_Dp11SPaycrbYuJeTTC9767h-2pifI6A3V7Q3jh3QbPpCAxOwqtTw34inalHWem4rGwupf2MkYybiJvIPTNHD_5B6FzZdPsGLpCzJsqrlgcjXtEa-3DYUCVEajMDsCLyRt9mgAioXjHhKNg6p65Qxo\/s16000\/Decoded%2520Powershell%2520command%2520from%2520CyberChef%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\" alt=\"Decoded Powershell command from CyberChef (Source - K7 Security Labs)\"><figcaption class=\"wp-element-caption\">Decoded Powershell command from CyberChef (Source \u2013 K7 Security Labs)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">Once a user ran the file and granted administrative privileges, the installer quietly triggered a hidden VBScript stored inside the MSI\u2019s binary table. <\/p>\n<p class=\"wp-block-paragraph\">This script used decimal-to-character encoding to hide its real instructions, ensuring security scanners saw nothing alarming. It then spawned a hidden PowerShell process that downloaded a roughly 33MB archive called winp.zip from a <a href=\"https:\/\/cybersecuritynews.com\/dropbox-phishing-attack-logins\/\" id=\"59414\" target=\"_blank\" rel=\"noreferrer noopener\">Dropbox link and extracted it into the AppData folder<\/a>.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The archive contained a portable Python environment including VS Code, Spyder, Jupyter Lab, and PowerShell, burying malicious scripts among dozens of trusted tools that would appear normal in any file system audit. <\/p>\n<p class=\"wp-block-paragraph\">After a reboot prompt framed as cleaning up installation files, persistence mechanisms activated quietly in the background.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-three-stage-python-rat-deploys-after-installation\" class=\"wp-block-heading\"><strong>Three-Stage Python RAT Deploys After Installation<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Once the system restarted, two Python scripts got to work. The first, collector.py, performed a deep sweep of the host, gathering the hostname, MAC address, user privileges, installed services, running processes, and Active Directory details. <\/p>\n<p class=\"wp-block-paragraph\">It hashed those identifiers into a unique eight-character ID so the attacker could track the victim even across IP address changes. All collected data was saved into a file called configA.json in the temp folder.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The second script, Pmanager.py, encrypted that data using RC4 combined with zlib compression and sent it to one of five hardcoded command-and-control server addresses over HTTP POST requests. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiT2d2Z6CNUA25nfjxF54JIBP015B9r7wYFcUZnc-pw8PBUYxX0p3G0khALZ4MxotR3iQzSdFcANJZXV4eSJIK1ti838eFuIfFMDd6vWkktm63ld4ow0MXSyV3KCxuim3bHf0JUI93XDSQ1HF2-OkvG0KFOOZesPTmbtj6mNSHld4Jn-LpVyfplCCJ4HsY\/s16000\/System%2520Environment%2520%26%2520Persistence%2520Manager%2520%28Source%2520-%2520K7%2520Security%2520Labs%29.webp?ssl=1\" alt=\"System Environment &amp; Persistence Manager (Source - K7 Security Labs)\"><figcaption class=\"wp-element-caption\">System Environment &amp; Persistence Manager (Source \u2013 K7 Security Labs)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The RAT beaconed every 300 seconds and could receive instructions to run executables, launch PowerShell commands, download additional payloads, or remove itself from the machine entirely. <\/p>\n<p class=\"wp-block-paragraph\">To survive reboots, it wrote a Windows Registry Run entry and created a scheduled task running with SYSTEM-level privileges.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Organizations using VMware should verify that any RVTools installer was downloaded directly from the official website at robware.net. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/security-teams-shrink-as-automation-rises\/\" id=\"100650\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams are advised to monitor for unexpected winp.zip files<\/a> in AppData directories, watch for Python processes launched from unusual paths, and enforce real-time certificate revocation checks at execution. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/badiis-malware-turns-hijacks-iis-servers\/\" id=\"150551\" target=\"_blank\" rel=\"noreferrer noopener\">Blocking outbound connections to unknown IP addresses<\/a> from administrative workstations adds meaningful protection against attacks like this one.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/678e8f63-81fb-469e-a72c-15c90c4ad990\/Malicious-RVTools-Installer-Abuses-Sectigo-Certificate-to-Bypass-SmartScreen-Warnings.pdf?AWSAccessKeyId=ASIA2F3EMEYEZVW43GAZ&amp;Signature=F9mNY9UpGGFA8Q6BPQHKQ%2FGu9bo%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEPX%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIQDJkzBWrQxXbx0tobTiGPq%2BGN2TDy1s5jD%2F3ntvuRgKOQIgZLKnA15L72grJE%2BlR18RAel4RHWOPl7JXaXzGds7L4Eq%2FAQIvv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARABGgw2OTk3NTMzMDk3MDUiDOXq%2F5aloQ3twubMIyrQBJ5aAQsXwdqw8mUjNmQBgqQP31ef0Q0JZEAno0uupdVAqx16OjoNq6AHTvh%2FHEqiB1klgMklgqltjmbc94jP7gUdQ4d1247DBZBOqssowZLVVA7pcySm%2BTb7718uxVTEahlFYJ3S6ksba16aQrpNLH%2B3i7LhKu%2FiIuvxZTfM8PCLb6udDesJTACqfGttyOjVHEmvbvgRFyzLb2b7XU3Gd%2BvuxJkaD8BlgyOPgHtFLgDhVhh%2FhuAXSKKzEtEP8dOaINsQzpnE0nkYWm4bPiu6CDvaK%2FVf2kO2RmRwikwUWo8sdKZuNLcAbJujZ8M1nzdQkJu57x4j%2FCTbEVKJPGj6TuIWgqOrCsg4uNiowGwhrDbcRftJLKdPnXnDSpKm7xzUmtWVCTSd3ZRIj2Bqavtwm1FOTCEyuSrgOMtDy206HQZJMQwKFncjtRFBIJPLce%2BGLUhYILbNdH8B686KgdTi9mpHWqXjdcfVNCyds7jrR4kdxDjRaIKBr%2BEnouLbsHctx4yyE0%2Bt%2BaK8cVwp42OM3cLT1oktpz2Hoeb0y%2BhAD9HPeJIt%2BOKSbjO7redqXvojmNw4yUED%2B90Z74MwBzJES0a7GEepRM089cEQhqoJZe4rCGBQdAYeeziejRSwLVCKoRRkVy7wb0HnL8aXpliGOHjdMCofmpCxA6R2n%2FUmny1hLUEIiDdaRyGmKWJYtRB1fmK1FP1ilNgZ39Bu2kqUsbxYRTSrHkpuf45OHzf5eWH9279c7ohrYG%2BkYKoq6b5rWcugWlhOx6rtle95vWHTqdcwkavk0AY6mAHGyBAQyuNnYJUWbFz8GKt9vYcELkrSqT3%2BTR4D76F3JBPJBTK0ygGrghlO5xXB6bhAySh8fUlQ2CW66Hax0bDgXKt%2BhgRgGxa4ulHgIcpSp0N%2BsBYaUZhWraLyewmFj3CMeCcNYg9jTaRThBnQrVjL2NmhhBt1EEZijVFgc8LO%2B5xSDYqpNhUmzIfH%2F3v9khDRVe%2FYUrbtaA%3D%3D&amp;Expires=1780031293\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of Compromise (IoCs):-<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>File Hash (MD5)<\/td>\n<td>64bda120cb447e0c03f451190022a57b<\/td>\n<td>Malicious RVTools MSI installer<\/td>\n<\/tr>\n<tr>\n<td>File Hash (SHA256)<\/td>\n<td>d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4<\/td>\n<td>Malicious RVTools MSI installer<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>Binary.MyScript.vbs<\/td>\n<td>Embedded VBScript loader inside MSI binary table<\/td>\n<\/tr>\n<tr>\n<td>File Hash (MD5)<\/td>\n<td>01A115C6F6BA3837234202A1E0D28BDC<\/td>\n<td>Binary.MyScript.vbs \u2013 Trojan (0001140e1)<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>Pmanager.py<\/td>\n<td>Python C2 persistence and communications agent<\/td>\n<\/tr>\n<tr>\n<td>File Hash (MD5)<\/td>\n<td>71085940124AD3C035A181ACADC10362<\/td>\n<td>Pmanager.py \u2013 Trojan (0001140e1)<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>collector.py<\/td>\n<td>Python reconnaissance and data collection module<\/td>\n<\/tr>\n<tr>\n<td>File Hash (MD5)<\/td>\n<td>9192D18A955A9D03E2C70B60AAC1784A<\/td>\n<td>collector.py \u2013 Trojan (0001140e1)<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>winp.zip<\/td>\n<td>Malicious payload archive downloaded from Dropbox (~33MB)<\/td>\n<\/tr>\n<tr>\n<td>File Name<\/td>\n<td>configA.json<\/td>\n<td>JSON file storing collected host reconnaissance data<\/td>\n<\/tr>\n<tr>\n<td>Certificate Issuer<\/td>\n<td>Xiamen Lunwei Huage Network Co., Ltd. (Sectigo)<\/td>\n<td>Shell entity used to obtain fraudulent code-signing certificate<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 90%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong> <strong><strong><a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener\">Google<\/a><\/strong><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/malicious-rvtools-installer-abuses-sectigo-certificate\/\">Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/malicious-rvtools-installer-abuses-sectigo-certificate\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious RVTools Installer Abuses Sectigo Certificate to Bypass SmartScreen Warnings A trusted tool for VMware administrators has been weaponized. Attackers built a fake version of RVTools, a widely used utility for managing virtual infrastructure, and disguised it with a real digital certificate to slip past Windows security warnings without raising a flag. RVTools is a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13236","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13236"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13236"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13236\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13236"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13236"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13236"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}