Carder.life

Bumblebee malware distributed via Zenmap, WinMTR SEO poisoning (http://txgate.io:443/showthread.php?t=51296608)

WWW 05-26-2025 12:01 PM

<div id="post_message_793408">

The Bumblebee SEO poisoning campaign uncovered earlier this week <a href="https://www.bleepingcomputer.com/news/security/trojanized-rvtools-push-bumblebee-malware-in-seo-poisoning-campaign/" target="_blank">abusing the RVTools brand</a> is using more typosquatting domains mimicking other popular open-source projects.<br/>
<br/>
BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR traceroute utility.<br/>
<br/>
The Bumblebee malware loader has been pushed through at least two domains - zenmap[.]pro and winmtr[.]org. While the latter is currently offline, the former is still online and shows a fake blog page about Zenmap when visited directly.<br/>
<br/>
When users are redirected to zenmap[.]pro from search results, though, it shows a clone of the legitimate website for the nmap (Network Mapper) utility:<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/nmappage.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Fake nmap website delivering Bumblebee-infested installers

</td>
</tr>
</table>
</div>The two sites received traffic through SEO poisoning and rank high in Google and Bing search results for the associated terms.<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/winmrt(1).jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Google Search results

</td>
</tr>
</table>
</div>If anyone visits the fake Zenmap site directly, it shows several AI-generated articles, as seen in the image below:<br/>
<br/>
<img alt="" border="0" class="bbCodeImage" src="https://www.bleepstatic.com/images/news/u/1220909/2025/May/zenmap-blog.jpg"/><br/>
<div style="margin:20px; margin-top:5px; ">
<!-- <div class="smallfont" style="margin-bottom:2px">Quote:</div> -->
<table border="0" cellpadding="6" cellspacing="0" width="100%">
<tr>
<td class="alt2" style="background: rgb(37, 37, 37) none repeat scroll 0% 0%; border: 1px solid rgb(0, 0, 0); border-radius: 5px; font-size: 11px; text-shadow: none;">

Innocuous blog loading on direct hits

</td>
</tr>
</table>
</div>The payloads delivered through the download section are ‘zenmap-7.97.msi’ and ‘WinMTR.msi’, and they both evade detection from most antivirus engines on VirusTotal [<a href="https://www.virustotal.com/gui/file/5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1" target="_blank">1</a>, <a href="https://www.virustotal.com/gui/file/02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f" target="_blank">2</a>].<br/>
The installers deliver the promised application along with a malicious DLL, as in the case of RVTools, which drops a <a href="https://www.virustotal.com/gui/file/783a4034e44f58427a248454ade7ab09c4099414bb0a385ca32d8b263cd21ae4/detection" target="_blank">Bumblebee loader</a> on users' devices.<br/>
<br/>
From there, the backdoor can be used to profile the victim and introduce additional payloads, which may include infostealers, ransomware, and other types of malware.<br/>
<br/>
Apart from the open-source tools mentioned above, BleepingComputer has also seen the same campaign targeting users looking for Hanwha security camera management software WisenetViewer.<br/>
<br/>
Cyjax’s researcher <a href="https://www.cyjax.com/resources/blog/a-sting-on-bing-bumblebee-delivered-through-bing-seo-poisoning-campaign/" target="_blank">Joe Wrieden also spotted</a> a trojanized version of the video management software Milestone XProtect being part of the same campaign, with the malicious installers being delivered via ‘milestonesys[.]org’ (online).<br/>
<br/>
<b><font color="White"><font size="4">Official RVTools still offline</font></font></b><br/>
<br/>
Both official RVTools domains - Robware.net and RVTools.com - are currently showing a warning for users not to download the software from unofficial sites, but don't make the download link available themselves.<br/>
<br/>
Following allegations that the official RVTools site pushed a malware-laced installer, Dell Technologies <a href="https://www.bleepingcomputer.com/news/security/trojanized-rvtools-push-bumblebee-malware-in-seo-poisoning-campaign/" target="_blank">denied the accusation</a>, saying that its sites did not distribute a trojanized variant of the product.<br/>
<br/>
Dell stated that the official RVTools sites were taken offline because they were the targets of distributed denial-of-service (DDoS) attacks.<br/>
<br/>
One explanation for the attacks would be that the threat actor behind Bumblebee decided to take down the official download portals to drive users searching for alternative sources for the tool to the malicious sites.<br/>
<br/>
To mitigate the risk of installing trojanized versions of legitimate software, the best recommendation is to make sure to get it from official sources and package managers.<br/>
<br/>
It is also worth checking the downloaded <a href="https://www.virustotal.com/gui/file/0506126bcbc4641d41c138e88d9ea9f10fb65f1eeab3bff90ad25330108b324c" target="_blank">installer's hash</a> against a known, clean version before running it.<br/>
<br/>
<a href="https://www.bleepingcomputer.com/news/security/bumblebee-malware-distributed-via-zenmap-winmrt-seo-poisoning/" target="_blank">@ BleepingComputer</a>
</div>
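Checking a downloaded installer's hash against the vendor's published value, as the post recommends, as an added Python example (not code from the article or from BleepingComputer). It also flags the three Bumblebee-related SHA-256 values quoted in the post; the file path and the expected hash are supplied by the user, and the script name is an assumption.

```python
import hashlib
import hmac
import sys
from pathlib import Path

# SHA-256 values of the trojanized installers and the dropped Bumblebee
# loader, copied from the VirusTotal links in the post above.
KNOWN_BAD_SHA256 = {
    "5afe56d224c629d7b7b3c496665ecf373323c4afa44f6701d1924e44448d08c1": "trojanized zenmap-7.97.msi",
    "02197c23af1f99c3fa41d52f7f925e47ae5bfb5e604314d19382b1bb7112463f": "trojanized WinMTR.msi",
    "783a4034e44f58427a248454ade7ab09c4099414bb0a385ca32d8b263cd21ae4": "Bumblebee loader DLL",
}

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large MSI never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def classify_hash(actual, expected):
    """MALICIOUS: matches a Bumblebee indicator; OK: matches the published hash;
    MISMATCH: neither; INVALID: the published value is not SHA-256 hex."""
    actual, expected = actual.strip().lower(), expected.strip().lower()
    if actual in KNOWN_BAD_SHA256:
        return "MALICIOUS"
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        return "INVALID"
    # compare_digest is constant-time; cheap here and the right habit elsewhere
    return "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"

def verify_installer(path, expected_sha256):
    """Return (verdict, detail) for a downloaded installer and the hash
    published by the vendor or package manager for the clean release."""
    actual = sha256_file(path)
    verdict = classify_hash(actual, expected_sha256)
    return verdict, f"{Path(path).name}: {verdict} ({KNOWN_BAD_SHA256.get(actual, actual)})"

if __name__ == "__main__":
    # usage: python verify_installer.py <downloaded.msi> <sha256 from the vendor's release page>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_installer.py <file> <expected-sha256>")
    verdict, detail = verify_installer(sys.argv[1], sys.argv[2])
    print(detail)
    sys.exit(0 if verdict == "OK" else 1)
```

A non-zero exit code on anything but OK lets the check be dropped into a deployment script so an unverified installer is never run by accident.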

