Update: Bumblebee Malware Delivered Through RVTools in New Supply Chain Compromise
Hunter Strategy has previously reported on Bumblebee malware’s use in cyber campaigns; this latest event reveals a new delivery tactic exploiting a trusted IT utility. On May 13, 2025, RVTools—a widely trusted tool for VMware environment reporting—was briefly compromised to distribute the Bumblebee loader. The breach came to light when Microsoft Defender for Endpoint flagged suspicious activity during an installation attempt, identifying the execution of a version[.]dll file from within the installer's directory—an uncommon behavior for this utility. Security teams immediately investigated and discovered that the installer was tampered with: the file size was significantly larger than expected, and its hash did not match the known clean version from the official website. The malware’s metadata raised additional concerns, containing nonsensical or symbolic terms likely designed to distract from its malicious purpose. These findings confirm a targeted compromise of RVTools’ distribution channel and point to a deliberate effort to weaponize the tool for initial access in enterprise environments.
In response, the RVTools website went offline briefly before returning with a corrected installer matching the official file hash, indicating the developers moved quickly to contain the breach. Meanwhile, the impacted organization conducted a full Defender scan on the affected system, which successfully quarantined the malicious file, and no lateral movement was detected. The security team also performed hash validation on previously downloaded versions across the network and found no other indicators of compromise. Internal threat intelligence teams shared relevant IOCs, and the software maintainer was alerted about the breach. This incident highlights the growing sophistication of supply chain attacks, where trusted tools are hijacked to silently deliver malware.
It reinforces the need for strict file integrity verification, routine monitoring of executable behavior, and secure distribution practices, including HTTPS-only downloads and mandatory code signing. Organizations are strongly urged to validate any RVTools installers downloaded recently and monitor systems for any abnormal execution involving version[.]dll, which may signal an undetected compromise.
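The integrity checks urged above, written out as an added PowerShell example; this is not code from Hunter Strategy's report or from the RVTools project. The installer path, the expected size and the SHA-256 placeholder are assumptions to replace with the values published on the official RVTools site, and the list of DLL names to watch for beside the installer is mine (version.dll is the one observed in this incident).

```powershell
# Added example, not code from Hunter Strategy or the RVTools project.
# Checks a downloaded installer the way the incident response above did:
# hash against the vendor-published value, size against the expected value,
# Authenticode signature, and DLLs sitting beside the installer that Windows
# would load ahead of the System32 copy (version.dll was the tell here).
param(
    # Assumption: where the installer was saved.
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\RVTools.msi",
    # Placeholder: paste the SHA-256 published on the official RVTools site.
    [string]$ExpectedSha256 = '<SHA256_FROM_OFFICIAL_RVTOOLS_SITE>',
    # Assumption: expected size in bytes from the official site; 0 skips the check.
    [long]$ExpectedSizeBytes = 0,
    # DLL names worth flagging next to an installer; version.dll is from this incident.
    [string[]]$WatchDlls = @('version.dll')
)

if (-not (Test-Path -LiteralPath $InstallerPath)) { throw "Installer not found: $InstallerPath" }
$file = Get-Item -LiteralPath $InstallerPath
$findings = @()

# 1. Hash: the tampered installer's SHA-256 did not match the official one.
$actualHash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256) {
    $findings += "HASH MISMATCH: on disk $actualHash, expected $ExpectedSha256"
}

# 2. Size: the tampered build was noticeably larger than the clean one.
if ($ExpectedSizeBytes -gt 0 -and $file.Length -ne $ExpectedSizeBytes) {
    $findings += "SIZE MISMATCH: $($file.Length) bytes on disk, expected $ExpectedSizeBytes"
}

# 3. Signature: a vendor installer should carry a valid, trusted Authenticode signature.
$sig = Get-AuthenticodeSignature -LiteralPath $InstallerPath
if ($sig.Status -ne 'Valid') {
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    $findings += "SIGNATURE: status '$($sig.Status)', signer: $signer"
}

# 4. Sideload candidates: for a DLL that is not on the KnownDLLs list, Windows
#    searches the application directory before System32, so a version.dll beside
#    the installer is what gets loaded instead of the real one.
$dlls = Get-ChildItem -LiteralPath $file.DirectoryName -Filter *.dll -File -ErrorAction SilentlyContinue |
    Where-Object { $WatchDlls -contains $_.Name }
foreach ($dll in $dlls) {
    $dllSig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
    $findings += "SIDELOAD CANDIDATE: $($dll.FullName) (signature: $($dllSig.Status), size: $($dll.Length))"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $InstallerPath matches the expected hash, is validly signed, and has no watched DLLs beside it."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once per downloaded copy (the hash of the clean installer is the authoritative check; size and signature are corroborating signals), and treat a watched DLL beside any installer in a Downloads or Temp folder as worth pulling for analysis even when the hash matches, since a dropped DLL can outlive the installer that brought it.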
Defendnot Tool Exploits Windows API to Silently Disable Microsoft Defender
A new tool named Defendnot, developed by security researcher es3n1n, demonstrates a critical weakness in Windows' antivirus management by silently disabling Microsoft Defender through a legitimate, though undocumented, Windows Security Center (WSC) API. This API, intended for use by antivirus software to notify Windows of its presence and manage real-time protection, is being abused to register a fake AV product. Windows is designed to turn off Microsoft Defender when another antivirus product is registered, to prevent conflicts, but Defendnot exploits this exact behavior without needing an actual AV product. Instead, it tricks Windows into believing one is present. The method is fully compliant with the API’s checks, which means the fake antivirus registration appears valid to the system. This is not a crude hack—it’s a clean, effective bypass of Windows' default protection logic.
Defendnot is a rework of a prior tool, no-defender, which spoofed antivirus registration using a third-party AV’s codebase. To avoid legal risks, Defendnot is built entirely from scratch, including a dummy antivirus DLL used for registration. The tool goes beyond simple disabling; it uses process injection to elevate its privileges and evade detection by Microsoft’s protections. Specifically, it injects its custom DLL into Taskmgr[.]exe, a signed system process that Windows already trusts. From inside this process, the tool registers a spoofed antivirus with a fake name. Once this fake AV is registered, Microsoft Defender disables itself instantly, believing that another security product has taken over protection duties. There’s no warning to the user, no visible error, and no prompt for reactivation. To maintain persistence, Defendnot schedules a task via Windows Task Scheduler that ensures it runs every time the user logs in.
While es3n1n claims this is a research project, the impact is significant—this method can be used by threat actors to silently remove endpoint protection with almost no friction. Any Windows device that allows code execution with enough privileges to inject into a trusted process is vulnerable to this tactic. While currently there is no evidence of Defendnot being used in active campaigns, it offers a blueprint for attackers to silently cripple endpoint security—a major concern for both enterprises and individual users.
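A defender-side audit for the condition Defendnot creates, added here as an example; it is not es3n1n's code and is not from the original post. It reads the same Security Center registrations the tool abuses, asks Defender for its own running mode, and lists logon-triggered scheduled tasks that run from outside the OS and Program Files directories. It assumes an elevated PowerShell session on a Windows client edition (the root/SecurityCenter2 namespace is not present on Windows Server), and the allowlisted product names are an assumption to adjust for your fleet.

```powershell
# Added example, not es3n1n's code and not from the original post. Audits what
# Windows Security Center believes about installed antivirus so that a spoofed
# registration which silenced Defender stands out, then checks Defender's own
# state and logon-triggered scheduled tasks (the tool's persistence mechanism).

# Assumption: the AV products your fleet legitimately runs. Adjust for your environment.
$AllowedAvNames = @('Microsoft Defender Antivirus', 'Windows Defender')

$findings = @()

# 1. What WSC has registered. A product whose name you do not recognise, whose
#    executable does not exist on disk, or whose executable is not validly signed
#    is exactly what a fake registration looks like.
$registered = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
foreach ($av in $registered) {
    $exe = $av.pathToSignedProductExe
    $known = $AllowedAvNames -contains $av.displayName
    $exists = ($exe) -and (Test-Path -LiteralPath $exe)
    $sigStatus = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'NoFile' }
    if (-not $known -or -not $exists -or $sigStatus -ne 'Valid') {
        $state = '{0:X}' -f $av.productState
        $findings += "WSC: '$($av.displayName)' exe='$exe' exists=$exists signature=$sigStatus known=$known productState=0x$state"
    }
}

# 2. Defender's own view. When another AV is registered, Defender stops real-time
#    protection and leaves 'Normal' running mode, with no prompt to the user.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -or $mp.AMRunningMode -ne 'Normal') {
    $findings += "Defender: RealTimeProtection=$($mp.RealTimeProtectionEnabled) AMRunningMode='$($mp.AMRunningMode)' AntivirusEnabled=$($mp.AntivirusEnabled)"
}

# 3. Logon-triggered scheduled tasks whose action lives outside the usual OS and
#    vendor directories. Legitimate software rarely re-arms itself from a user path.
$trusted = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot") | Where-Object { $_ }
foreach ($task in Get-ScheduledTask) {
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if (-not $logon) { continue }
    foreach ($action in $task.Actions) {
        $exe = [Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if (-not $exe) { continue }   # COM-handler actions have no Execute path
        $inTrusted = $trusted | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
        if (-not $inTrusted) {
            $findings += "Task: $($task.TaskPath)$($task.TaskName) runs at logon: $exe $($action.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: only allowlisted AV registered, Defender in Normal mode with real-time protection on, no unexpected logon tasks.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The three checks corroborate each other: a registration that WSC accepts will look valid by construction, so the useful signal is the mismatch between an unfamiliar registered product and a Defender that has gone quiet, together with the logon task that keeps the state in place. Scheduling this audit centrally, or alerting on the same conditions from EDR telemetry, turns the silent disablement into a visible event.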
ModiLoader Campaign Unleashes SnakeKeylogger Through Obfuscated Phishing Attacks
A new malware campaign involving ModiLoader—also referred to as DBatLoader—is actively targeting Windows users through highly targeted phishing emails, with a specific focus on impersonating Turkish banking institutions. Hunter Strategy is monitoring this campaign closely due to its advanced infection chain and effective use of social engineering, and will provide reporting as new information emerges. The attack begins when a user receives a convincingly written email in Turkish, urging them to open an attached RAR file supposedly containing transaction records. Once opened, a batch script inside the archive initiates a multi-stage infection process that begins by decoding and deploying the DBatLoader binary (x[.]exe) in the system’s temporary directory. This loader proceeds to execute a series of heavily obfuscated BAT scripts that manipulate the system environment and mask the malware’s behavior. These scripts are used to create fake system paths, copy legitimate tools, and sideload malicious DLLs by disguising programs such as svchost[.]pif to impersonate trusted processes (easinvoker[.]exe).
Once embedded in the system, ModiLoader delivers its final payload: SnakeKeylogger, a .NET-based information stealer designed to collect a wide range of sensitive data. This includes keystrokes, clipboard content, system details, and stored credentials—all of which can be exfiltrated through multiple channels, including FTP, SMTP, email, and Telegram. ASEC’s analysis of the malware reveals that it uses a hardcoded Telegram bot token to transmit stolen data directly to an attacker-controlled server, making interception and mitigation especially difficult. Users are vulnerable only if they open attachments from unfamiliar sources or if endpoint protections fail to detect the obfuscation and sideloading techniques.
The campaign highlights an ongoing shift where malware authors increasingly rely on living-off-the-land binaries (LOLBins) and legitimate system tools to perform malicious actions under the radar.
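Two defender-side hunts for the chain described above, added here as an example; this is not code from ASEC's analysis or from the original post. The first looks for executables in user-writable locations that borrow a system-process name or use the .pif or .scr extension, the masquerade this loader relies on. The second scans proxy log lines for Telegram Bot API calls, the exfiltration channel ASEC observed. The search roots and system-process names are assumptions, and the log lines, hostnames and bot token are constructed sample data, not real traffic.

```powershell
# Added example, not code from ASEC or the original post. Part 1 hunts for
# masquerading binaries in user-writable paths; part 2 flags Telegram Bot API
# traffic in proxy logs. Sample log lines and the bot token are constructed.

# ---- Part 1: masquerading binaries in user-writable locations ----------------
# Assumption: process names worth checking and the directories a phishing-delivered
# loader typically writes to.
$systemNames = @('svchost', 'explorer', 'lsass', 'csrss', 'winlogon')
$searchRoots = @("$env:TEMP", "$env:APPDATA", "$env:LOCALAPPDATA", "$env:PUBLIC") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$masquerades = Get-ChildItem -Path $searchRoots -Recurse -File -Include *.exe, *.pif, *.scr -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in @('.pif', '.scr')) -or ($systemNames -contains $_.BaseName) }
foreach ($m in $masquerades) {
    # A renamed copy of a signed tool (the easinvoker.exe pattern) still carries its
    # signature, so report the signer rather than trusting the name on disk.
    $sig = Get-AuthenticodeSignature -LiteralPath $m.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    Write-Warning "Masquerade candidate: $($m.FullName) size=$($m.Length) signature=$($sig.Status) signer=$signer"
}

# ---- Part 2: Telegram Bot API traffic in proxy logs --------------------------
# Constructed sample lines in the form: time client method url status process.
# The bot token below is a made-up value, not a real credential.
$sampleLog = @'
2025-05-14T09:12:01Z 10.0.5.21 GET https://www.vmware.com/ 200 chrome.exe
2025-05-14T09:12:44Z 10.0.5.21 POST https://api.telegram.org/bot123456789:FAKE_TOKEN_FOR_EXAMPLE_ONLY/sendDocument 200 svchost.pif
2025-05-14T09:13:02Z 10.0.5.30 GET https://update.microsoft.com/ 200 svchost.exe
'@ -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# Bot API calls carry the token in the URL path: /bot<numeric id>:<secret>/<method>.
# The numeric id alone is enough to correlate events without logging the secret.
$telegramBot = 'api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)'
$hits = foreach ($line in $sampleLog) {
    if ($line -match $telegramBot) {
        $fields = $line -split '\s+'
        [pscustomobject]@{
            Time    = $fields[0]
            Client  = $fields[1]
            Process = $fields[-1]
            Method  = $Matches[3]
            BotId   = $Matches[1]
        }
    }
}
$hits | Format-Table -AutoSize
```

On the sample data the second part returns one row: the POST to sendDocument from 10.0.5.21 by svchost.pif with bot id 123456789. In production the same regex runs over real proxy or DNS logs; where no business process uses Telegram, blocking api.telegram.org at the egress and alerting on any attempt removes this channel entirely, and a hit attributed to a .pif process is a strong enough signal on its own to isolate the host.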