k7.2026.rvtools-signed-msi-python-rat
Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool
IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsfile
Signed fake RVTools MSI installer / d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi
file
Binary.MyScript.vbs embedded MSI custom action
url
Dropbox URL hosting winp.zip archive (exact URL not published)
file
winp.zip portable Python RAT bundle in %AppData%
file
Portable WinPython support layer / Pythonw.exe execution environment
file
collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A
file
%TEMP%\configA.json local reconnaissance staging file
file
Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362
ip
45.61.136.94
ip
64.95.12.238
ip
162.33.179.149
ip
64.95.13.76
ip
64.95.10.14
Relations
directed infrastructure edgese001dropse002
confirmed
e002downloade003
confirmed
e003downloade004
confirmed
e004dropse005
confirmed
e004dropse006
confirmed
e004dropse008
confirmed
e005executee006
confirmed
e006dropse007
confirmed
e005executee008
confirmed
e008referencese007
confirmed
e008connecte009
confirmed
e008connecte010
confirmed
e008connecte011
confirmed
e008connecte012
confirmed
e008connecte013
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
file | Signed fake RVTools MSI installer / d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi |
K7 states the campaign distributed a fake RVTools installer and that RVTools is attractive because VMware administrators often run it with high-level domain access. K7 says the MSI was digitally signed with a Sectigo certificate issued to Xiamen Lunwei Huage Network Co., Ltd., and that the certificate was valid at delivery time but later revoked. K7 IOC table lists d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi with detection Trojan (0001140e1). |
e002 |
file | Binary.MyScript.vbs embedded MSI custom action |
K7 states the malicious RVTools MSI deploys a malicious script embedded inside the installer Binary table under the name Binary.MyScript.vbs. K7 states the VBScript is obfuscated through decimal-to-character encoding and decodes a hidden PowerShell command. K7 IOC table lists Binary.MyScript.vbs with hash 01A115C6F6BA3837234202A1E0D28BDC. |
e003 |
url | Dropbox URL hosting winp.zip archive (exact URL not published) |
K7 states the decoded VBScript starts hidden PowerShell and uses Invoke-WebRequest to pull a malicious archive from a Dropbox URL. K7 states the archive is approximately 33 MB and is created as winp.zip in %AppData%. The exact Dropbox URL is not published by K7, so this node intentionally represents the confirmed trusted-site staging layer only. |
e004 |
file | winp.zip portable Python RAT bundle in %AppData% |
K7 states the hidden PowerShell creates the winp.zip payload in %AppData%. K7 describes the downloaded winp.zip archive as the malware operational core, bundling a portable development ecosystem with Python, VS Code, Spyder, Jupyter Lab, cmd, and PowerShell. K7 Fig2 shows the Dropbox URL leading to winp.zip in %appdata% and the archive dropping Python-related components and scripts. |
e005 |
file | Portable WinPython support layer / Pythonw.exe execution environment |
K7 states winp.zip includes a complete portable WinPython environment to make the RAT autonomous and avoid dependence on pre-existing victim dependencies. K7 Fig2 shows Pythonw.exe executing the Python modules after extraction. The support layer hides the malicious scripts among trusted development tools such as VS Code, Spyder, and Jupyter Lab. |
e006 |
file | collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A |
K7 states collector.py performs system and network exploration, gathering hostname, user privileges, Active Directory context, running processes, services, and active network connections. K7 states collector.py creates a persistent victim fingerprint by hashing the MAC address and hostname. K7 IOC table lists collector.py with hash 9192D18A955A9D03E2C70B60AAC1784A. |
e007 |
file | %TEMP%\configA.json local reconnaissance staging file |
K7 states collector.py writes collected host, system, network, process, and privilege information into configA.json in %TEMP%. K7 explains configA.json is not immediately sent by collector.py; Pmanager.py later retrieves, encrypts, compresses, and exfiltrates it. The file acts as local staging for data later sent to C2. |
e008 |
file | Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362 |
K7 describes Pmanager.py as the Persistence and Command & Control Manager responsible for keeping the malware alive, encrypting stolen data, and communicating with attacker infrastructure. K7 states Pmanager.py applies random salt, RC4 encryption, and zlib compression to outbound data and decrypts incoming C2 instructions. K7 states Pmanager.py beacons every 300 seconds and can receive operator commands including executable launch, PowerShell script execution, configuration changes, and self-termination. K7 IOC table lists Pmanager.py with hash 71085940124AD3C035A181ACADC10362. |
e009 |
ip | 45.61.136.94 |
K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized. K7 Fig15 lists 45.61.136.94 in the hardcoded C2 IP array. K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure. |
e010 |
ip | 64.95.12.238 |
K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized. K7 Fig15 lists 64.95.12.238 in the hardcoded C2 IP array. K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure. |
e011 |
ip | 162.33.179.149 |
K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized. K7 Fig15 lists 162.33.179.149 in the hardcoded C2 IP array. K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure. |
e012 |
ip | 64.95.13.76 |
K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized. K7 Fig15 lists 64.95.13.76 in the hardcoded C2 IP array. K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure. |
e013 |
ip | 64.95.10.14 |
K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized. K7 Fig15 lists 64.95.10.14 in the hardcoded C2 IP array. K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure. |
ATT&CK annotations
optional complementary mappingThe installer masquerades as RVTools and uses a legitimate-looking signed MSI/EULA workflow.
Binary.MyScript.vbs is embedded in the MSI Binary table and invoked as a custom action.
The VBScript launches hidden PowerShell and Invoke-WebRequest.
Hidden PowerShell downloads winp.zip from Dropbox.
collector.py collects host and environment details.
collector.py queries Active Directory computer-object count/context.
Pmanager.py creates a Registry Run entry for persistence.
Pmanager.py creates a scheduled task for persistence.
Pmanager.py sends encrypted/compressed data via HTTP POST to hardcoded C2 IPs.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "k7.2026.rvtools-signed-msi-python-rat",
"title": "Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool",
"description": "IIM chain for K7 Labs research published on 2026-05-28. The campaign masquerades as a signed RVTools installer for VMware administrators. The MSI contains an embedded VBScript custom action named Binary.MyScript.vbs, which decodes and launches hidden PowerShell. PowerShell downloads a roughly 33 MB archive from Dropbox, creates winp.zip in %AppData%, extracts a portable WinPython support layer, and launches collector.py and Pmanager.py with staged timing. collector.py fingerprints the host and Active Directory context into configA.json. Pmanager.py reads that local staging file, establishes persistence, encrypts and compresses outgoing data, and beacons every 300 seconds to a five-IP hardcoded C2 pool with automatic failover. The exact Dropbox URL was not published by K7, so the Dropbox node is modeled as a confirmed trusted-site staging class rather than an invented concrete URL.",
"actor_id": "unknown",
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_source": {
"title": "RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT",
"publisher": "K7 Labs",
"author": "Harsh Gupta",
"url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"published_at": "2026-05-28",
"accessed_at": "2026-05-30T00:00:00Z",
"source_type": "original vendor research report",
"source_policy": "Original K7 Labs source only. Secondary summaries were not used for chain content.",
"x_source_title": "Signed fake RVTools MSI to Dropbox-staged modular Python RAT and hardcoded IP C2 pool",
"x_source_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
},
"x_source_urls": [
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
],
"x_resource_links_verified": [
{
"url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"status": "opened via web retrieval",
"verified_at": "2026-05-30T00:00:00Z",
"notes": "Verified article title, publisher, publication date, MSI/VBScript/Dropbox/winp.zip execution flow, collector.py, Pmanager.py, C2 behavior, and IOC table."
},
{
"url": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png",
"status": "opened via web retrieval",
"verified_at": "2026-05-30T00:00:00Z",
"notes": "Verified execution-flow diagram showing RVTools.msi installer, Binary.MyScript.vbs, hidden PowerShell, Invoke-WebRequest, Dropbox URL, winp.zip in %appdata%, Pythonw.exe, collector.py, Pmanager.py, configA.json and C2 connection."
},
{
"url": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"status": "opened via web retrieval",
"verified_at": "2026-05-30T00:00:00Z",
"notes": "Verified Fig15 hardcoded IP list: 45.61.136.94, 64.95.12.238, 162.33.179.149, 64.95.13.76, 64.95.10.14."
}
],
"x_iocs": {
"sha256": [
"d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4"
],
"md5": [
"01A115C6F6BA3837234202A1E0D28BDC",
"71085940124AD3C035A181ACADC10362",
"9192D18A955A9D03E2C70B60AAC1784A"
],
"ips": [
"45.61.136.94",
"64.95.12.238",
"162.33.179.149",
"64.95.13.76",
"64.95.10.14"
],
"files": [
"RVTools.msi",
"Binary.MyScript.vbs",
"winp.zip",
"collector.py",
"Pmanager.py",
"configA.json"
]
},
"x_limitations": [
"K7 confirms a Dropbox URL was used to download the archive, but does not publish the exact Dropbox URL. The Dropbox entity therefore represents the confirmed trusted-site staging layer, not a fabricated URL.",
"K7 does not publish the original website, ad, email, referrer, or full distribution path used to get victims to execute the fake RVTools MSI. The entry is therefore modeled at the signed MSI level.",
"The five C2 IP addresses are extracted from K7 Fig15. The report describes them as a hardcoded C2 list used with automatic failover; it does not publish domain names for those IPs.",
"Host behavior such as Run keys, scheduled tasks, hidden PowerShell windows, RC4, zlib, and command execution is preserved as evidence and ATT&CK context, but only infrastructure-relevant elements are modeled as IIM nodes."
],
"entities": [
{
"id": "e001",
"type": "file",
"value": "Signed fake RVTools MSI installer / d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the campaign distributed a fake RVTools installer and that RVTools is attractive because VMware administrators often run it with high-level domain access.",
"K7 says the MSI was digitally signed with a Sectigo certificate issued to Xiamen Lunwei Huage Network Co., Ltd., and that the certificate was valid at delivery time but later revoked.",
"K7 IOC table lists d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4.msi with detection Trojan (0001140e1)."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_sha256": "d0f5e98fb840fb5656d3f50613b6f1ec60e57392643159841bc1fa95396087a4",
"x_codesigning_certificate": {
"issuer": "Sectigo",
"subject": "Xiamen Lunwei Huage Network Co., Ltd.",
"status_at_delivery": "valid according to K7",
"status_after_publication": "revoked according to K7"
},
"x_distribution_path_published": false,
"x_chain_stage": "initial_fake_installer"
},
{
"id": "e002",
"type": "file",
"value": "Binary.MyScript.vbs embedded MSI custom action",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the malicious RVTools MSI deploys a malicious script embedded inside the installer Binary table under the name Binary.MyScript.vbs.",
"K7 states the VBScript is obfuscated through decimal-to-character encoding and decodes a hidden PowerShell command.",
"K7 IOC table lists Binary.MyScript.vbs with hash 01A115C6F6BA3837234202A1E0D28BDC."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_md5": "01A115C6F6BA3837234202A1E0D28BDC",
"x_embedding_location": "MSI Binary table",
"x_chain_stage": "msi_custom_action_loader"
},
{
"id": "e003",
"type": "url",
"value": "Dropbox URL hosting winp.zip archive (exact URL not published)",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the decoded VBScript starts hidden PowerShell and uses Invoke-WebRequest to pull a malicious archive from a Dropbox URL.",
"K7 states the archive is approximately 33 MB and is created as winp.zip in %AppData%.",
"The exact Dropbox URL is not published by K7, so this node intentionally represents the confirmed trusted-site staging layer only."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_service": "Dropbox",
"x_exact_url_published": false,
"x_infrastructure_class": "living_off_trusted_site_file_hosting",
"x_chain_stage": "remote_archive_staging"
},
{
"id": "e004",
"type": "file",
"value": "winp.zip portable Python RAT bundle in %AppData%",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the hidden PowerShell creates the winp.zip payload in %AppData%.",
"K7 describes the downloaded winp.zip archive as the malware operational core, bundling a portable development ecosystem with Python, VS Code, Spyder, Jupyter Lab, cmd, and PowerShell.",
"K7 Fig2 shows the Dropbox URL leading to winp.zip in %appdata% and the archive dropping Python-related components and scripts."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_archive_container": true,
"x_approx_size": "~33 MB according to K7",
"x_chain_stage": "archive_container"
},
{
"id": "e005",
"type": "file",
"value": "Portable WinPython support layer / Pythonw.exe execution environment",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states winp.zip includes a complete portable WinPython environment to make the RAT autonomous and avoid dependence on pre-existing victim dependencies.",
"K7 Fig2 shows Pythonw.exe executing the Python modules after extraction.",
"The support layer hides the malicious scripts among trusted development tools such as VS Code, Spyder, and Jupyter Lab."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_chain_stage": "runtime_support_layer",
"x_contains": [
"Python",
"VS Code",
"Spyder",
"Jupyter Lab",
"cmd",
"PowerShell"
]
},
{
"id": "e006",
"type": "file",
"value": "collector.py reconnaissance module / 9192D18A955A9D03E2C70B60AAC1784A",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states collector.py performs system and network exploration, gathering hostname, user privileges, Active Directory context, running processes, services, and active network connections.",
"K7 states collector.py creates a persistent victim fingerprint by hashing the MAC address and hostname.",
"K7 IOC table lists collector.py with hash 9192D18A955A9D03E2C70B60AAC1784A."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_md5": "9192D18A955A9D03E2C70B60AAC1784A",
"x_chain_stage": "reconnaissance_module"
},
{
"id": "e007",
"type": "file",
"value": "%TEMP%\\configA.json local reconnaissance staging file",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states collector.py writes collected host, system, network, process, and privilege information into configA.json in %TEMP%.",
"K7 explains configA.json is not immediately sent by collector.py; Pmanager.py later retrieves, encrypts, compresses, and exfiltrates it.",
"The file acts as local staging for data later sent to C2."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_local_path": "%TEMP%\\configA.json",
"x_external_infrastructure": false,
"x_chain_stage": "local_data_staging"
},
{
"id": "e008",
"type": "file",
"value": "Pmanager.py persistence and C2 manager / 71085940124AD3C035A181ACADC10362",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 describes Pmanager.py as the Persistence and Command & Control Manager responsible for keeping the malware alive, encrypting stolen data, and communicating with attacker infrastructure.",
"K7 states Pmanager.py applies random salt, RC4 encryption, and zlib compression to outbound data and decrypts incoming C2 instructions.",
"K7 states Pmanager.py beacons every 300 seconds and can receive operator commands including executable launch, PowerShell script execution, configuration changes, and self-termination.",
"K7 IOC table lists Pmanager.py with hash 71085940124AD3C035A181ACADC10362."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_md5": "71085940124AD3C035A181ACADC10362",
"x_beacon_interval_seconds": 300,
"x_protocol": "HTTP POST according to K7 Fig14/text",
"x_outbound_processing": [
"random 16-byte salt",
"RC4 encryption",
"zlib compression"
],
"x_chain_stage": "c2_agent"
},
{
"id": "e009",
"type": "ip",
"value": "45.61.136.94",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized.",
"K7 Fig15 lists 45.61.136.94 in the hardcoded C2 IP array.",
"K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_c2_role": "hardcoded_ip_pool_member",
"x_failover_pool": true,
"x_reference_image": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"x_chain_stage": "c2"
},
{
"id": "e010",
"type": "ip",
"value": "64.95.12.238",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized.",
"K7 Fig15 lists 64.95.12.238 in the hardcoded C2 IP array.",
"K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_c2_role": "hardcoded_ip_pool_member",
"x_failover_pool": true,
"x_reference_image": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"x_chain_stage": "c2"
},
{
"id": "e011",
"type": "ip",
"value": "162.33.179.149",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized.",
"K7 Fig15 lists 162.33.179.149 in the hardcoded C2 IP array.",
"K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_c2_role": "hardcoded_ip_pool_member",
"x_failover_pool": true,
"x_reference_image": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"x_chain_stage": "c2"
},
{
"id": "e012",
"type": "ip",
"value": "64.95.13.76",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized.",
"K7 Fig15 lists 64.95.13.76 in the hardcoded C2 IP array.",
"K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_c2_role": "hardcoded_ip_pool_member",
"x_failover_pool": true,
"x_reference_image": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"x_chain_stage": "c2"
},
{
"id": "e013",
"type": "ip",
"value": "64.95.10.14",
"observed_at": "2026-05-28T00:00:00Z",
"source": "K7 Labs: RVTools Masquerade: How a Signed Fake Installer Deploys a Modular Python RAT (2026-05-28)",
"evidence": [
"K7 states the RAT maintains a list of five hardcoded IP addresses for C2 resilience and cycles through redundant servers if a connection is neutralized.",
"K7 Fig15 lists 64.95.10.14 in the hardcoded C2 IP array.",
"K7 states C2 communication uses encrypted payloads over HTTP POST and a 300-second heartbeat, with faster 10-second retry mode on connection failure."
],
"x_reference_url": "https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/",
"x_c2_role": "hardcoded_ip_pool_member",
"x_failover_pool": true,
"x_reference_image": "https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png",
"x_chain_stage": "c2"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Fake signed installer is the first public artifact modeled because K7 does not publish the preceding distribution URL or lure source."
},
{
"entity_id": "e002",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e003",
"role": "staging",
"techniques": [
"IIM-T006"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Dropbox is modeled as Living-off-Trusted-Sites; exact URL was not published."
},
{
"entity_id": "e004",
"role": "staging",
"techniques": [
"IIM-T024"
],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e005",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e006",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e007",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"review_notes": "Local data-staging artifact; not external infrastructure, but retained because it is the handoff between collector.py and Pmanager.py."
},
{
"entity_id": "e008",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e009",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e010",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e011",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e012",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
},
{
"entity_id": "e013",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed"
}
],
"relations": [
{
"from": "e001",
"to": "e002",
"type": "drops",
"sequence_order": 1,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states the malicious MSI contains/deploys Binary.MyScript.vbs from the internal Binary table as a custom action.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e002",
"to": "e003",
"type": "download",
"sequence_order": 2,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states the decoded VBScript launches hidden PowerShell and Invoke-WebRequest to download a malicious archive from a Dropbox URL.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e003",
"to": "e004",
"type": "download",
"sequence_order": 3,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states the Dropbox-hosted archive is downloaded and created as winp.zip in %AppData%.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png"
]
},
{
"from": "e004",
"to": "e005",
"type": "drops",
"sequence_order": 4,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states winp.zip bundles a portable WinPython environment and development tools used as the malware operational core.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e004",
"to": "e006",
"type": "drops",
"sequence_order": 5,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states the archive hides collector.py within the portable Python/development-tool bundle.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e004",
"to": "e008",
"type": "drops",
"sequence_order": 6,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states the archive hides Pmanager.py within the portable Python/development-tool bundle.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e005",
"to": "e006",
"type": "execute",
"sequence_order": 7,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig2 shows Pythonw.exe executing collector.py after a five-second delay.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png"
]
},
{
"from": "e006",
"to": "e007",
"type": "drops",
"sequence_order": 8,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states collector.py writes collected reconnaissance output to %TEMP%\\configA.json.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e005",
"to": "e008",
"type": "execute",
"sequence_order": 9,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig2 shows Pythonw.exe executing Pmanager.py after a 30-second delay.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig2.png"
]
},
{
"from": "e008",
"to": "e007",
"type": "references",
"sequence_order": 10,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 states Pmanager.py retrieves configA.json, encrypts and compresses it, and posts it to attacker infrastructure.",
"https://labs.k7computing.com/index.php/rvtools-masquerade-how-a-signed-fake-installer-deploys-a-modular-python-rat/"
]
},
{
"from": "e008",
"to": "e009",
"type": "connect",
"sequence_order": 11,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig15 lists 45.61.136.94 as part of the hardcoded C2 IP list; K7 text describes HTTP POST C2 communication and failover cycling.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
]
},
{
"from": "e008",
"to": "e010",
"type": "connect",
"sequence_order": 12,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig15 lists 64.95.12.238 as part of the hardcoded C2 IP list; K7 text describes HTTP POST C2 communication and failover cycling.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
]
},
{
"from": "e008",
"to": "e011",
"type": "connect",
"sequence_order": 13,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig15 lists 162.33.179.149 as part of the hardcoded C2 IP list; K7 text describes HTTP POST C2 communication and failover cycling.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
]
},
{
"from": "e008",
"to": "e012",
"type": "connect",
"sequence_order": 14,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig15 lists 64.95.13.76 as part of the hardcoded C2 IP list; K7 text describes HTTP POST C2 communication and failover cycling.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
]
},
{
"from": "e008",
"to": "e013",
"type": "connect",
"sequence_order": 15,
"observed_at": "2026-05-28T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"K7 Fig15 lists 64.95.10.14 as part of the hardcoded C2 IP list; K7 text describes HTTP POST C2 communication and failover cycling.",
"https://labs.k7computing.com/wp-content/uploads/2026/05/Fig15.png"
]
}
],
"attack_annotations": [
{
"technique_id": "T1036",
"name": "Masquerading",
"tactic": "Defense Evasion",
"comment": "The installer masquerades as RVTools and uses a legitimate-looking signed MSI/EULA workflow."
},
{
"technique_id": "T1059.005",
"name": "Command and Scripting Interpreter: Visual Basic",
"tactic": "Execution",
"comment": "Binary.MyScript.vbs is embedded in the MSI Binary table and invoked as a custom action."
},
{
"technique_id": "T1059.001",
"name": "Command and Scripting Interpreter: PowerShell",
"tactic": "Execution",
"comment": "The VBScript launches hidden PowerShell and Invoke-WebRequest."
},
{
"technique_id": "T1105",
"name": "Ingress Tool Transfer",
"tactic": "Command and Control",
"comment": "Hidden PowerShell downloads winp.zip from Dropbox."
},
{
"technique_id": "T1082",
"name": "System Information Discovery",
"tactic": "Discovery",
"comment": "collector.py collects host and environment details."
},
{
"technique_id": "T1482",
"name": "Domain Trust Discovery",
"tactic": "Discovery",
"comment": "collector.py queries Active Directory computer-object count/context."
},
{
"technique_id": "T1547.001",
"name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
"tactic": "Persistence",
"comment": "Pmanager.py creates a Registry Run entry for persistence."
},
{
"technique_id": "T1053.005",
"name": "Scheduled Task/Job: Scheduled Task",
"tactic": "Persistence",
"comment": "Pmanager.py creates a scheduled task for persistence."
},
{
"technique_id": "T1071.001",
"name": "Application Layer Protocol: Web Protocols",
"tactic": "Command and Control",
"comment": "Pmanager.py sends encrypted/compressed data via HTTP POST to hardcoded C2 IPs."
}
]
}