Malicious RVTools Installer Uses Sectigo Cert to Evade SmartScreen
ID: 54406d57-ec2d-5f5d-8fae-7982b1c626bd
STIX ID: report--54406d57-ec2d-5f5d-8fae-7982b1c626bd
Feed Name: GBHackers
A trojanized RVTools MSI, code-signed with a fraudulently obtained Sectigo certificate so that SmartScreen does not flag it, drops a multi-stage Python RAT. An embedded VBScript downloads a WinPython archive (winp.zip) from Dropbox; the Python payload (collector.py and Pmanager.py) fingerprints the host and Active Directory, stages the collected data in %TEMP%\configA.json, and persists through an HKCU Run entry and a scheduled task. Exfiltration is RC4-encrypted and zlib-compressed, and the implant beacons to hardcoded C2 addresses. The report closes with behavioral detection guidance and IoCs (file hashes).
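Added example, not from the GBHackers report or its IoC list: a PowerShell triage script that hunts a Windows host for the artifacts the summary names (the %TEMP%\configA.json staging file, the winp.zip WinPython drop, HKCU Run and scheduled-task persistence, and the installer's Authenticode signer). The report does not give the Run value name, the task name, or where the archive is extracted, so those checks are heuristics keyed on an interpreter (python, pythonw, wscript, cscript) launched from a user-writable path, and the TEMP/LOCALAPPDATA search roots are an assumption. Function and variable names are this example's own.

```powershell
# Added example, not the report's own code. Hunts for the host artifacts named in
# the RVTools summary. Run in the profile of the user who ran the installer.
function Invoke-RVToolsRatHunt {
    [CmdletBinding()]
    param(
        # Optional: path to the retained RVTools MSI, to inspect its signature.
        [string]$MsiPath
    )

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Category, $Detail, $Evidence) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail; Evidence = $Evidence })
    }

    # 1. Staging file the RAT writes before exfiltration (path from the report).
    $staging = Join-Path $env:TEMP 'configA.json'
    if (Test-Path -LiteralPath $staging) {
        $item = Get-Item -LiteralPath $staging
        Add-Finding 'Staging file' "Found $staging" ("{0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)
    }

    # 2. Dropped WinPython runtime. The report names winp.zip; the extraction folder
    #    is not given, so only TEMP and LOCALAPPDATA are searched (assumption).
    foreach ($root in @($env:TEMP, $env:LOCALAPPDATA)) {
        Get-ChildItem -LiteralPath $root -Recurse -Depth 2 -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'winp.zip' -or $_.Name -imatch '^WinPython|^pythonw?\.exe$' } |
            ForEach-Object { Add-Finding 'Dropped runtime' "Python runtime artifact under $root" $_.FullName }
    }

    # Heuristic shared by the Run-key and task checks: a script interpreter or
    # script file launched from a user-writable location.
    $suspectLaunch = '(?i)(pythonw?\.exe|wscript|cscript|\.vbs|\.py)'
    $userWritable  = '(?i)(\\AppData\\|\\Temp\\|\\Users\\Public\\)'

    # 3. HKCU Run persistence (key from the report; value name unknown).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            $cmd = [string]$p.Value
            if ($cmd -match $suspectLaunch -and $cmd -match $userWritable) {
                Add-Finding 'HKCU Run' "Value '$($p.Name)' launches an interpreter from a user-writable path" $cmd
            }
        }
    }

    # 4. Scheduled-task persistence (mechanism from the report; task name unknown).
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            if ($cmd -match $suspectLaunch -and $cmd -match $userWritable) {
                Add-Finding 'Scheduled task' ("Task '{0}{1}' runs an interpreter from a user-writable path" -f $task.TaskPath, $task.TaskName) $cmd
            }
        }
    }

    # 5. Installer signature. A valid chain proves only that some Sectigo customer
    #    signed the file, so surface the signer subject for comparison against the
    #    vendor's published signing identity rather than trusting Status = Valid.
    if ($MsiPath -and (Test-Path -LiteralPath $MsiPath)) {
        $sig     = Get-AuthenticodeSignature -FilePath $MsiPath
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '<unsigned>' }
        $detail  = "Status {0}; signer {1}; issuer {2}" -f $sig.Status, $subject, $issuer
        if ($issuer -match '(?i)sectigo') {
            Add-Finding 'Installer signature' 'Issuer matches the CA named in the report; confirm the signer subject is the vendor' $detail
        } else {
            Add-Finding 'Installer signature' 'Signature details for manual review' $detail
        }
    }

    return $findings
}

# Usage: pass the MSI if it was retained; every hit is a row to triage, not a verdict.
# Invoke-RVToolsRatHunt -MsiPath "$env:USERPROFILE\Downloads\RVTools.msi" | Format-Table -AutoSize
```

The network side (hardcoded C2 addresses, RC4+zlib payloads) is deliberately left out: the summary gives neither the addresses nor the key, so those indicators have to come from the report's IoC list rather than from a host check like this one.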
