Severity: critical · 6 min read

Threat Advisory: Uptick in Bomgar RMM Exploitation

Huntress has observed an uptick in threat actors exploiting CVE-2026-1731 in outdated Bomgar RMM instances to compromise organizations and their downstream clients. Attackers utilize this access to establish persistence via secondary RMM tools, evade defenses using BYOVD techniques, and ultimately deploy LockBit ransomware.

Sens: Immediate · Conf: high · Analyzed: 2026-04-21

Authors: Olly Maxwell, Josh Kiriakoff, Jordan Sexton, Ryan Dowd, Jamie Dumas, Amelia Casley, Austin Worline, Lindsey O'Donnell-Welch

Actors: LockBit 3.0

Source: Huntress

IOCs · 5

Key Takeaways

  • Threat actors are actively exploiting CVE-2026-1731 in outdated Bomgar (BeyondTrust) RMM instances to gain initial access.
  • Attackers are targeting MSPs and software vendors to compromise downstream customers and deploy LockBit ransomware.
  • Persistence is established by creating local/domain admin accounts and deploying secondary RMM tools like AnyDesk, Atera, and ScreenConnect.
  • Defense evasion tactics include using BYOVD tools (PoisonX.sys) and HRSword to terminate EDR agents.

Affected Systems

  • Bomgar / BeyondTrust Remote Support (versions 25.3.1 and prior)
  • Bomgar / BeyondTrust Privileged Remote Access (versions 24.3.4 and prior)

Vulnerabilities (CVEs)

  • CVE-2026-1731

Attack Chain

Threat actors exploit CVE-2026-1731 in outdated Bomgar RMM instances to gain initial access, often targeting MSPs to reach downstream clients. Once inside, they perform network reconnaissance using tools like NetScan and nltest.exe. Persistence is established by creating or modifying local and domain administrator accounts, and by deploying secondary RMM tools such as AnyDesk, Atera, and ScreenConnect. The attackers then evade defenses using BYOVD techniques (PoisonX.sys) and HRSword before finally deploying LockBit ransomware (LB3.exe) to encrypt the network.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules, but outlines behavioral indicators, file paths, and process ancestry patterns suitable for threat hunting.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can easily monitor process ancestry (e.g., bomgar-scc.exe spawning cmd.exe or net.exe), driver loads (BYOVD), and the execution of known ransomware binaries.
  • Network Visibility: Medium — Network visibility can detect secondary RMM tool traffic (AnyDesk, Atera) and C2 communications, though initial exploitation occurs over the legitimate Bomgar channel.
  • Detection Difficulty: Moderate — While the ransomware and BYOVD tools are easily detected, the initial access and persistence via legitimate RMM tools blend in with normal administrative activity, requiring behavioral correlation.

Required Log Sources

  • Windows Security Event Log (Event ID 4720, 4728, 4732)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 6 (Driver Loaded)

Hunting Hypotheses

  • Hypothesis: Look for bomgar-scc.exe spawning suspicious child processes like cmd.exe, net.exe, or msiexec.exe. | Telemetry: Process Creation (Sysmon Event ID 1 / EDR telemetry) | ATT&CK Stage: Execution | FP Risk: Low to Medium (Bomgar may occasionally run scripts, but spawning net.exe to add admins is highly suspicious)
  • Hypothesis: Identify the creation of new local or domain administrator accounts occurring shortly after an active Bomgar session. | Telemetry: Windows Security Event Logs (4720, 4728, 4732) | ATT&CK Stage: Persistence | FP Risk: Medium (Legitimate admins may create accounts, but correlation with Bomgar activity narrows it down)
  • Hypothesis: Detect the installation or execution of secondary RMM tools (AnyDesk, Atera, ScreenConnect) from unusual directories like C:\PerfLogs. | Telemetry: Process Creation, File Creation | ATT&CK Stage: Persistence | FP Risk: Low (Legitimate RMMs are rarely installed from PerfLogs)

Control Gaps

  • Lack of strict application control allowing unauthorized RMMs
  • Insufficient monitoring of built-in accounts like WDAGUtilityAccount

Key Behavioral Indicators

  • bomgar-scc.exe spawning net.exe
  • msiexec.exe running from C:\PerfLogs\
  • Unexpected driver loads in C:\temp\
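The hunting hypotheses and behavioral indicators above are stated as prose; the following is an added example (not code from Huntress or from the advisory) that turns them into three runnable hunts over constructed Sysmon-style and Windows Security events. The event dict layout, host names, timestamps and the 30-minute correlation window are assumptions made for the example; the process names, event IDs and directories are the ones the advisory lists.

```python
"""Hunts for the Bomgar-abuse chain: (1) bomgar-scc.exe spawning cmd/net/msiexec,
(2) account creation or admin-group changes (4720/4728/4732) shortly after such a
child on the same host, (3) RMM installers or drivers running from C:\\PerfLogs or
C:\\temp. The SAMPLE_EVENTS below are constructed for this example, not real logs."""
from datetime import datetime, timedelta

SUSPICIOUS_BOMGAR_CHILDREN = {"cmd.exe", "net.exe", "net1.exe", "msiexec.exe"}
UNUSUAL_DIRS = ("c:\\perflogs\\", "c:\\temp\\")           # from the advisory
RMM_IMAGES = {"anydesk.exe", "msiexec.exe", "inputupdate.exe"}
ACCOUNT_EVENT_IDS = {4720, 4728, 4732}                    # create user / add to groups
CORRELATION_WINDOW = timedelta(minutes=30)                # assumed window


def _ts(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_bomgar_children(events):
    """Hypothesis 1: bomgar-scc.exe as parent of an interactive/admin child process."""
    return [e for e in events
            if e["type"] == "process_create"
            and _basename(e["parent_image"]) == "bomgar-scc.exe"
            and _basename(e["image"]) in SUSPICIOUS_BOMGAR_CHILDREN]


def hunt_account_changes_after_bomgar(events, window=CORRELATION_WINDOW):
    """Hypothesis 2: 4720/4728/4732 on a host within `window` after a Bomgar child."""
    bomgar_times = {}
    for e in hunt_bomgar_children(events):
        bomgar_times.setdefault(e["host"], []).append(_ts(e["time"]))
    hits = []
    for e in events:
        if e["type"] != "security" or e["event_id"] not in ACCOUNT_EVENT_IDS:
            continue
        t = _ts(e["time"])
        if any(bt <= t <= bt + window for bt in bomgar_times.get(e["host"], [])):
            hits.append(e)
    return hits


def hunt_unusual_paths(events):
    """Hypothesis 3 / behavioral indicators: RMM installers launched from or
    pointed at C:\\PerfLogs, and drivers loaded from C:\\temp."""
    hits = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"].lower()
            cmd = e.get("command_line", "").lower()
            if _basename(image) in RMM_IMAGES and (
                    image.startswith(UNUSUAL_DIRS) or any(d in cmd for d in UNUSUAL_DIRS)):
                hits.append(e)
        elif e["type"] == "driver_load" and e["image_loaded"].lower().startswith(UNUSUAL_DIRS):
            hits.append(e)
    return hits


# Constructed sample telemetry: WS01 shows the chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "time": "2026-04-10T09:00:00",
     "parent_image": "C:\\ProgramData\\bomgar-scc\\bomgar-scc.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": "net user helpdesk2 <password> /add"},
    {"type": "security", "host": "WS01", "time": "2026-04-10T09:03:00", "event_id": 4720},
    {"type": "security", "host": "WS01", "time": "2026-04-10T09:04:00", "event_id": 4732},
    {"type": "process_create", "host": "WS01", "time": "2026-04-10T09:10:00",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec.exe /i C:\\PerfLogs\\setup.msi /qn"},
    {"type": "driver_load", "host": "WS01", "time": "2026-04-10T09:15:00",
     "image_loaded": "C:\\temp\\PoisonX.sys"},
    # Benign: Bomgar running a script is expected; a 4720 with no Bomgar child nearby
    # and a driver from the normal drivers folder should not fire.
    {"type": "process_create", "host": "WS02", "time": "2026-04-10T10:00:00",
     "parent_image": "C:\\ProgramData\\bomgar-scc\\bomgar-scc.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -File inventory.ps1"},
    {"type": "security", "host": "WS02", "time": "2026-04-10T11:00:00", "event_id": 4720},
    {"type": "driver_load", "host": "WS02", "time": "2026-04-10T11:05:00",
     "image_loaded": "C:\\Windows\\System32\\drivers\\example.sys"},
]


def run_hunts(events):
    """Return hit counts per hunt so the result can be checked or fed to a SIEM."""
    return {"bomgar_children": len(hunt_bomgar_children(events)),
            "account_changes_after_bomgar": len(hunt_account_changes_after_bomgar(events)),
            "unusual_paths": len(hunt_unusual_paths(events))}


if __name__ == "__main__":
    for name, count in run_hunts(SAMPLE_EVENTS).items():
        print(f"{name}: {count} hit(s)")
```

The second hunt deliberately keys on the first: an account-creation event alone is noisy (the advisory rates it Medium FP risk), so it is only reported when a suspicious Bomgar child ran on the same host inside the window. Note that hrwfpdrv.sys in the advisory's IOC list lands in System32\drivers, so a path-only driver check would miss it; pair this with hash or signer checks in production.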

False Positive Assessment

  • Medium. Legitimate administrative actions via Bomgar (like running scripts or installing software) may trigger behavioral alerts, requiring baseline comparisons.

Recommendations

Immediate Mitigation

  • Apply patches for CVE-2026-1731 (Remote Support 25.3.2+, Privileged Remote Access 25.1+).
  • Isolate compromised Bomgar instances and affected downstream environments.

Infrastructure Hardening

  • Audit and restrict the use of RMM tools using application control.
  • Monitor and restrict modifications to Local Administrators and Domain Administrators groups.

User Protection

  • Deploy EDR to monitor for BYOVD techniques and unauthorized driver loads.
  • Reset passwords for any compromised accounts, including built-in accounts like WDAGUtilityAccount.

Security Awareness

  • Train SOC analysts to recognize the abuse of legitimate RMM tools (LOLRMM) as persistence mechanisms.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1078.001 - Valid Accounts: Default Accounts
  • T1078.002 - Valid Accounts: Domain Accounts
  • T1078.003 - Valid Accounts: Local Accounts
  • T1136.001 - Create Account: Local Account
  • T1136.002 - Create Account: Domain Account
  • T1098 - Account Manipulation
  • T1219 - Remote Access Software
  • T1562.001 - Impair Defenses: Disable or Modify Tools
  • T1069.001 - Permission Groups Discovery: Local Groups
  • T1069.002 - Permission Groups Discovery: Domain Groups
  • T1486 - Data Encrypted for Impact

Additional IOCs

  • IPs:
    • 146[.]70[.]41[.]131 - IP configured for SimpleHelp RMM
  • File Hashes:
    • 538b3b36dd8a30e721cc8dc579098e984cf8ed30b71d55303db45c7344f7a4cf (SHA256) - LB3.exe
    • 3529b1422da886b7d04555340dfb1efd44a625c2921af6df39819397176956d6 (SHA256) - LB3.exe
    • bc9635dcc3444c18b447883c6bc1931e5373e48c7dbfaa607285a9fb668b03ea (SHA256) - InputUpdate.exe
    • b44dd12179a15a7d89c18444d36e8d70b51d30c7989d3ab71330061401f731fe (SHA256) - HRSword.exe
    • a5035cbd6c31616288aa66d98e5a25441ee38651fb5f330676319f921bb816a4 (SHA256) - PoisonX.sys
  • File Paths:
    • C:\Users\support\Documents\AnyDesk.exe - Path used to drop AnyDesk for persistence
    • C:\Program Files (x86)\ScreenConnect Client (0a42c9161c039ecc)\ - Path associated with ScreenConnect persistence
    • C:\Windows\System32\drivers\hrwfpdrv.sys - Suspicious driver dropped for defense evasion
    • C:\temp\PoisonX.sys - BYOVD driver dropped for defense evasion
    • C:\Program Files (x86)\AnyDesk - Installation directory for AnyDesk
    • C:\PerfLogs\setup.msi - Atera RMM installer dropped in PerfLogs
    • c:\PerfLogs\InputUpdate.exe - Renamed SimpleHelp RMM dropped in PerfLogs
  • Command Lines:
    • Purpose: Create new local user account | Tools: net.exe | Stage: Persistence | net user
    • Purpose: Add user to local administrators group | Tools: net.exe, net1.exe | Stage: Privilege Escalation | net localgroup administrators
    • Purpose: Add user to domain admins group | Tools: net.exe | Stage: Privilege Escalation | net group "domain admins"
    • Purpose: Install secondary RMM tool (AnyDesk) | Tools: anydesk.exe | Stage: Persistence | anydesk.exe --install
    • Purpose: Execute MSI installer from suspicious directory | Tools: msiexec.exe | Stage: Execution | msiexec.exe /i C:\PerfLogs\
  • Other:
    • Adminpwd123.1 - Password used by attacker for created accounts
    • 123123qwEqwE - Password used by attacker for WDAGUtilityAccount
    • lokbt9@onionmail[.]org - Email address found in LockBit ransom note
    • WDAGUtilityAccount - Built-in account compromised and added to Admin/RDP groups
    • AteraAgentServiceWatchdog - Scheduled task created for Atera persistence
    • bomgar-scc.exe - Legitimate Bomgar process abused to spawn malicious child processes