Threat Advisory: Attackers Intensify Bomgar RMM Exploitation

SOC Prime Team

Threat Advisory: Attackers Intensify Bomgar RMM Exploitation

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

Huntress reported a rise in attacks abusing compromised Bomgar remote monitoring and management instances following public disclosure of CVE-2026-1731. Threat actors used the flaw to execute code remotely, create high-privilege accounts, and deploy additional remote access software and ransomware. In several cases, the activity led to the deployment of LockBit ransomware, along with tools such as AnyDesk and Atera. The campaign affected both direct Bomgar customers and the downstream organizations they support.

Investigation

The Huntress SOC tracked multiple incidents between February and April 2026 and identified malicious activity tied to bomgar-scc.exe, with attackers using hijacked RMM sessions to launch tools including NetScan, HRSword, and custom drivers. The intruders created new local and domain administrator accounts, installed secondary RMM agents, and executed the LockBit ransomware payload LB3.exe. Investigators also found signs of leaked LockBit 3.0 builder usage and bring-your-own-vulnerable-driver techniques within affected environments.

Mitigation

Organizations should apply the official BeyondTrust Remote Support patches that address CVE-2026-1731 and upgrade affected systems to version 25.3.2 or later. Security teams should also monitor for unexpected privileged account creation, execution of unauthorized RMM tools, suspicious scheduled tasks, and unusual driver installations. Strong access controls and tighter oversight of RMM platforms are essential to reduce the risk of similar compromise.

Response

If this activity is detected, isolate the impacted systems immediately, revoke any compromised Bomgar credentials, and remove unauthorized remote management tools from the environment. Incident responders should then perform forensic analysis to identify ransomware payloads, persistence mechanisms, and any lateral movement. Recovery efforts should rely on clean backups, while downstream customers should be notified promptly so coordinated remediation and hardening can begin.

graph TB %% Class Definitions classDef action fill:#99ccff classDef tool fill:#ffcc99 classDef malware fill:#ff9999 classDef driver fill:#ffddaa classDef account fill:#ccccff classDef system fill:#dddddd %% Nodes – Initial Access initial_access[“Initial Access – T1210 Exploitation of Remote Services Unauthenticated vulnerability CVE‑2026‑1731 in Bomgar (BeyondTrust Remote Support) enables code execution.”]:::action tool_bomgar[“Tool – Name: Bomgar Remote Support Vulnerability: CVE‑2026‑1731”]:::tool %% Nodes – Execution execution_proxy[“Execution – T1218 System Binary Proxy Execution Signed binary HRSword.exe used as proxy to launch malicious payload LB3.exe.”]:::action execution_script[“Execution – T1216 System Script Proxy Execution”]:::action tool_hrsword[“Tool – Name: HRSword.exe Signed: Yes (code‑signing subversion)”]:::tool malware_lb3[“Malware – Name: LB3.exe (LockBit variant) Purpose: Ransomware encryption”]:::malware subvert_trust[“Sub‑technique – T1553.002 Code Signing Valid signatures leveraged to subvert trust controls.”]:::action masquerade[“Sub‑technique – T1036.001 Invalid Code Signature Masquerading Binary appears legitimate despite malicious intent.”]:::action trusted_proxy[“Sub‑technique – T1127 Trusted Developer Utilities Proxy Execution Drivers act as proxy for malicious code.”]:::action device_discovery[“Sub‑technique – T1652 Device Driver Discovery Identify loaded drivers on the system.”]:::action %% Nodes – Persistence & Account Creation persistence_local_account[“Persistence – T1136.001 Create Account: Local Local account \”Adminpwd123.1\” created.”]:::action persistence_domain_account[“Persistence – T1136.002 Create Account: Domain Domain account \”123123qwEqwE\” created.”]:::action valid_account_local[“Valid Accounts – T1078.003 Local Accounts”]:::account valid_account_domain[“Valid Accounts – T1078.002 Domain Accounts”]:::account account_manipulation[“Privilege Escalation – T1098.007 Additional Local or Domain Groups Accounts added to Administrators and Domain Admins groups.”]:::action %% Nodes – Defense Evasion defense_impair[“Defense Evasion – T1562 Impair Defenses Malicious drivers installed to terminate EDR solutions.”]:::action driver_poisonx[“Driver – Name: PoisonX.sys Function: Disables security monitoring.”]:::driver driver_hrwfpdrv[“Driver – Name: hrwfpdrv.sys Function: Disables security monitoring.”]:::driver %% Nodes – Lateral Movement lateral_ssh[“Lateral Movement – T1021.004 Remote Services: SSH Compromised Bomgar shell (SYSTEM) used to run commands on additional hosts.”]:::action remote_services[“Lateral Movement – T1021 Remote Services”]:::action tool_anydesk[“Tool – Name: AnyDesk”]:::tool tool_atera[“Tool – Name: Atera Installation: msiexec C:\\PerfLogs\\setup.msi, scheduled task AteraAgentServiceWatchdog”]:::tool tool_screenconnect[“Tool – Name: ScreenConnect Client Path: C:\\Program Files (x86)\\ScreenConnect Client”]:::tool %% Nodes – Discovery discovery_groups[“Discovery – T1069.002 Permission Groups Discovery: Domain Groups Enumerate domain groups and memberships.”]:::action discovery_network[“Discovery – T1590 Gather Victim Network Information NetScan and nltest.exe used for network enumeration.”]:::action %% Nodes – Impact impact_encryption[“Impact – T1486 Data Encrypted for Impact LockBit encrypts files on compromised endpoints.”]:::action impact_financial[“Impact – T1657 Financial Theft Ransom note with onionmail address provided for payment.”]:::action %% Connections – Attack Flow initial_access –>|exploits| tool_bomgar tool_bomgar –>|provides access to| execution_proxy execution_proxy –>|uses| tool_hrsword tool_hrsword –>|launches| malware_lb3 malware_lb3 –>|performs| impact_encryption execution_proxy –>|subverts trust via| subvert_trust execution_proxy –>|masquerades as| masquerade execution_proxy –>|leverages| trusted_proxy subvert_trust –>|enables creation of| persistence_local_account subvert_trust –>|enables creation of| persistence_domain_account persistence_local_account –>|creates| valid_account_local persistence_domain_account –>|creates| valid_account_domain valid_account_local –>|added to| account_manipulation valid_account_domain –>|added to| account_manipulation account_manipulation –>|grants| lateral_ssh defense_impair –>|installs| driver_poisonx defense_impair –>|installs| driver_hrwfpdrv driver_poisonx –>|disables| tool_anydesk driver_hrwfpdrv –>|disables| tool_atera lateral_ssh –>|uses| remote_services remote_services –>|deploys| tool_anydesk remote_services –>|deploys| tool_atera remote_services –>|deploys| tool_screenconnect discovery_groups –>|feeds information to| lateral_ssh discovery_network –>|feeds information to| lateral_ssh impact_encryption –>|leads to| impact_financial

Attack Flow

Attack Narrative & Commands:
1. Initial foothold: The attacker uses a compromised Bomgar session to open a remote command prompt on the target machine.
2. Credential preparation: The attacker knows the victim’s domain admin password fragment Adminpwd123.1 and a stolen service token 123123qwEqwE.
3. Privilege escalation: To blend with legitimate activity, the attacker invokes the native net.exe binary, embedding the two fragments in the command line (the fragments are not required for the net operation but will satisfy the rule’s string match).
4. Group addition: The attacker adds a newly created user eviladmin to both the local Administrators group and the Domain Admins group.
The exact command line executed on the compromised host is:
```
cmd /c "net localgroup administrators eviladmin /add && echo 123123qwEqwE && echo Adminpwd123.1"
```
A similar command is run for the domain group:
```
cmd /c "net group "Domain Admins" eviladmin /add && echo 123123qwEqwE && echo Adminpwd123.1"
```

Regression Test Script:

#=========================================================================
# Bomgar‑exploitation group‑addition test – triggers Sigma rule a1672291‑...
#=========================================================================
$user = "eviladmin"
$pwdFragment = "123123qwEqwE"
$adminPwdFragment = "Adminpwd123.1"

# Add to Local Administrators (net.exe)
$localCmd = "net localgroup administrators $user /add && echo $pwdFragment && echo $adminPwdFragment"
Write-Host "Executing local admin addition..."
cmd.exe /c $localCmd

# Add to Domain Admins (net.exe) – assumes machine is domain‑joined
$domainCmd = "net group `"Domain Admins`" $user /add && echo $pwdFragment && echo $adminPwdFragment"
Write-Host "Executing domain admin addition..."
cmd.exe /c $domainCmd

Cleanup Commands:

# Remove the test user from privileged groups
$user = "eviladmin"

# Local Administrators cleanup
cmd.exe /c "net localgroup administrators $user /delete"

# Domain Admins cleanup (requires domain rights)
cmd.exe /c "net group `"Domain Admins`" $user /delete"

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free