Threat Advisory: Attackers Intensify Bomgar RMM Exploitation
Summary
Huntress reported a rise in attacks abusing compromised Bomgar (now BeyondTrust Remote Support) remote monitoring and management instances following public disclosure of CVE-2026-1731. Threat actors used the flaw to execute code remotely, create high-privilege accounts, and deploy additional remote access software and ransomware. In several cases the activity ended in LockBit ransomware deployment, alongside tools such as AnyDesk and Atera. The campaign affected both direct Bomgar customers and the downstream organizations they support.
Investigation
The Huntress SOC tracked multiple incidents between February and April 2026 and identified malicious activity tied to bomgar-scc.exe, with attackers using hijacked RMM sessions to launch tools including NetScan, HRSword, and custom drivers. The intruders created new local and domain administrator accounts, installed secondary RMM agents, and executed the LockBit ransomware payload LB3.exe. Investigators also found signs of leaked LockBit 3.0 builder usage and bring-your-own-vulnerable-driver techniques within affected environments.
Mitigation
Organizations should apply the official BeyondTrust Remote Support patches that address CVE-2026-1731 and upgrade affected systems to version 25.3.2 or later. Security teams should also monitor for unexpected privileged account creation, execution of unauthorized RMM tools, suspicious scheduled tasks, and unusual driver installations. Strong access controls and tighter oversight of RMM platforms are essential to reduce the risk of similar compromise.
Response
If this activity is detected, isolate the impacted systems immediately, revoke any compromised Bomgar credentials, and remove unauthorized remote management tools from the environment. Incident responders should then perform forensic analysis to identify ransomware payloads, persistence mechanisms, and any lateral movement. Recovery efforts should rely on clean backups, while downstream customers should be notified promptly so coordinated remediation and hardening can begin.
Attack Flow
Detections
- Add User to Local Administrators (via cmdline)
- Suspicious Execution from PerfLogs Directory (via process_creation)
- Alternative Remote Access / Management Software (via process_creation)
- Alternative Remote Access / Management Software (via system)
- Alternative Remote Access / Management Software (via audit)
- IOCs (HashSha256) to detect: Threat Advisory: Uptick in Bomgar RMM Exploitation
- IOCs (SourceIP) to detect: Threat Advisory: Uptick in Bomgar RMM Exploitation
- IOCs (DestinationIP) to detect: Threat Advisory: Uptick in Bomgar RMM Exploitation
- Detect User Addition to Admin Groups via Bomgar Exploitation [Microsoft Windows Security Event Log]
- Detection of Malicious Processes in Compromised Bomgar RMM Instances [Windows Process Creation]
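The following is an added example for this page, not the advisory's own detection content or any vendor rule: a small Python detector that applies the logic behind the rules listed above (net.exe additions to Administrators or Domain Admins, execution from C:\PerfLogs, secondary RMM agents such as AnyDesk or Atera, and Windows Security group-membership events 4732/4728) to a constructed set of events, and links a Security-log group change back to a shell spawned by bomgar-scc.exe. Event field names, the Bomgar client path, the AteraAgent.exe file name and all sample events are assumptions made for the example; the first sample reuses the exact net.exe command line from the simulation section.

```python
"""Toy detector for the techniques the rules above cover: net.exe additions to
privileged groups, execution from C:\\PerfLogs, secondary RMM agents, and Windows
Security group-membership events (4732/4728). Added example for this page, not
the advisory's own rule logic; field names and sample events are constructed."""
import re

PRIVILEGED_GROUPS = {"administrators", "domain admins"}
# Secondary RMM binaries named in the advisory. AnyDesk.exe is the vendor's file
# name; AteraAgent.exe is an assumed name used only for this example.
ALT_RMM_IMAGES = {"anydesk.exe", "ateraagent.exe"}
BOMGAR_CLIENT = "bomgar-scc.exe"
# 4732: member added to a security-enabled local group; 4728: global group.
GROUP_ADD_EVENT_IDS = {4732, 4728}

# net / net1 [localgroup|group] <group | "group with spaces"> <member> /add
NET_GROUP_ADD = re.compile(
    r'\bnet1?(?:\.exe)?\s+(?:localgroup|group)\s+(?:"([^"]+)"|(\S+))\s+(\S+)\s+/add\b',
    re.IGNORECASE,
)

RULE_NET_ADMIN = "Add User to Local Administrators (via cmdline)"
RULE_PERFLOGS = "Suspicious Execution from PerfLogs Directory (via process_creation)"
RULE_ALT_RMM = "Alternative Remote Access / Management Software (via process_creation)"
RULE_SECLOG = ("Detect User Addition to Admin Groups via Bomgar Exploitation "
               "[Microsoft Windows Security Event Log]")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_net_group_add(cmdline):
    """Return (group, member) if the command line adds a member to a group via net.exe,
    else None. Handles quoted group names such as "Domain Admins"."""
    m = NET_GROUP_ADD.search(cmdline or "")
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def check_process_creation(ev):
    """Rule names that fire on a single process-creation event (EID 4688 / Sysmon 1)."""
    hits = []
    parsed = parse_net_group_add(ev.get("command_line", ""))
    if parsed and parsed[0].lower() in PRIVILEGED_GROUPS:
        hits.append(RULE_NET_ADMIN)
    image = ev.get("image", "").replace("/", "\\")
    if image.lower().startswith("c:\\perflogs\\"):
        hits.append(RULE_PERFLOGS)
    if _basename(image) in ALT_RMM_IMAGES:
        hits.append(RULE_ALT_RMM)
    return hits


def analyze(events):
    """Two passes: process events first, remembering members added by a shell whose
    direct parent is the Bomgar client; then Security group-change events, which are
    linked back to that set. Returns (event index, rule name, linked_to_bomgar) tuples."""
    findings = []
    bomgar_added = set()
    for i, ev in enumerate(events):
        if ev.get("event_id") in GROUP_ADD_EVENT_IDS:
            continue
        under_bomgar = _basename(ev.get("parent_image", "")) == BOMGAR_CLIENT
        for rule in check_process_creation(ev):
            findings.append((i, rule, under_bomgar))
        parsed = parse_net_group_add(ev.get("command_line", ""))
        if parsed and under_bomgar:
            bomgar_added.add(parsed[1].lower())
    for i, ev in enumerate(events):
        if (ev.get("event_id") in GROUP_ADD_EVENT_IDS
                and ev.get("group", "").lower() in PRIVILEGED_GROUPS):
            findings.append((i, RULE_SECLOG, ev.get("member", "").lower() in bomgar_added))
    return findings


# Constructed sample telemetry (not real logs). The Bomgar client path is an assumption.
BOMGAR_PATH = r"C:\ProgramData\bomgar-scc-0x1234\bomgar-scc.exe"
SAMPLE_EVENTS = [
    {"event_id": 4688, "parent_image": BOMGAR_PATH, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd /c "net localgroup administrators eviladmin /add '
                     '&& echo 123123qwEqwE && echo Adminpwd123.1"'},
    {"event_id": 4688, "parent_image": r"C:\Windows\System32\net.exe",
     "image": r"C:\Windows\System32\net1.exe",
     "command_line": r'C:\Windows\system32\net1 group "Domain Admins" eviladmin /add'},
    {"event_id": 4688, "parent_image": BOMGAR_PATH,
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "command_line": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"event_id": 4688, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\PerfLogs\LB3.exe", "command_line": r"C:\PerfLogs\LB3.exe"},
    {"event_id": 4732, "group": "Administrators", "member": "eviladmin"},
    {"event_id": 4728, "group": "Domain Admins", "member": "eviladmin"},
    # Benign: an admin listing accounts from an interactive session.
    {"event_id": 4688, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\net.exe", "command_line": "net user"},
]

if __name__ == "__main__":
    for index, rule, linked in analyze(SAMPLE_EVENTS):
        print(f"event {index}: {rule}{' [linked to Bomgar session]' if linked else ''}")
```

Two points a practitioner should take from this: net.exe forks net1.exe, so the group addition is logged twice with different parents, and only the cmd.exe instance carries the Bomgar parent; and a 4732/4728 event is emitted only when the member account actually exists, so a failed net.exe attempt shows up in process telemetry but not in the Security log.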
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the exact execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative must directly reflect the TTPs identified above and generate the telemetry the detection logic expects.
Attack Narrative & Commands:
- Initial foothold: The attacker uses a compromised Bomgar session to open a remote command prompt on the target machine.
- Credential preparation: The attacker holds the victim's domain admin password fragment Adminpwd123.1 and a stolen service token 123123qwEqwE.
- Privilege escalation: To blend with legitimate activity, the attacker invokes the native net.exe binary, embedding the two fragments in the command line (the fragments are not required for the net operation but satisfy the rule's string match).
- Group addition: The attacker adds a newly created user eviladmin to both the local Administrators group and the Domain Admins group. The account must exist (locally for the first command, in the domain for the second) before the group addition can succeed; if it does not, net.exe errors out, the command line is still recorded in process-creation telemetry, but no 4732/4728 group-change event is written to the Security log.
The exact command line executed on the compromised host is:
cmd /c "net localgroup administrators eviladmin /add && echo 123123qwEqwE && echo Adminpwd123.1"
A similar command is run for the domain group (cmd strips the outer pair of quotes, so the inner quotes around Domain Admins reach net.exe intact):
cmd /c "net group "Domain Admins" eviladmin /add && echo 123123qwEqwE && echo Adminpwd123.1"
Regression Test Script (PowerShell, run from an elevated session):
#=========================================================================
# Bomgar-exploitation group-addition test - triggers Sigma rule a1672291-...
#=========================================================================
$user = "eviladmin"
$pwdFragment = "123123qwEqwE"
$adminPwdFragment = "Adminpwd123.1"
# Throwaway password for the local test account; adjust to the host's password policy
$testPassword = "Tmp-Test-Pw-2026!"

# Create the local test account the narrative refers to. Without an existing member,
# "net localgroup ... /add" fails and no 4732 event is logged.
Write-Host "Creating local test account..."
cmd.exe /c "net user $user $testPassword /add"

# Add to Local Administrators (net.exe)
$localCmd = "net localgroup administrators $user /add && echo $pwdFragment && echo $adminPwdFragment"
Write-Host "Executing local admin addition..."
cmd.exe /c $localCmd

# Add to Domain Admins (net.exe) - assumes the machine is domain-joined, the session
# holds domain admin rights, and a domain account named $user already exists
$domainCmd = "net group `"Domain Admins`" $user /add && echo $pwdFragment && echo $adminPwdFragment"
Write-Host "Executing domain admin addition..."
cmd.exe /c $domainCmd
Cleanup Commands:
# Remove the test user from privileged groups, then delete the local test account
$user = "eviladmin"
# Local Administrators cleanup
cmd.exe /c "net localgroup administrators $user /delete"
# Domain Admins cleanup (requires domain rights)
cmd.exe /c "net group `"Domain Admins`" $user /delete"
# Local account cleanup (a domain account, if one was created for the test, must be removed separately)
cmd.exe /c "net user $user /delete"