Uptick in Bomgar RMM Exploitation
Published by Tr1sa111 on 2026-04-21T04:23:44.949Z
A new threat report from Huntress SOC highlights a recent surge in incidents exploiting a critical flaw in Bomgar remote monitoring and management (RMM) software, now known as BeyondTrust Remote Support. The vulnerability, CVE-2026-1731, allows unauthenticated attackers to execute code remotely. While patches were released in early February, attackers continue to target outdated installations, leading to ransomware deployment and lateral movement across downstream customers.
Acknowledgements
Special thanks to Olly Maxwell, Josh Kiriakoff, Jordan Sexton, Ryan Dowd, Jamie Dumas, Amelia Casley, Austin Worline, and Lindsey O’Donnell-Welch for their contributions to this research.
Key Takeaways
- Multiple incidents since April 3, 2026, including ransomware attacks on dental software clients and a managed service provider that isolated 78 businesses.
- Attackers used the LockBit 3.0 builder to deploy ransomware via the compromised Bomgar sessions.
- Domain reconnaissance, creation of privileged accounts, and deployment of additional RMMs such as AnyDesk and Atera were common tactics.
- The latest uptick follows the initial wave in February after the vulnerability was disclosed.
Tradecraft Details
Targeting Downstream Customers
On April 15, a managed service provider’s Bomgar account with high privileges was leveraged to compromise a domain controller. The actor created a local account, elevated it to Local Administrators and Domain Admins, and installed AnyDesk for remote persistence.
LockBit Ransomware Deployment
In several incidents, attackers added a user account (e.g., Adminpwd123.1) to administrative groups and ran the LockBit binary LB3.exe from the desktop or within system directories. The ransomware payloads were executed through the Bomgar session, encrypting files and dropping ransom notes that deviated from the classic LockBit style, suggesting use of a leaked builder.
Additional malicious actions included killing security tools via drivers such as PoisonX.sys and hrwfpdrv.sys, and abusing legitimate software HRSword.exe to bypass defenses.
Other Techniques
Attackers added the built‑in WDAGUtilityAccount to Administrator and Remote Desktop Users, set weak passwords, and ran network enumeration tools like NetScan. They also deployed Atera through msiexec.exe, creating scheduled tasks for persistence.
These activities were observed on April 3 when a Bomgar session executed Atera installer msiexec.exe /i C:\PerfLogs\setup.msi, followed by a scheduled task AteraAgentServiceWatchdog.
Ongoing Incidents and Mitigation Steps
Businesses with Bomgar should:
- Apply the CVE-2026-1731 patch (see BeyondTrust advisory at hxxps://www[.]beyondtrust[.]com/trust-center/security-advisories/bt26-02).
- Monitor for unauthorized additions to Local Administrators and Domain Admins.
- Audit active RMM tools using curated lists like LOLRMM.
- Inspect logs for unexpected RMM executions.
- Verify the software version on the Bomgar appliance status page.
Indicators of Compromise
| Indicator | Description |
|---|---|
| LB3.exe | SHA256: 538b3b36dd8a30e721cc8dc579098e984cf8ed30b71d55303db45c7344f7a4cf (April 12 incident) |
| LB3.exe | SHA256: 3529b1422da886b7d04555340dfb1efd44a625c2921af6df39819397176956d6 (April 14 incident) |
| Adminpwd123.1 | Password used by attacker in April 14 incident |
| 123123qwEqwE | Password used by attacker in April 14 incident |
| InputUpdate.exe | SHA256: bc9635dcc3444c18b447883c6bc1931e5373e48c7dbfaa607285a9fb668b03ea (March 11 incident) |
| 146[.]70[.]41[.]131 | IP configured in March 11 SimpleHelp RMM |
| lokbt9@onionmail[.]org | Email on ransom note in April 12 incident |
| HRSword.exe | SHA256: b44dd12179a15a7d89c18444d36e8d70b51d30c7989d3ab71330061401f731fe (April 12 incident) |
| PoisonX.sys | SHA256: a5035cbd6c31616288aa66d98e5a25441ee38651fb5f330676319f921bb816a4 (April 12 incident) |
| hrwfpdrv.sys | Driver used by attacker in April 12 incident |
Confidence level: 100% Reliability of the report: C – Fairly reliable
External references: hxxps://www[.]huntress[.]com/blog/uptick-bomgar-exploitation, hxxps://otx[.]alienvault[.]com/pulse/69e6fbd0d451998514707706

