Increased Bomgar RMM Exploitation Alert

Uptick in Bomgar RMM Exploitation

Published by Tr1sa111 on 2026-04-21T04:23:44.949Z

A new threat report from Huntress SOC highlights a recent surge in incidents exploiting a critical flaw in Bomgar remote monitoring and management (RMM) software, now known as BeyondTrust Remote Support. The vulnerability, CVE-2026-1731, allows unauthenticated attackers to execute code remotely. While patches were released in early February, attackers continue to target outdated installations, leading to ransomware deployment and lateral movement across downstream customers.

Acknowledgements

Special thanks to Olly Maxwell, Josh Kiriakoff, Jordan Sexton, Ryan Dowd, Jamie Dumas, Amelia Casley, Austin Worline, and Lindsey O’Donnell-Welch for their contributions to this research.

Key Takeaways

  • Multiple incidents since April 3, 2026, including ransomware attacks on dental software clients and a managed service provider that isolated 78 businesses.
  • Attackers used the LockBit 3.0 builder to deploy ransomware via the compromised Bomgar sessions.
  • Domain reconnaissance, creation of privileged accounts, and deployment of additional RMMs such as AnyDesk and Atera were common tactics.
  • The latest uptick follows the initial wave in February after the vulnerability was disclosed.

Tradecraft Details

Targeting Downstream Customers

On April 15, a managed service provider’s Bomgar account with high privileges was leveraged to compromise a domain controller. The actor created a local account, elevated it to Local Administrators and Domain Admins, and installed AnyDesk for remote persistence.

LockBit Ransomware Deployment

In several incidents, attackers added a user account (e.g., Adminpwd123.1) to administrative groups and ran the LockBit binary LB3.exe from the desktop or within system directories. The ransomware payloads were executed through the Bomgar session, encrypting files and dropping ransom notes that deviated from the classic LockBit style, suggesting use of a leaked builder.

Additional malicious actions included killing security tools via drivers such as PoisonX.sys and hrwfpdrv.sys, and abusing legitimate software HRSword.exe to bypass defenses.

Other Techniques

Attackers added the built‑in WDAGUtilityAccount to Administrator and Remote Desktop Users, set weak passwords, and ran network enumeration tools like NetScan. They also deployed Atera through msiexec.exe, creating scheduled tasks for persistence.

These activities were observed on April 3 when a Bomgar session executed Atera installer msiexec.exe /i C:\PerfLogs\setup.msi, followed by a scheduled task AteraAgentServiceWatchdog.

Ongoing Incidents and Mitigation Steps

Businesses with Bomgar should:

  1. Apply the CVE-2026-1731 patch (see BeyondTrust advisory at hxxps://www[.]beyondtrust[.]com/trust-center/security-advisories/bt26-02).
  2. Monitor for unauthorized additions to Local Administrators and Domain Admins.
  3. Audit active RMM tools using curated lists like LOLRMM.
  4. Inspect logs for unexpected RMM executions.
  5. Verify the software version on the Bomgar appliance status page.

Indicators of Compromise

IndicatorDescription
LB3.exeSHA256: 538b3b36dd8a30e721cc8dc579098e984cf8ed30b71d55303db45c7344f7a4cf (April 12 incident)
LB3.exeSHA256: 3529b1422da886b7d04555340dfb1efd44a625c2921af6df39819397176956d6 (April 14 incident)
Adminpwd123.1Password used by attacker in April 14 incident
123123qwEqwEPassword used by attacker in April 14 incident
InputUpdate.exeSHA256: bc9635dcc3444c18b447883c6bc1931e5373e48c7dbfaa607285a9fb668b03ea (March 11 incident)
146[.]70[.]41[.]131IP configured in March 11 SimpleHelp RMM
lokbt9@onionmail[.]orgEmail on ransom note in April 12 incident
HRSword.exeSHA256: b44dd12179a15a7d89c18444d36e8d70b51d30c7989d3ab71330061401f731fe (April 12 incident)
PoisonX.sysSHA256: a5035cbd6c31616288aa66d98e5a25441ee38651fb5f330676319f921bb816a4 (April 12 incident)
hrwfpdrv.sysDriver used by attacker in April 12 incident

Confidence level: 100% Reliability of the report: C – Fairly reliable

External references: hxxps://www[.]huntress[.]com/blog/uptick-bomgar-exploitation, hxxps://otx[.]alienvault[.]com/pulse/69e6fbd0d451998514707706

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading