Since our previous security bulletin, Arctic Wolf has observed malicious activity in the wild tied to suspected exploitation of CVE-2026-1731 in self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. We are sharing threat intelligence related to this activity to help defenders protect against this campaign.
CVE-2026-1731 allows unauthenticated remote threat actors to execute operating system commands in the context of the site user via specially crafted requests. BeyondTrust confirmed that cloud customers were patched automatically on February 2, 2026, requiring no further action, while self-hosted customers must manually apply the updates.
Arctic Wolf has Managed Detection and Response detections in place that apply to activities observed in this campaign, and will continue to notify customers when new instances of this threat are observed.
Technical Details
Arctic Wolf observed attempts to deploy the SimpleHelp RMM tool for persistence, along with discovery and lateral movement activities, detailed below. In each instance, Bomgar appliances were confirmed to be running versions of software affected by CVE-2026-1731.
Persistence
Renamed SimpleHelp binaries were created through Bomgar processes using the SYSTEM account. These executables were saved to the ProgramData root directory and executed from there. Binary names include remote access.exe and others. In each case, SimpleHelp binaries were identified in PE metadata with the following file description:
SimpleHelp Remote Access Client
In affected environments, domain accounts were created via the net user command, and were added to domain administrative groups via net group:
net user REDACTED_USERNAME REDACTED_PASSWORD /add /domain
net group "enterprise admins" REDACTED_USERNAME /add /domain
net group "domain admins" REDACTED_USERNAME /add /domain
Discovery
AdsiSearcher was used to obtain Active Directory computer inventory.
echo AD_Computers: ([adsiSearcher]"(ObjectClass=computer)").FindAll().count
Additional discovery commands, such as the following, were executed via SimpleHelp processes:
net share
cmd.exe /c ipconfig /all
Systeminfo
cmd.exe /c ver
Lateral Movement
PsExec was used to execute the SimpleHelp installation across multiple devices in affected environments. We also observed Impacket SMBv2 session setup requests early in the activity in affected environments.
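As an added illustration (not part of Arctic Wolf's bulletin or its MDR detection content), the following Python shows how the persistence, discovery and account-manipulation behaviours described above could be matched against process-creation telemetry. The sample events, the Bomgar process path and the parent-description field are constructed assumptions, not observed data.

```python
import re

def ev(parent, image, user, cmdline, parent_desc=""):
    # Process-creation event; all values below are constructed placeholders, not real telemetry
    return {"parent": parent, "image": image, "user": user, "cmdline": cmdline, "parent_desc": parent_desc}

BOMGAR = r"C:\Program Files\Bomgar\PLACEHOLDER_bomgar.exe"  # stand-in path for a Bomgar process
SH = r"C:\ProgramData\remote access.exe"                     # renamed SimpleHelp binary named above
SYSTEM, SH_DESC = r"NT AUTHORITY\SYSTEM", "SimpleHelp Remote Access Client"

SAMPLE_EVENTS = [
    ev(BOMGAR, SH, SYSTEM, f'"{SH}"'),
    ev(SH, r"C:\Windows\System32\net.exe", SYSTEM, "net user REDACTED_USERNAME REDACTED_PASSWORD /add /domain", SH_DESC),
    ev(SH, r"C:\Windows\System32\net.exe", SYSTEM, 'net group "domain admins" REDACTED_USERNAME /add /domain', SH_DESC),
    ev(SH, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYSTEM,
       'echo AD_Computers: ([adsiSearcher]"(ObjectClass=computer)").FindAll().count', SH_DESC),
    ev(SH, r"C:\Windows\System32\cmd.exe", SYSTEM, "cmd.exe /c ipconfig /all", SH_DESC),
    ev(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", r"CORP\alice", "cmd.exe /c ver"),  # benign
]

PRIV_GROUPS = ("domain admins", "enterprise admins")
NET = r"\bnet1?(?:\.exe)?\s+"  # net / net1 / net.exe

def classify(e):
    """Return the bulletin behaviours a single process-creation event matches (empty list if none)."""
    img, parent, user = e["image"].lower(), e["parent"].lower(), e["user"].lower()
    cmd, pdesc = e["cmdline"].lower(), e.get("parent_desc", "").lower()
    hits = []
    # Persistence: an .exe in the ProgramData root (not a subfolder) spawned by a Bomgar process as SYSTEM
    if re.fullmatch(r"c:\\programdata\\[^\\]+\.exe", img) and "bomgar" in parent and user.endswith("system"):
        hits.append("simplehelp_dropped_by_bomgar")
    # Domain account creation and addition to Domain/Enterprise Admins via net.exe
    if re.search(NET + r"user\s+\S+\s+\S+\s+/add\s+/domain", cmd):
        hits.append("domain_account_created")
    m = re.search(NET + r'group\s+"?([^"]+?)"?\s+\S+\s+/add\s+/domain', cmd)
    if m and m.group(1).strip() in PRIV_GROUPS:
        hits.append("privileged_group_addition")
    # Discovery: AdsiSearcher AD inventory, or host/network enumeration launched by a SimpleHelp process
    if "[adsisearcher]" in cmd:
        hits.append("adsisearcher_discovery")
    if pdesc == SH_DESC.lower() and re.search(r"\b(net share|ipconfig /all|systeminfo|ver)\b", cmd):
        hits.append("discovery_from_simplehelp")
    return hits

def scan(events):
    """Map event index -> matched behaviours, keeping only events that matched something."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}
```

Any single match warrants review, but a SYSTEM-level drop into the ProgramData root by a Bomgar process followed by the account and group changes on the same host is the sequence the bulletin describes.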
Recommendation
Apply Fixes
Arctic Wolf strongly recommends that customers apply the fixes.
| Product | Affected Version | Fixed Version |
|---|---|---|
| Remote Support (RS) | 25.3.1 and prior | Patch BT26-02-RS (v21.3 – 25.3.1) |
| Privileged Remote Access (PRA) | 24.3.4 and prior | Patch BT26-02-PRA (v22.1 – 24.X). All PRA versions 25.1 and greater do not require patching for this vulnerability |
Note: Customers running self-hosted Remote Support (RS) versions older than 21.3 or Privileged Remote Access (PRA) versions older than 22.1 must upgrade to a newer version to apply this patch. BeyondTrust has applied the fix to all cloud RS and PRA instances as of February 2, 2026, requiring no further action from cloud customers.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.