Uptick in Bomgar RMM Exploitation

Tags: LockBit 3.0 · CVE-2026-1731 · RMM exploitation · ransomware deployment · domain reconnaissance · persistence mechanisms · supply chain attack

A surge in attacks leveraging compromised Bomgar Remote Monitoring and Management (RMM) instances to deploy ransomware, establish persistence, and conduct network reconnaissance. Threat actors exploit CVE-2026-1731 to gain initial access, then pivot to downstream customers, particularly Managed Service Providers (MSPs), for mass compromise.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

DETECTION

DET-002: Unauthorized Domain Admin Account Creation via Bomgar
Technique: T1136.002 — Create Account: Domain Account
Ref: DET0003
Data sources: Windows Event Log (4720, 4728) · Command Execution · Active Directory Logs
Logic: net user /add /domain or net group "Domain Admins" /add executed under SYSTEM context via bomgar-scc.exe parent

DET-003: BYOVD Driver Load — Known Malicious Drivers
Technique: T1562.001 — Impair Defenses: Disable or Modify Tools
Ref: DET0497
Data sources: Kernel Driver Load Events · Sysmon EID 6 · EDR Telemetry
Logic: PoisonX.sys or hrwfpdrv.sys loaded; abrupt termination of AV/EDR processes following driver load

DET-004: Unauthorized RMM Deployment (AnyDesk / Atera / SimpleHelp)
Techniques: T1133 — External Remote Services · T1036.005 — Masquerading: Match Legitimate Name
Refs: DET0354 · DET0127
Data sources: Process Creation · File Monitoring · Network Connection Logs
Logic: RMM binary (AnyDesk.exe, atera_agent.exe) launched via Bomgar; renamed SimpleHelp PE with mismatched metadata dropped to C:\ProgramData\

DET-005: AteraAge Scheduled Task Creation
Technique: T1053.005 — Scheduled Task/Job: Scheduled Task
Ref: DET0441
Data sources: Windows Event Log (4698) · Task Scheduler Logs · Sysmon EID 11
Logic: Scheduled task named AteraAge created outside approved IT management process; task executable path points to non-standard Atera binary location
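As an added example, not part of this campaign entry or any vendor's rule set: a small Python detector that applies the four analytics above (DET-002 to DET-005) to constructed, normalized event records. The field names (event_id, image, parent_image, user, command_line, original_file_name, driver, task_name, task_path) and the approved Atera install directory are assumptions; real Sysmon and EVTX fields will need mapping.

```python
import re

MALICIOUS_DRIVERS = {"poisonx.sys", "hrwfpdrv.sys"}          # DET-003 driver names from the entry
RMM_BINARIES = {"anydesk.exe", "atera_agent.exe"}             # DET-004 binaries from the entry
APPROVED_ATERA_DIR = "c:\\program files\\atera networks\\"   # assumed approved install path
ACCOUNT_ADD = re.compile(  # net user <name> [<pw>] /add /domain  |  net group "Domain Admins" <name> /add
    r'\bnet1?(?:\.exe)?\s+(?:user\s+\S+(?:\s+\S+)?\s+/add\s+/domain|group\s+"domain admins"\s+\S+\s+/add)',
    re.IGNORECASE)

def _base(path):
    return path.lower().rsplit("\\", 1)[-1]  # lower-cased file-name component of a Windows path

def detect(events):
    """Return (rule_id, event_index) for every event matching DET-002 .. DET-005."""
    hits = []
    for i, ev in enumerate(events):
        eid, image = ev.get("event_id"), ev.get("image", "")
        if eid == 1:  # Sysmon EID 1, process creation (4720/4728 correlation not modelled)
            via_bomgar = _base(ev.get("parent_image", "")) == "bomgar-scc.exe"
            as_system = ev.get("user", "").upper().endswith("SYSTEM")
            if via_bomgar and as_system and ACCOUNT_ADD.search(ev.get("command_line", "")):
                hits.append(("DET-002", i))
            if via_bomgar and _base(image) in RMM_BINARIES:
                hits.append(("DET-004", i))
            # Renamed SimpleHelp: PE version info names SimpleHelp, the on-disk name does not.
            if "simplehelp" in ev.get("original_file_name", "").lower() \
                    and "simplehelp" not in _base(image) \
                    and image.lower().startswith("c:\\programdata\\"):
                hits.append(("DET-004", i))
        elif eid == 6 and _base(ev.get("driver", "")) in MALICIOUS_DRIVERS:
            hits.append(("DET-003", i))  # BYOVD load; AV/EDR-kill follow-up not modelled
        elif eid == 4698 and ev.get("task_name") == "AteraAge" \
                and not ev.get("task_path", "").lower().startswith(APPROVED_ATERA_DIR):
            hits.append(("DET-005", i))
    return hits

SAMPLE_EVENTS = [  # constructed records, not telemetry from the campaign
    {"event_id": 1, "parent_image": "C:\\Program Files\\Bomgar\\bomgar-scc.exe", "image": "C:\\Windows\\System32\\net.exe",
     "user": "NT AUTHORITY\\SYSTEM", "command_line": 'net group "Domain Admins" svc_backup /add'},
    {"event_id": 6, "driver": "C:\\Windows\\Temp\\hrwfpdrv.sys"},
    {"event_id": 1, "parent_image": "C:\\Program Files\\Bomgar\\bomgar-scc.exe", "image": "C:\\ProgramData\\AnyDesk.exe",
     "user": "NT AUTHORITY\\SYSTEM", "command_line": "AnyDesk.exe --install"},
    {"event_id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\ProgramData\\svchost.exe",
     "user": "CORP\\jdoe", "original_file_name": "SimpleHelp.exe", "command_line": "svchost.exe"},
    {"event_id": 4698, "task_name": "AteraAge", "task_path": "C:\\ProgramData\\AteraAge\\agent.exe"},
    {"event_id": 1, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\net.exe",
     "user": "CORP\\jdoe", "command_line": "net user jdoe /domain"},
    {"event_id": 4698, "task_name": "AteraAge", "task_path": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"},
]
```

Calling detect(SAMPLE_EVENTS) flags the first five records and leaves the two benign ones (a plain account lookup and the task pointing at the approved Atera directory) unflagged.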

Observed Countries (1)

US (918)