A new exploitation wave targeting BeyondTrust products followed the disclosure of CVE-2026-1731, for which patches for BeyondTrust Remote Support and older Privileged Remote Access versions were released on 6 February 2026. A proof-of-concept exploit was made public on 10 February, and open-source reporting recorded exploitation attempts within 24 hours.
Darktrace’s threat research describes highly anomalous activity across several customer environments from 10 February 2026 that may relate to BeyondTrust exploitation, including unusual outbound connections and DNS requests, suspicious executable downloads and several beaconing patterns, alongside indicators of crypto-mining activity.
The analysis also points to potential post-exploitation activity, such as DNS names resolving to internal IP addresses and lookups of rare external domains, and, as background to the exploitation activity, references a previously reported link to React2Shell. The campaign it highlights generated only a small amount of Monero, but it demonstrates that AI-assisted tooling can produce functional exploitation frameworks and enable rapid compromise across many hosts, underscoring the need for rapid patching and robust behavioural detection.
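As an added illustration (not code from Darktrace’s report or from BeyondTrust), the following Python script applies two of the behavioural checks the summary lists to a handful of constructed log lines: external names that resolve to internal (RFC 1918, loopback or link-local) addresses, and repeated connections from one host to one destination at a near-constant interval, the classic beaconing shape. The log format, the `INTERNAL_SUFFIXES` list of the organisation’s own DNS zones, the sample records and the jitter threshold are all assumptions made for the example.

```python
"""Behavioural checks over a constructed DNS/connection log (added example)."""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: the organisation's own internal zones, whose names are
# expected to resolve to private addresses and must not be flagged.
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample log, one event per line:
#   <timestamp> <src_ip> dns  <qname> <answer_ip>
#   <timestamp> <src_ip> conn <dst_ip>:<port>
SAMPLE_LOG = """\
2026-02-10T09:00:00Z 10.1.2.3 dns sso.corp.example 10.0.0.20
2026-02-10T09:00:05Z 10.1.2.3 dns rare-cdn-update.test 10.1.200.7
2026-02-10T09:00:07Z 10.1.2.3 conn 198.51.100.23:443
2026-02-10T09:01:07Z 10.1.2.3 conn 198.51.100.23:443
2026-02-10T09:02:08Z 10.1.2.3 conn 198.51.100.23:443
2026-02-10T09:03:06Z 10.1.2.3 conn 198.51.100.23:443
2026-02-10T09:04:07Z 10.1.2.3 conn 198.51.100.23:443
2026-02-10T09:00:30Z 10.1.2.9 conn 203.0.113.5:80
2026-02-10T09:12:30Z 10.1.2.9 conn 203.0.113.5:80
2026-02-10T09:13:01Z 10.1.2.9 conn 203.0.113.5:80
2026-02-10T09:40:00Z 10.1.2.9 conn 203.0.113.5:80
"""


def parse_log(text):
    """Parse the assumed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, kind, *rest = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if kind == "dns":
            qname, answer = rest
            events.append({"ts": when, "src": src, "kind": "dns",
                           "qname": qname.lower(), "answer": answer})
        elif kind == "conn":
            host, port = rest[0].rsplit(":", 1)
            events.append({"ts": when, "src": src, "kind": "conn",
                           "dst": host, "port": int(port)})
    return events


def find_internal_resolutions(events):
    """Return (qname, ip) pairs where a non-internal name resolved to an internal address."""
    hits = []
    for e in events:
        if e["kind"] != "dns" or e["qname"].endswith(INTERNAL_SUFFIXES):
            continue
        try:
            ip = ipaddress.ip_address(e["answer"])
        except ValueError:
            continue  # non-address answer (e.g. CNAME target); skip
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            hits.append((e["qname"], e["answer"]))
    return hits


def find_beacons(events, min_connections=4, max_jitter=0.25):
    """Return {(src, dst, port): mean_interval_s} for regularly spaced connection series.

    Regularity is measured as population stdev / mean of the gaps between
    consecutive connections; max_jitter is an assumed threshold.
    """
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "conn":
            by_pair[(e["src"], e["dst"], e["port"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for qname, ip in find_internal_resolutions(evs):
        print(f"external name {qname} resolved to internal address {ip}")
    for (src, dst, port), interval in find_beacons(evs).items():
        print(f"{src} -> {dst}:{port} beacons roughly every {interval}s")
```

On the sample, only `rare-cdn-update.test` is flagged for resolving to a private address, and only the 10.1.2.3 series to 198.51.100.23:443 (gaps of 60, 61, 58 and 61 seconds) qualifies as a beacon; the irregular 10.1.2.9 series does not. In production the same two checks would run over a resolver log and a flow log rather than a combined text file, and the jitter threshold would be tuned against the environment’s normal traffic.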
It also notes that one observed intrusion involved a Docker-centric scenario in which a dedicated spreading tool appeared to have been deployed separately by the attacker.