Note: Darktrace's Threat Research team is publishing now to help defenders. We will continue updating this blog as our investigations unfold.
Background
On February 6, 2026, BeyondTrust, a vendor of identity and access management solutions, announced patches for CVE-2026-1731, a vulnerability that enables unauthenticated remote code execution via specially crafted requests. The vulnerability affects BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) [1].
A Proof of Concept (PoC) exploit for this vulnerability was released publicly on February 10, and open-source intelligence (OSINT) reported exploitation attempts within 24 hours [2].
Previous intrusions involving BeyondTrust technology have been linked to nation-state activity, including a 2024 breach targeting the U.S. Treasury Department. That incident led to emergency directives from the Cybersecurity and Infrastructure Security Agency (CISA), and later analysis showed the attackers had chained previously unknown vulnerabilities to achieve their goals [3].
Additionally, there appears to be infrastructure overlap with the React2Shell mass exploitation previously observed by Darktrace: the command-and-control (C2) domain avg.domaininfo[.]top was seen in potential post-exploitation activity related to BeyondTrust, as well as in a React2Shell exploitation case involving possible EtherRAT deployment.
Darktrace Detections
Darktrace’s Threat Research team has identified highly anomalous activity across several customers that may relate to exploitation of BeyondTrust since February 10, 2026. Observed activities include:
- Outbound connections and DNS requests to endpoints associated with Out-of-Band Application Security Testing services; these services are commonly abused by threat actors to confirm that an exploit attempt succeeded. Associated Darktrace models include:
  o Compromise / Possible Tunnelling to Bin Services
- Suspicious executable file downloads. Associated Darktrace models include:
  o Anomalous File / EXE from Rare External Location
- Outbound beaconing to rare domains. Associated Darktrace models include:
  o Compromise / Agent Beacon (Medium Period)
  o Compromise / Agent Beacon (Long Period)
  o Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
  o Compromise / Beacon to Young Endpoint
  o Anomalous Server Activity / Rare External from Server
  o Compromise / SSL Beaconing to Rare Destination
- Unusual cryptocurrency mining activity. Associated Darktrace models include:
  o Compromise / Monero Mining
  o Compromise / High Priority Crypto Currency Mining
- Additional associated Darktrace model alerts include:
  o Compromise / Rare Domain Pointing to Internal IP
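The "Agent Beacon" style of detection listed above keys on regularity: a compromised host calls back to the same rare endpoint at a near-constant interval, with only small jitter. The following is an added example, not Darktrace code or a description of how its models work, showing the simplest form of that logic over a constructed connection log. The log format (timestamp plus key=value fields), the thresholds (at least 8 connections, jitter no more than 20% of the median interval), and all addresses are assumptions chosen for illustration.

```python
"""Toy beacon detector: flag (src, dst) pairs whose connection timestamps recur
at a near-constant interval. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

BASE_TIME = datetime(2026, 2, 11, 9, 0, tzinfo=timezone.utc)


def make_line(offset_s, src, dst, port):
    """Build one constructed log line in the assumed 'ts conn key=value ...' format."""
    ts = (BASE_TIME + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} conn src={src} dst={dst} dport={port} proto=tcp"


# Constructed sample log (not real customer data):
#  - 10.0.0.5 calls 198.51.100.7 every ~300 s with a few seconds of jitter (beacon)
#  - 10.0.0.9 talks to 203.0.113.9 at irregular, browsing-like intervals (benign)
#  - 10.0.0.12 has too few connections to judge either way
JITTER_S = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1, 0, 2]
SAMPLE_LOG = (
    [make_line(300 * i + j, "10.0.0.5", "198.51.100.7", 8009) for i, j in enumerate(JITTER_S)]
    + [make_line(o, "10.0.0.9", "203.0.113.9", 443)
       for o in (0, 40, 600, 650, 1900, 2000, 2500, 4000, 4100, 7000)]
    + [make_line(o, "10.0.0.12", "192.0.2.44", 443) for o in (10, 700, 1500)]
)


def parse_line(line):
    """Return (timestamp, src, dst) from one log line."""
    ts_str, _, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, kv["src"], kv["dst"]


def interval_stats(timestamps):
    """Return (median gap in seconds, jitter ratio = MAD of gaps / median gap).

    A low jitter ratio means the gaps are tightly clustered around one value,
    which is what a sleep-and-call-home loop produces.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    mad = median(abs(g - med) for g in gaps)
    return med, (mad / med if med else float("inf"))


def find_beacons(lines, min_connections=8, max_jitter=0.2):
    """Group connections per (src, dst) and flag pairs with regular timing."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:  # not enough samples to judge regularity
            continue
        med, jitter = interval_stats(stamps)
        if jitter <= max_jitter:
            hits[pair] = {"median_interval_s": med, "jitter": round(jitter, 3),
                          "count": len(stamps)}
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info}")
```

On the constructed data only the 10.0.0.5 pair is flagged (median gap 301 s, jitter about 2%). In practice this check is combined with rarity of the destination, as the model names above indicate, because plenty of legitimate software also polls on a fixed schedule.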
IT Defenders: As part of best practices, we highly recommend employing an automated containment solution in your environment. For Darktrace customers, please ensure that Autonomous Response is configured correctly. More guidance regarding this activity and suggested actions can be found in the Darktrace Customer Portal.
Appendices
Potential indicators of post-exploitation behavior:
· 217.76.57[.]78 – IP address – Likely C2 server
· hXXp://217.76.57[.]78:8009/index.js – URL – Likely payload
· b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7 – SHA1 – Likely payload
· 195.154.119[.]194 – IP address – Likely C2 server
· hXXp://195.154.119[.]194/index.js – URL – Likely payload
· avg.domaininfo[.]top – Hostname – Likely C2 server
· 104.234.174[.]5 – IP address – Possible C2 server
· 35da45aeca4701764eb49185b11ef23432f7162a – SHA1 – Possible payload
· hXXp://134.122.13[.]34:8979/c – URL – Possible payload
· 134.122.13[.]34 – IP address – Possible C2 server
· 28df16894a6732919c650cc5a3de94e434a81d80 – SHA1 – Possible payload
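The indicators above are defanged (hXXp, [.]) so they cannot be clicked by accident; to use them for retrospective hunting they need to be refanged, typed, and matched against DNS, proxy, and endpoint records. The following is an added example, not Darktrace tooling, that does exactly that for the indicators listed in this appendix. The log line format (key=value tokens), the internal client addresses, and the sample lines themselves are constructed for illustration; the indicator values and their assessments are taken verbatim from the list above.

```python
"""Refang the appendix indicators and match them against sample log lines.
Added example with constructed log data; indicators are from the appendix."""
import re
from urllib.parse import urlsplit

# Indicators exactly as listed in the appendix (defanged), with their assessment.
DEFANGED_IOCS = {
    "217.76.57[.]78": "Likely C2 server",
    "hXXp://217.76.57[.]78:8009/index.js": "Likely payload",
    "b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7": "Likely payload",
    "195.154.119[.]194": "Likely C2 server",
    "hXXp://195.154.119[.]194/index.js": "Likely payload",
    "avg.domaininfo[.]top": "Likely C2 server",
    "104.234.174[.]5": "Possible C2 server",
    "35da45aeca4701764eb49185b11ef23432f7162a": "Possible payload",
    "hXXp://134.122.13[.]34:8979/c": "Possible payload",
    "134.122.13[.]34": "Possible C2 server",
    "28df16894a6732919c650cc5a3de94e434a81d80": "Possible payload",
}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ioc):
    """Undo the common defanging conventions: '[.]' -> '.', 'hXXp(s)' -> 'http(s)'."""
    ioc = ioc.replace("[.]", ".")
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


def classify(value):
    """Type a refanged indicator so it is only compared with the right log fields."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", value):
        return "sha1"
    if value.lower().startswith(("http://", "https://")):
        return "url"
    if IPV4_RE.match(value):
        return "ip"
    return "hostname"


def build_index(defanged):
    """Map each indicator type to {refanged lowercase value: assessment}."""
    index = {"ip": {}, "hostname": {}, "url": {}, "sha1": {}}
    for ioc, label in defanged.items():
        clean = refang(ioc)
        index[classify(clean)][clean.lower()] = label
    return index


# Constructed sample log lines (not real telemetry). Line numbers are 1-based.
SAMPLE_LOG_LINES = [
    "2026-02-11T10:02:11Z dns client=10.0.0.5 query=avg.domaininfo.top",
    "2026-02-11T10:02:15Z proxy client=10.0.0.5 url=http://217.76.57.78:8009/index.js status=200",
    "2026-02-11T10:03:00Z proxy client=10.0.0.9 url=https://www.example.com/ status=200",
    "2026-02-11T10:05:41Z edr host=srv01 sha1=35da45aeca4701764eb49185b11ef23432f7162a file=c",
    "2026-02-11T10:06:00Z dns client=10.0.0.9 query=domaininfo.top",
]


def scan_logs(lines, index=None):
    """Return (line_no, type, matched value, assessment) for every indicator hit.

    Every key=value field is checked; a URL field is additionally checked by its
    host so that an IP or hostname indicator still fires when only a URL is logged.
    """
    index = index or build_index(DEFANGED_IOCS)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        candidates = {value.lower() for value in fields.values()}
        if "url" in fields:
            host = urlsplit(fields["url"]).hostname
            if host:
                candidates.add(host.lower())
        for value in sorted(candidates):
            for kind in ("ip", "hostname", "url", "sha1"):
                if value in index[kind]:
                    hits.append((n, kind, value, index[kind][value]))
    return hits


if __name__ == "__main__":
    for n, kind, value, label in scan_logs(SAMPLE_LOG_LINES):
        print(f"line {n}: {kind} {value} -> {label}")
```

Note that the parent domain domaininfo.top on the last sample line is deliberately not matched: the appendix lists only the avg subdomain, and widening the match to the registered domain is a decision an analyst should make explicitly rather than one the matcher takes on its own.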
References:
1. https://nvd.nist.gov/vuln/detail/CVE-2026-1731