TTPwire Vol. 1 · MITRE ATT&CK Tagged

Huntress

Uptick in Bomgar RMM Exploitation

2026-04-17

ATT&CK techniques detected

18 predictions

T1190 Exploit Public-Facing Application (99%)
"Uptick in Bomgar RMM Exploitation. Acknowledgments: Special thanks to Olly Maxwell, Josh Kiriakoff, Jordan Sexton, Ryan Dowd, Jamie Dumas, Amelia Casley, Austin Worline, and Lindsey O'Donnell-Welch for their contributions to this research and blog. Over the past two weeks, th…"

T1486 Data Encrypted for Impact (99%)
", starting around April 3, the SOC saw another increase in attacks. Currently, we do not have further insight into the specific root cause behind these attacks, but the incidents likely stem from the exploitation of CVE-2026-1731. We see malicious processes stemming from Bomg…"

T1219 Remote Access Tools (97%)
"creating a persistent backdoor with domain-wide control. The intrusion did not stop at privilege escalation. With administrative control in place, the actor deployed additional remote access tools including AnyDesk (c:\users\support\documents\anydesk.exe). LockBit r…"

T1080 Taint Shared Content (94%)
", starting around April 3, the SOC saw another increase in attacks. Currently, we do not have further insight into the specific root cause behind these attacks, but the incidents likely stem from the exploitation of CVE-2026-1731. We see malicious processes stemming from Bomg…"

T1219 Remote Access Tools (94%)
"this specific RMM, leading to the access of partner environments. Here are a few ways that businesses can protect themselves, particularly if they already have Bomgar in their environments: - Make sure that you have applied the patches for CVE-2026-1731 (check out BeyondTru…"

T1219 Remote Access Tools (88%)
"actors have also used their access via Bomgar to conduct domain reconnaissance, perform network enumeration via NetScan, add administrator users for persistence, and execute further RMMs like AnyDesk and Atera. - This most recent uptick in Bomgar-related incidents follows an in…"

T1219 Remote Access Tools (79%)
"(version 21.1.3). These clues led the SOC to suspect that the attackers in this particular incident were exploiting Bomgar's existing vulnerability, which has been patched since February in version 25.3.2 of Bomgar/Remote Support (versions 25.3.1 and prior are impact…"

T1219 Remote Access Tools (78%)
"to the local Administrators group and Domain Admins group. Finally, they installed AnyDesk as seen in the following command line: anydesk.exe --install "c:\program files (x86)\anydesk" Figure 4: A comparison of some of the recent incidents involving Bomgar. The SOC h…"

T1486 Data Encrypted for Impact (78%)
"…x.sys) may be linked to PoisonKiller, a bring your own vulnerable driver (BYOVD) tool designed to terminate EDR agents (the tool was likely listed on GitHub at the beginning of April, but has since been removed). The SOC also observed the actor using hrsword.exe, which i…"

T1486 Data Encrypted for Impact (76%)
"creating a persistent backdoor with domain-wide control. The intrusion did not stop at privilege escalation. With administrative control in place, the actor deployed additional remote access tools including AnyDesk (c:\users\support\documents\anydesk.exe). LockBit r…"

T1190 Exploit Public-Facing Application (69%)
"(version 21.1.3). These clues led the SOC to suspect that the attackers in this particular incident were exploiting Bomgar's existing vulnerability, which has been patched since February in version 25.3.2 of Bomgar/Remote Support (versions 25.3.1 and prior are impact…"

T1136.001 Local Account (63%)
"the ransom note appears to be different, but one possibility is that the threat group behind this incident was using the LockBit builder that had previously been leaked in 2022. Figure 3: An excerpt from the ransom note. Other TTPs: We observed several other tactics across attacks…"

T1543.003 Windows Service (61%)
"…x.sys) may be linked to PoisonKiller, a bring your own vulnerable driver (BYOVD) tool designed to terminate EDR agents (the tool was likely listed on GitHub at the beginning of April, but has since been removed). The SOC also observed the actor using hrsword.exe, which i…"

T1195.002 Compromise Software Supply Chain (57%)
", starting around April 3, the SOC saw another increase in attacks. Currently, we do not have further insight into the specific root cause behind these attacks, but the incidents likely stem from the exploitation of CVE-2026-1731. We see malicious processes stemming from Bomg…"

T1136 Create Account (54%)
"the ransom note appears to be different, but one possibility is that the threat group behind this incident was using the LockBit builder that had previously been leaked in 2022. Figure 3: An excerpt from the ransom note. Other TTPs: We observed several other tactics across attacks…"

T1078.003 Local Accounts (48%)
"the ransom note appears to be different, but one possibility is that the threat group behind this incident was using the LockBit builder that had previously been leaked in 2022. Figure 3: An excerpt from the ransom note. Other TTPs: We observed several other tactics across attacks…"

T1068 Exploitation for Privilege Escalation (38%)
"…x.sys) may be linked to PoisonKiller, a bring your own vulnerable driver (BYOVD) tool designed to terminate EDR agents (the tool was likely listed on GitHub at the beginning of April, but has since been removed). The SOC also observed the actor using hrsword.exe, which i…"

T1652 Device Driver Discovery (32%)
"…x.sys) may be linked to PoisonKiller, a bring your own vulnerable driver (BYOVD) tool designed to terminate EDR agents (the tool was likely listed on GitHub at the beginning of April, but has since been removed). The SOC also observed the actor using hrsword.exe, which i…"

Summary

The Huntress SOC has seen a recent uptick in incidents involving compromised Bomgar remote monitoring and management (RMM) instances.