13 Feb 2026

Note: Darktrace's Threat Research team is publishing now to help defenders. We will continue updating this blog as our investigations unfold.

Background

On February 6, 2026, the identity and access management vendor BeyondTrust announced patches for a vulnerability, CVE-2026-1731, which enables unauthenticated remote code execution using specially crafted requests. This vulnerability affects BeyondTrust Remote Support (RS) and particular older versions of Privileged Remote Access (PRA) [1]. A Proof of Concept (PoC) exploit for this vulnerability was released publicly on February 10, and open-source intelligence (OSINT) reported exploitation attempts within 24 hours [2].

Previous intrusions against BeyondTrust technology have been attributed to nation-state actors, including a 2024 breach targeting the U.S. Treasury Department. That incident led to emergency directives from the Cybersecurity and Infrastructure Security Agency (CISA), and later analysis showed the attackers had chained previously unknown vulnerabilities to achieve their goals [3].

Additionally, there appears to be infrastructure overlap with the React2Shell mass exploitation previously observed by Darktrace: the command-and-control (C2) domain avg.domaininfo[.]top was seen in potential post-exploitation activity for BeyondTrust, as well as in a React2Shell exploitation case involving possible EtherRAT deployment.

Darktrace Detections

Darktrace's Threat Research team has identified highly anomalous activity across several customers since February 10, 2026 that may relate to exploitation of BeyondTrust. Observed activities include:

- Outbound connections and DNS requests to endpoints associated with Out-of-Band Application Security Testing (OAST); these services are commonly abused by threat actors to confirm that an exploit attempt succeeded. Associated Darktrace models include:
  - Compromise / Possible Tunnelling to Bin Services
- Suspicious executable file downloads.
  Associated Darktrace models include:
  - Anomalous File / EXE from Rare External Location
- Outbound beaconing to rare domains. Associated Darktrace models include:
  - Compromise / Agent Beacon (Medium Period)
  - Compromise / Agent Beacon (Long Period)
  - Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
  - Compromise / Beacon to Young Endpoint
  - Anomalous Server Activity / Rare External from Server
  - Compromise / SSL Beaconing to Rare Destination
- Unusual cryptocurrency mining activity. Associated Darktrace models include:
  - Compromise / Monero Mining
  - Compromise / High Priority Crypto Currency Mining
- Model alerts for:
  - Compromise / Rare Domain Pointing to Internal IP

IT Defenders: As part of best practices, we highly recommend employing an automated containment solution in your environment. For Darktrace customers, please ensure that Autonomous Response is configured correctly. More guidance regarding this activity and suggested actions can be found in the Darktrace Customer Portal.

Appendices

Potential indicators of post-exploitation behavior:

- 217.76.57[.]78 - IP address - Likely C2 server
- hXXp://217.76.57[.]78:8009/index.js - URL - Likely payload
- b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7 - SHA1 - Likely payload
- 195.154.119[.]194 - IP address - Likely C2 server
- hXXp://195.154.119[.]194/index.js - URL - Likely payload
- avg.domaininfo[.]top - Hostname - Likely C2 server
- 104.234.174[.]5 - IP address - Possible C2 server
- 35da45aeca4701764eb49185b11ef23432f7162a - SHA1 - Possible payload
- hXXp://134.122.13[.]34:8979/c - URL - Possible payload
- 134.122.13[.]34 - IP address - Possible C2 server
- 28df16894a6732919c650cc5a3de94e434a81d80 - SHA1 - Possible payload

References:

1. https://nvd.nist.gov/vuln/detail/CVE-2026-1731
2. https://www.securityweek.com/beyondtrust-vulnerability-targeted-by-hackers-within-24-hours-of-poc-release/
3. https://www.rapid7.com/blog/post/etr-cve-2026-1731-critical-unauthenticated-remote-code-execution-rce-beyondtrust-remote-support-rs-privileged-remote-access-pra/

Written by Emma Foulger, Global Threat Research Operations Lead
Written by Nathaniel Jones, VP, Security & AI Strategy, Field CISO
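The indicators in the appendix are published defanged (hXXp, [.]) so they cannot be clicked by accident, which also means they will not match raw log fields until they are normalised. The script below is an added example, not Darktrace code and not one of the models named above: it refangs the appendix IoCs, extracts URL, IP, hostname and SHA1 candidates from log lines, and reports which lines hit. The log lines and their field layout are constructed for the example; adapt the regexes to your own proxy, DNS and EDR formats.

```python
"""Match the appendix IoCs from the CVE-2026-1731 post against sample log lines.

Added example for this post, not Darktrace code. The indicators are the
defanged values from the appendix; the log lines below are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

# Indicators copied from the appendix, still in their defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["217.76.57[.]78", "195.154.119[.]194", "104.234.174[.]5", "134.122.13[.]34"],
    "url": [
        "hXXp://217.76.57[.]78:8009/index.js",
        "hXXp://195.154.119[.]194/index.js",
        "hXXp://134.122.13[.]34:8979/c",
    ],
    "hostname": ["avg.domaininfo[.]top"],
    "sha1": [
        "b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7",
        "35da45aeca4701764eb49185b11ef23432f7162a",
        "28df16894a6732919c650cc5a3de94e434a81d80",
    ],
}

# Constructed sample log lines (not from the post): one DNS, two proxy,
# one connection and one EDR record in a simple key=value layout.
SAMPLE_LOGS = [
    "dns client=10.1.4.22 query=avg.domaininfo.top type=A",
    "proxy client=10.1.4.22 method=GET url=http://217.76.57.78:8009/index.js status=200",
    "proxy client=10.1.4.23 method=GET url=http://example.invalid/update.js status=200",
    "conn client=10.1.4.22 dst=195.154.119.194 dport=80 proto=tcp",
    "edr host=ws-0422 file=C:\\Users\\Public\\index.js sha1=B6A15E1F2F3E1F651A5AD4A18CE39D411D385AC7",
    "dns client=10.1.4.30 query=updates.example.invalid type=A",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA1 = re.compile(r"\b[0-9a-f]{40}\b")
URL = re.compile(r"https?://[^\s\"']+")
# Coarse hostname pattern: dotted labels ending in an alphabetic TLD, so
# bare IPv4 addresses are excluded but file names like index.js do match.
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo the common defanging conventions and lower-case the result."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)
    return value.lower()


def build_ioc_index(defanged: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Refang every indicator and group the results by indicator type."""
    return {kind: {refang(v) for v in values} for kind, values in defanged.items()}


def extract_candidates(line: str) -> Dict[str, Set[str]]:
    """Pull every URL, IPv4, SHA1 and hostname-looking token out of a log line."""
    low = line.lower()
    return {
        "url": set(URL.findall(low)),
        "ip": set(IPV4.findall(low)),
        "sha1": set(SHA1.findall(low)),
        "hostname": set(HOST.findall(low)),
    }


def match_line(line: str, index: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (indicator type, value) pairs from the index that appear in the line."""
    hits: List[Tuple[str, str]] = []
    for kind, candidates in extract_candidates(line).items():
        for value in sorted(candidates & index.get(kind, set())):
            hits.append((kind, value))
    return hits


def scan(lines: List[str], index: Dict[str, Set[str]] = None) -> Dict[str, List[Tuple[str, str]]]:
    """Map each log line that hits at least one indicator to its list of hits."""
    if index is None:
        index = build_ioc_index(DEFANGED_IOCS)
    return {line: hits for line in lines if (hits := match_line(line, index))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOGS).items():
        print(line)
        for kind, value in hits:
            print(f"    {kind}: {value}")
```

A URL hit also produces an IP hit for the embedded address, which is useful when the proxy log records the URL but the firewall log only records the destination IP. Hostname extraction is deliberately loose; tighten it to your DNS log's query field before relying on it at scale.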