Blog
/
OT
/
February 9, 2022

The Impact of Conti Ransomware on OT Systems

Learn how ransomware can spread throughout converged IT/OT environments, and how Self-Learning AI empowers organizations to contain these threats.
Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
09
Feb 2022

Ransomware has taken the world by storm, and IT is not the only technology affected. Operational Technology (OT), which is increasingly blending with IT, is also susceptible to ransomware tactics, techniques, and procedures (TTPs). And when ransomware strikes OT, the effects have the potential to be devastating.

Here, we will look at a ransomware attack that spread from IT to OT systems. The attack was detected by Darktrace AI.

This threat find demonstrates a use case of Darktrace’s technology that delivers immense value to organizations with OT: spotting and stopping ransomware at its earliest stages, before the damage is done. This is particularly helpful for organizations with interconnected enterprise and industrial environments, as it means:

  1. Emerging attacks can be contained in IT before they spread laterally into OT, and even before they spread from device to device in IT;
  2. Organizations gain granular visibility into their industrial environments, detecting deviations from normal activity, and quick identification of remediating actions.

Threat find: Ransomware and crypto-mining hijack affecting IT and OT systems

Darktrace recently identified an aggressive attack targeting an OT R&D investment firm in EMEA. The attack originally started as a crypto-mining campaign and later evolved into ransomware. This organization deployed Darktrace in a digital estate containing both IT and OT assets that spanned over 3,000 devices.

If the organization had deployed Darktrace’s Autonomous Response technology in active mode, this threat would have been stopped in its earliest stages. Even in the absence of Autonomous Response, however, mere human attention would have stopped this attack’s progression. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware. In this case, however, the security team was not monitoring Darktrace’s interface, and so the attack was allowed to proceed.

Compromised OT devices

This threat find will focus on the attack techniques used to take over two OT devices, specifically, a HMI (human machine interface), and an ICS Historian used to collect and log industrial data. These OT devices were both VMware virtual machines running Windows OS, and were compromised as part of a wider Conti ransomware infection. Both devices were being used primarily within an industrial control system (ICS), running a popular ICS software package and making regular connections to an industrial cloud platform.

These devices were thus part of an ICSaaS (ICS-as-a-Service) environment, using virtualised and Cloud platforms to run analytics, update threat intelligence, and control the industrial process. As previously highlighted by Darktrace, the convergence of cloud and ICS increases a network’s attack surface and amplifies cyber risk.

Attack lifecycle

Opening stages

The initial infection of the OT devices occurred when a compromised Domain Controller (DC) made unusual Active Directory requests. The devices made subsequent DCE-RPC binds for epmapper, often used by attackers for command execution, and lsarpc, used by attackers to abuse authentication policies and escalate privileges.

The payload was delivered when the OT devices used SMB to connect to the sysvol folder on the DC and read a malicious executable file, called SetupPrep.exe.

Figure 1: Darktrace model breaches across the whole network from initial infection on October 21 to the detonation on November 15.

Figure 2: ICS reads on the HMI in the lead up, during, and following detonation of the ransomware.

Device encryption and lateral spread

The malicious payload remained dormant on the OT devices for three weeks. It seems the attacker used the time to install crypto-mining malware elsewhere on the network and consolidate their foothold.

On the day the ransomware detonated, the attacker used remote management tools to initiate encryption. The PSEXEC tool was used on an infected server (separate from the original DC) to remotely execute malicious .dll files on the compromised OT devices.

The devices then attempted to make command and control (C2) connections to rare external endpoints using suspicious ports. Like in many ICS networks, sufficient network segregation had been implemented to prevent the HMI device from making successful connections to the Internet and the C2 communications failed. But worryingly, the failed C2 did not prevent the attack from proceeding or the ransomware from detonating.

The Historian device made successful C2 connections to around 40 unique external endpoints. Darktrace detected beaconing-type behavior over suspicious TCP/SSL ports including 465, 995, 2078, and 2222. The connections were made to rare destination IP addresses that did not specify the Server Name Indication (SNI) extension hostname and used self-signed and/or expired SSL certificates.

Both devices enumerated network SMB shares and wrote suspicious shell scripts to network servers. Finally, the devices used SMB to encrypt files stored in network shares, adding a file extension which is likely to be unique to this victim and which will be called ABCXX for the purpose of this blog. Most encrypted files were uploaded to the folder in which the file was originally located, but in some instances were moved to the images folder.

During the encryption, the device was using the machine account to authenticate SMB sessions. This is in contrast to other ransomware incidents that Darktrace has observed, in which admin or service accounts are compromised and abused by the attacker. It is possible that in this instance the attacker was able to use ‘Living off the Land’ techniques (for example the use of lsarpc pipe) to give the machine account admin privileges.

Examples of files being encrypted and moved:

  • SMB move success
  • File: new\spbr0007\0000006A.bak
  • Renamed: new\spbr0007\0000006A.bak.ABCXX
  • SMB move success
  • File: ActiveMQ\readme.txt
  • Renamed: Images\10j0076kS1UA8U975GC2e6IY.488431411265952821382.png.ABCXX

Detonation of ransomware

Upon detonation, the ransomware note readme.txt was written by the ICS to targeted devices as part of the encryption activity.

The final model breached by the device was “Unresponsive ICS Device” as the device either stopped working due to the effects of the ransomware, or was removed from the network.

Figure 3: abc-histdev — external connections filtered on destination port 995 shows C2 connections starting around one hour before encryption began.

How the attack bypassed the rest of the security stack

In this threat find, there were a number of factors which resulted in the OT devices becoming compromised.

The first is IT/OT convergence. The ICS network was insufficiently segregated from the corporate network. This means that devices could be accessed by the compromised DC during the lateral movement stage of the attack. As OT becomes more reliant on IT, ensuring sufficient segregation is in place, or that an attacker can not circumvent such segregation, is becoming an ever increasing challenge for security teams.

Another reason is that the attacker used attack methods which leverage Living off the Land techniques to compromise devices with no discrimination as to whether they were part of an IT or OT network. Many of the machines used to operate ICS networks, including the devices highlighted here, rely on operating systems vulnerable to the kinds of TTPs observed here and that are regularly employed by ransomware groups.

Darktrace insights

Darktrace’s Cyber AI Analyst was able to stitch together many disparate forms of unusual activity across the compromised devices to give a clear security narrative containing details of the attack. The incident report for the Historian server is shown below. This provides a clear illustration of how Cyber AI Analyst can close any skills or communication gap between IT and OT specialists.

Figure 4: Cyber AI Analyst of the Historian server (abc-histdev). It investigated and reported the C2 communication (step 2) that started just before network reconnaissance using TCP scanning (step 3) and the subsequent file encryption over SMB (step 4).

In total, the attacker’s dwell time within the digital estate was 25 days. Unfortunately, it lead to disruption to operational technology, file encryption and financial loss. Altogether, 36 devices were crypto-mining for over 20 days – followed by nearly 100 devices (IT and OT) becoming encrypted following the detonation of the ransomware.

If it were active, Autonomous Response would have neutralized this activity, containing the damage before it could escalate into crisis. Darktrace’s Self-Learning AI gave clear indications of an ongoing compromise in the month prior to the detonation of ransomware, and so any degree of human attention toward Darktrace’s revelations would have stopped the attack.

Autonomous Response is highly configurable, and so, in industrial environments — whether air-gapped OT or converged IT/OT ecosystems — Antigena can be deployed in a variety of manners. In human confirmation mode, human operators need to give the green light before the AI takes action. Antigena can also be deployed only in the higher levels of the Purdue model, or the “IT in OT,” protecting the core assets from fast-moving attacks like ransomware.

Ransomware and interconnected IT/OT systems

ICS networks are often operated by machines that rely on operating systems which can be affected by TTPs regularly employed by ransomware groups — that is, TTPs such as Living off the Land, which do not discriminate between IT and OT.

The threat that ransomware poses to organizations with OT, including critical infrastructure, is so severe that the Cyber Infrastructure and Security Agency (CISA) released a fact sheet concerning these threats in the summer of 2021, noting the risk that IT attacks pose to OT networks:

“OT components are often connected to information technology (IT) networks, providing a path for cyber actors to pivot from IT to OT networks… As demonstrated by recent cyber incidents, intrusions affecting IT networks can also affect critical operational processes even if the intrusion does not directly impact an OT network.”

Major ransomware attacks against the Colonial Pipeline and JBS Foods demonstrate the potential for ransomware affecting OT to cause severe economic disruption on a national and international scale. And ransomware can wreak havoc on OT systems regardless of whether they directly target OT systems.

As industrial environments continue to converge and evolve — be they IT/OT, ICSaaS, or simply poorly segregated legacy systems — Darktrace stands ready to contain attacks before the damage is done. It is time for organizations with industrial environments to take the quantum leap forward that Darktrace’s Self-Learning AI is uniquely positioned to provide.

Thanks to Darktrace analysts Ash Brice and Andras Balogh for their insights on the above threat find.

Discover more on how Darktrace protects OT environments from ransomware

Darktrace model detections

HMI in chronological order at time of detonation:

  • Anomalous Connection / SMB Enumeration
  • Anomalous File / Internal / Unusual SMB Script Write
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • ICS / Unusual Data Transfer By OT Device
  • ICS / Unusual Unresponsive ICS Device

Historian

  • ICS / Rare External from OT Device
  • Anomalous Connection / Anomalous SSL without SNI to New External
  • Anomalous Connection / Multiple Connections to New External TCP Port
  • ICS / Unusual Activity From OT Device
  • Anomalous Connection / SMB Enumeration
  • Anomalous Connection / Suspicious Activity On High Risk Device
  • Unusual Activity / SMB Access Failures
  • Device / Large Number of Model Breaches
  • ICS / Unusual Data Transfer By OT Device
  • Anomalous File / Internal / Additional Extension Appended to SMB File
  • Device / SMB Lateral Movement
  • Compromise / Ransomware / Suspicious SMB Activity [Enhanced Monitoring]
  • Device / Multiple Lateral Movement Model Breaches [Enhanced Monitoring]

Written by
Oakley Cox
Director of Product
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Oakley Cox
Director of Product

Inside Cloud Compromise: Investigating Attacker Activity with Darktrace / Forensic Acquisition & Investigation

March 4, 2026
Nathaniel Bill
Malware Research Engineer
Watch the NIS2 Webinar
Trending blogs
1
Securing Generative AI: Managing Risk in Amazon Bedrock with Darktrace / CLOUD
Nov 19, 2025
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
Continue reading
OT
November 20, 2025

Managing OT Remote Access with Zero Trust Control & AI Driven Detection

A forward-looking breakdown of why modern OT environments can’t rely on visibility alone, and how combining Zero Trust access control with AI-driven behavioral detection gives industrial organizations real-time oversight, accountability, and secure remote access without disrupting operations.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 30, 2025

Redefining OT security with dedicated OT workflows & NEXT-gen visibility for industrial teams

The latest release of Darktrace / OT brings powerful new innovations to security teams defending industrial infrastructure. With a dedicated OT dashboard, segmentation-aware risk modeling, and expanded visibility into edge assets and automation protocols, Darktrace / OT empowers engineers and defenders with the context and control they need to protect today’s converged environments, from IT to the industrial edge.
Pallavi Singh
Product Marketing Manager, OT Security & Compliance
Read more
OT
September 4, 2025

Rethinking Signature-Based Detection for Power Utility Cybersecurity

Signature-based detection has been a mainstay of IT security for decades, but the unique realities of operational technology (OT) environments make it a poor return on investment for power utilities. While signatures can still provide value for commodity IT malware, they fail against insider misuse, zero-day exploits, and custom-built malware designed for grid operations. Historical evidence shows signatures rarely generalize across different utilities, and overreliance creates strategic blind spots. To effectively defend critical energy infrastructure, utilities should prioritize behavioral analytics, anomaly detection, and intelligence sharing across the community.
Daniel Simonds
Director of Operational Technology
Read more

Blog

/

/

March 5, 2026

Inside Cloud Compromise: Investigating Attacker Activity with Darktrace / Forensic Acquisition & Investigation

Forensic Acquisition and investigationDefault blog imageDefault blog image

Investigating cloud attacks with Darktrace/ Forensic Acquisition & Investigation

Darktrace / Forensic Acquisition & Investigation™ is the industry’s first truly automated forensic solution purpose-built for the cloud. This blog will demonstrate how an investigation can be carried out against a compromised cloud server in minutes, rather than hours or days.

The compromised server investigated in this case originates from Darktrace’s Cloudypots system, a global honeypot network designed to observe adversary activity in real time across a wide range of cloud services. Whenever an attacker successfully compromises one of these honeypots, a forensic copy of the virtual server's disk is preserved for later analysis. Using Forensic Acquisition & Investigation, analysts can then investigate further and obtain detailed insights into the compromise including complete attacker timelines and root cause analysis.

Forensic Acquisition & Investigation supports importing artifacts from a variety of sources, including EC2 instances, ECS, S3 buckets, and more. The Cloudypots system produces a raw disk image whenever an attack is detected and stores it in an S3 bucket. This allows the image to be directly imported into Forensic Acquisition & Investigation using the S3 bucket import option.

As Forensic Acquisition & Investigation runs cloud-natively, no additional configuration is required to add a specific S3 bucket. Analysts can browse and acquire forensic assets from any bucket that the configured IAM role is permitted to access. Operators can also add additional IAM credentials, including those from other cloud providers, to extend access across multiple cloud accounts and environments.

Figure 1: Forensic Acquisition & Investigation import screen.

Forensic Acquisition & Investigation then retrieves a copy of the file and automatically begins running the analysis pipeline on the artifact. This pipeline performs a full forensic analysis of the disk and builds a timeline of the activity that took place on the compromised asset. By leveraging Forensic Acquisition & Investigation’s cloud-native analysis system, this process condenses hour of manual work into just minutes.

Successful import of a forensic artifact and initiation of the analysis pipeline.
Figure 2: Successful import of a forensic artifact and initiation of the analysis pipeline.

Once processing is complete, the preserved artifact is visible in the Evidence tab, along with a summary of key information obtained during analysis, such as the compromised asset’s hostname, operating system, cloud provider, and key event count.

The Evidence overview showing the acquired disk image.
Figure 3: The Evidence overview showing the acquired disk image.

Clicking on the “Key events” field in the listing opens the timeline view, automatically filtered to show system- generated alarms.

The timeline provides a chronological record of every event that occurred on the system, derived from multiple sources, including:

  • Parsed log files such as the systemd journal, audit logs, application specific logs, and others.
  • Parsed history files such as .bash_history, allowing executed commands to be shown on the timeline.
  • File-specific events, such as files being created, accessed, modified, or executables being run, etc.

This approach allows timestamped information and events from multiple sources to be aggregated and parsed into a single, concise view, greatly simplifying the data review process.

Alarms are created for specific timeline events that match either a built-in system rule, curated by Darktrace’s Threat Research team or an operator-defined rule  created at the project level. These alarms help quickly filter out noise and highlight on events of interest, such as the creation of a file containing known malware, access to sensitive files like Amazon Web Service (AWS) credentials, suspicious arguments or commands, and more.

The timeline view filtered to alarm_severity: “1” OR alarm_severity: “3”, showing only events that matched an alarm rule.
Figure 4: The timeline view filtered to alarm_severity: “1” OR alarm_severity: “3”, showing only events that matched an alarm rule.

In this case, several alarms were generated for suspicious Base64 arguments being passed to Selenium. Examining the event data, it appears the attacker spawned a Selenium Grid session with the following payload:

"request.payload": "[Capabilities {browserName: chrome, goog:chromeOptions: {args: [-cimport base64;exec(base64...], binary: /usr/bin/python3, extensions: []}, pageLoadStrategy: normal}]"

This is a common attack vector for Selenium Grid. The chromeOptions object is intended to specify arguments for how Google Chrome should be launched; however, in this case the attacker has abused the binary field to execute the Python3 binary instead of Chrome. Combined with the option to specify command-line arguments, the attacker can use Python3’s -c option to execute arbitrary Python code, in this instance, decoding and executing a Base64 payload.

Selenium’s logs truncate the Arguments field automatically, so an alternate method is required to retrieve the full payload. To do this, the search bar can be used to find all events that occurred around the same time as this flagged event.

Pivoting off the previous event by filtering the timeline to events within the same window using timestamp: [“2026-02-18T09:09:00Z” TO “2026-02-18T09:12:00Z”].
Figure 5: Pivoting off the previous event by filtering the timeline to events within the same window using timestamp: [“2026-02-18T09:09:00Z” TO “2026-02-18T09:12:00Z”].

Scrolling through the search results, an entry from Java’s systemd journal can be identified. This log contains the full, unaltered payload. GCHQ’s CyberChef can then be used to decode the Base64 data into the attacker’s script, which will ultimately be executed.

Decoding the attacker’s payload in CyberChef.
Figure 6: Decoding the attacker’s payload in CyberChef.

In this instance, the malware was identified as a variant of a campaign that has been previously documented in depth by Darktrace.

Investigating Perfctl Malware

This campaign deploys a malware sample known as ‘perfctl to the compromised host. The script executed by the attacker downloads a Go binary named “promocioni.php” from 200[.]4.115.1. Its functionality is consistent with previously documented perfctl samples, with only minor changes such as updated filenames and a new command-and-control (C2) domain.

Perfctl is a stealthy malware that has several systems designed  to evade detection. The main binary is packed with UPX, with the header intentionally tampered with to prevent unpacking using regular tools. The binary also avoids executing any malicious code if it detects debugging or tracing activity, or if artifacts left by earlier stages are missing.

To further aid its evasive capabilities, perfctl features a usermode rootkit using an LD preload. This causes dynamically linked executables to load perfctl’s rootkit payload before other system modules, allowing it to override functions, such as intercepting calls to list files and hiding output from the returned list. Perfctl uses this to hide its own files, as well as other files like the ld.so.preload file, preventing users from identifying that a rootkit is present in the first place.

This also makes it difficult to dynamically analyze, as even analysts aware of the rootkit will struggle to get around it due to its aggressiveness in hiding its components. A useful trick is to use the busybox-static utilities, which are statically linked and therefore immune to LD preloading.

Perfctl will attempt to use sudo to escalate its permissions to root if the user it was executed as has the required privileges. Failing this, it will attempt to exploit the vulnerability CVE-2021-4034.

Ultimately, perfctl will attempt to establish a C2 link via Tor and spawn an XMRig miner to mine the Monero cryptocurrency. The traffic to the mining pool is encapsulated within Tor to limit network detection of the mining traffic.

Darktrace’s Cloudypots system has observed 1,959 infections of the perfctl campaign across its honeypot network in the past year, making it one of the most aggressive campaigns seen by Darktrace.

Key takeaways

This blog has shown how Darktrace / Forensic Acquisition & Investigation equips defenders in the face of a real-world attacker campaign. By using this solution, organizations can acquire forensic evidence and investigate intrusions across multiple cloud resources and providers, enabling defenders to see the full picture of an intrusion on day one. Forensic Acquisition & Investigation’s patented data-processing system takes advantage of the cloud’s scale to rapidly process large amounts of data, allowing triage to take minutes, not hours.

Darktrace / Forensic Acquisition & Investigation is available as Software-as-a-Service (SaaS) but can also be deployed on-premises as a virtual application or natively in the cloud, providing flexibility between convenience and data sovereignty to suit any use case.

Support for acquiring traditional compute instances like EC2, as well as more exotic and newly targeted platforms such as ECS and Lambda, ensures that attacks taking advantage of Living-off-the-Cloud (LOTC) strategies can be triaged quickly and easily as part of incident response. As attackers continue to develop new techniques, the ability to investigate how they use cloud services to persist and pivot throughout an environment is just as important to triage as a single compromised EC2 instance.

Credit to Nathaniel Bill (Malware Research Engineer)

Continue reading
About the author
Nathaniel Bill
Malware Research Engineer

Blog

/

Network

/

February 19, 2026

CVE-2026-1731: How Darktrace Sees the BeyondTrust Exploitation Wave Unfolding

Default blog imageDefault blog image

Note: Darktrace's Threat Research team is publishing now to help defenders. We will continue updating this blog as our investigations unfold.

Background

On February 6, 2026, the Identity & Access Management solution BeyondTrust announced patches for a vulnerability, CVE-2026-1731, which enables unauthenticated remote code execution using specially crafted requests.  This vulnerability affects BeyondTrust Remote Support (RS) and particular older versions of Privileged Remote Access (PRA) [1].

A Proof of Concept (PoC) exploit for this vulnerability was released publicly on February 10, and open-source intelligence (OSINT) reported exploitation attempts within 24 hours [2].

Previous intrusions against Beyond Trust technology have been cited as being affiliated with nation-state attacks, including a 2024 breach targeting the U.S. Treasury Department. This incident led to subsequent emergency directives from  the Cybersecurity and Infrastructure Security Agency (CISA) and later showed attackers had chained previously unknown vulnerabilities to achieve their goals [3].

Additionally, there appears to be infrastructure overlap with React2Shell mass exploitation previously observed by Darktrace, with command-and-control (C2) domain  avg.domaininfo[.]top seen in potential post-exploitation activity for BeyondTrust, as well as in a React2Shell exploitation case involving possible EtherRAT deployment.

Darktrace Detections

Darktrace’s Threat Research team has identified highly anomalous activity across several customers that may relate to exploitation of BeyondTrust since February 10, 2026. Observed activities include:

Outbound connections and DNS requests for endpoints associated with Out-of-Band Application Security Testing; these services are commonly abused by threat actors for exploit validation.  Associated Darktrace models include:

  • Compromise / Possible Tunnelling to Bin Services

Suspicious executable file downloads. Associated Darktrace models include:

  • Anomalous File / EXE from Rare External Location

Outbound beaconing to rare domains. Associated Darktrace models include:

  • Compromise / Agent Beacon (Medium Period)
  • Compromise / Agent Beacon (Long Period)
  • Compromise / Sustained TCP Beaconing Activity To Rare Endpoint
  • Compromise / Beacon to Young Endpoint
  • Anomalous Server Activity / Rare External from Server
  • Compromise / SSL Beaconing to Rare Destination

Unusual cryptocurrency mining activity. Associated Darktrace models include:

  • Compromise / Monero Mining
  • Compromise / High Priority Crypto Currency Mining

And model alerts for:

  • Compromise / Rare Domain Pointing to Internal IP

IT Defenders: As part of best practices, we highly recommend employing an automated containment solution in your environment. For Darktrace customers, please ensure that Autonomous Response is configured correctly. More guidance regarding this activity and suggested actions can be found in the Darktrace Customer Portal.  

Appendices

Potential indicators of post-exploitation behavior:

·      217.76.57[.]78 – IP address - Likely C2 server

·      hXXp://217.76.57[.]78:8009/index.js - URL -  Likely payload

·      b6a15e1f2f3e1f651a5ad4a18ce39d411d385ac7  - SHA1 - Likely payload

·      195.154.119[.]194 – IP address – Likely C2 server

·      hXXp://195.154.119[.]194/index.js - URL – Likely payload

·      avg.domaininfo[.]top – Hostname – Likely C2 server

·      104.234.174[.]5 – IP address - Possible C2 server

·      35da45aeca4701764eb49185b11ef23432f7162a – SHA1 – Possible payload

·      hXXp://134.122.13[.]34:8979/c - URL – Possible payload

·      134.122.13[.]34 – IP address – Possible C2 server

·      28df16894a6732919c650cc5a3de94e434a81d80 - SHA1 - Possible payload

References:

1.        https://nvd.nist.gov/vuln/detail/CVE-2026-1731

2.        https://www.securityweek.com/beyondtrust-vulnerability-targeted-by-hackers-within-24-hours-of-poc-release/

3.        https://www.rapid7.com/blog/post/etr-cve-2026-1731-critical-unauthenticated-remote-code-execution-rce-beyondtrust-remote-support-rs-privileged-remote-access-pra/

Continue reading
About the author
Emma Foulger
Global Threat Research Operations Lead
Your data. Our AI.
Elevate your network security with Darktrace AI