VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

A critical remote code execution vulnerability (CVE-2026-1731) in BeyondTrust remote support software is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary OS commands with high privileges. Observed attacker activities include network reconnaissance, account creation, webshell deployment, C2 traffic, backdoor installation, lateral movement, and data theft. Affected sectors include finance, legal, technology, education, retail, and healthcare across multiple countries. Attackers are using tools like SparkRAT, VShell, and custom scripts for exploitation. The vulnerability is related to a similar one from 2024, highlighting the need for improved input validation and defense-in-depth strategies for remote access platforms.

Pulse ID: 6997aaa340e2e5c6cdac145f
Pulse Link: https://otx.alienvault.com/pulse/6997aaa340e2e5c6cdac145f
Pulse Author: AlienVault
Created: 2026-02-20 00:28:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #DataTheft #Education #Healthcare #InfoSec #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #Rust #Vulnerability #bot #AlienVault