Arctic Wolf has observed malicious activities in the wild tied to suspected exploitation of CVE-2026-1731 of self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments.

ArcticWolf's platform is a central hub for cybersecurity professionals, offering insights into managed detection and response (MDR), threat intelligence, and security operations. Through articles, reports, and webinars, ArcticWolf offers insights into detecting and responding to cybersecurity threats effectively. Security analysts can learn about threat hunting, incident response strategies, and security best practices to protect organizations from cyberattacks.

Arctic Wolf

Arctic Wolf detected active exploitation of CVE-2026-1731 in self-hosted BeyondTrust Remote Support and Privileged Remote Access deployments. Attackers are deploying SimpleHelp RMM for persistence, creating domain admin accounts, performing Active Directory discovery, and using PSexec for lateral movement. Cloud customers were auto-patched on February 2, 2026, but self-hosted customers must manually apply patches. Managed Detection and Response detections are in place to identify this campaign.

Update: Arctic Wolf Observes Threat Campaign Targeting BeyondTrust Remote Support Following CVE-2026-1731 PoC Availability