The RMM Trap: Definitive Defensive Playbook Against RMM Platform Exploitation and Lateral Movement
CVE-2026-1731 + The Gentlemen Ransomware Kill Chain — April 2026
TL;DR
Remote Monitoring and Management (RMM) platforms were designed to give IT administrators God-mode access to every endpoint in an organization. When attackers own the RMM, they own everything it touches. CVE-2026-1731 — a critical unauthenticated RCE in BeyondTrust's Bomgar RMM — has been actively exploited since February 2026, turning MSP and enterprise RMM infrastructure into ransomware launchpads. The Gentlemen RaaS group is running a textbook post-exploitation chain: SystemBC SOCKS5 proxy → Cobalt Strike → Mimikatz credential harvesting → GPO-based domain-wide ransomware deployment. With 1,570+ confirmed corporate victims in the SystemBC botnet and LockBit LB3 and The Gentlemen lockers confirmed in the wild against patched and unpatched systems alike, this is an active mass-casualty event. This playbook tells you exactly how to detect each phase and respond faster than the attackers can pivot.
Background
Why RMM Is the Perfect Attack Target
RMM platforms sit at the apex of enterprise access hierarchies. They typically run as SYSTEM or root, maintain persistent connections to every managed endpoint, bypass most endpoint controls by design, and are trusted by network monitoring stacks to generate high volumes of legitimate traffic. For an attacker, compromising an RMM server is equivalent to getting hired as a sysadmin without the background check.
The attack surface has grown dramatically alongside MSP consolidation. A single Bomgar or ConnectWise server can have privileged access to hundreds of client environments — making one critical RCE into a multi-tenant catastrophe.
CVE-2026-1731: BeyondTrust Bomgar RMM Unauthenticated RCE
CVE: CVE-2026-1731
CVSS: 9.8 (Critical)
Vendor: BeyondTrust (Bomgar)
Disclosed: February 2026
Status: Actively exploited in the wild
Affected versions: Bomgar RMM prior to the February 2026 patch release
The vulnerability resides in Bomgar's web-facing API endpoint, where insufficient input validation allows an unauthenticated remote attacker to achieve arbitrary code execution in the context of the RMM service process — which typically runs with SYSTEM-level privileges on Windows. There is no authentication requirement: the exploit chain works against the default installation without credentials.
Within 48 hours of disclosure, Huntress SOC began logging exploitation waves. Threat actors identified the vulnerability as a near-perfect initial access vehicle: a single server compromise translates directly into operator-grade access across all managed endpoints.
The exploitation wave of mid-to-late April 2026 correlated directly with The Gentlemen RaaS affiliate activity and with the group's toolchain: SystemBC proxy malware, Cobalt Strike, Mimikatz, and its Go-based multi-OS lockers.
Technical Analysis
Phase 1: Initial Access via CVE-2026-1731
Attackers initiate contact with the Bomgar RMM web API. The exploit sends a crafted HTTP request to a vulnerable endpoint, triggering unsanitized deserialization or command injection (exact technical details subject to responsible disclosure timing). The result is OS command execution as SYSTEM without valid credentials.
What happens in the first 90 seconds:
- A PowerShell or cmd.exe process spawns under the Bomgar service context
- A staging directory is created (often %TEMP% or C:\ProgramData\[random])
- A dropper downloads the first-stage payload via HTTPS from attacker infrastructure
- The Bomgar event log may show a session creation event with an anomalous source IP
Observable artifacts at exploitation:
Process: BomgarRMM.exe → spawns → powershell.exe -encodedcommand [base64]
Network: POST to /api/[vulnerable-endpoint] from external IP
File: C:\ProgramData\[8-char-random]\[payload].exe created
Registry: Run key or scheduled task for persistence
Phase 2: SystemBC Deployment and SOCKS5 Tunneling
SystemBC is a sophisticated proxy malware that has been operational in ransomware ecosystems since 2020. In The Gentlemen affiliate campaigns observed by Check Point Research, SystemBC is deployed immediately after initial access to establish a covert C2 channel before EDR tools can react.
Technical characteristics of SystemBC:
- Establishes SOCKS5 proxy tunnels from victim to C2 infrastructure
- Uses a custom RC4-encrypted protocol for C2 communications (not standard SOCKS5 wire format)
- Can receive and execute additional payloads — either written to disk or injected directly into memory via process hollowing
- Typically targets 443 or 8443 as outbound ports to blend with HTTPS traffic
- Communicates with hardcoded C2 IPs embedded in the binary (not domain-based — DNS blocking is ineffective alone)
The SystemBC C2 server observed in the April 2026 Gentlemen campaign had enrolled over 1,570 unique victims, the majority in corporate environments — consistent with MSP supply-chain infection patterns where one Bomgar compromise spawns dozens of downstream client infections.
Detection signatures for SystemBC:
- Unexpected outbound SOCKS5 connections from server processes
- RC4-pattern encrypted traffic on port 443/8443 that doesn't match TLS handshake structure
- Child processes of Bomgar/RMM service processes making outbound network connections
- SystemBC YARA rule (published by Check Point Research, April 20, 2026)
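The second and third signatures above (non-TLS encrypted bytes on a TLS port, from an RMM-spawned process) can be reduced to a first-packet triage check. The following is an added example, not code from this playbook or from Check Point's tooling: it tests whether the opening bytes of an outbound flow on 443/8443 form a TLS ClientHello record and, when they do not, whether the payload's byte entropy looks encrypted. The sample payloads are constructed, and the port set and entropy threshold are assumptions to tune against your own traffic.

```python
"""Triage the first payload bytes of outbound flows on 443/8443.

Added example; samples are constructed and thresholds are assumptions.
"""
import math
import random

TLS_PORTS = {443, 8443}
ENTROPY_THRESHOLD = 6.0   # assumption: bits/byte above which a payload is treated as encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_tls_handshake(payload: bytes) -> bool:
    """True if the bytes start a TLS record (type 0x16, version 3.1-3.3) carrying a ClientHello (0x01)."""
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_type = payload[5]
    return (content_type == 0x16 and major == 0x03 and 1 <= minor <= 3
            and record_len > 0 and handshake_type == 0x01)


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Return 'tls', 'suspect-non-tls-encrypted' or 'other' for one flow.

    The SystemBC shape from the text: high-entropy bytes on a TLS port that
    never begin with a TLS handshake.
    """
    if dst_port not in TLS_PORTS:
        return "other"
    if looks_like_tls_handshake(payload):
        return "tls"
    if shannon_entropy(payload) >= ENTROPY_THRESHOLD:
        return "suspect-non-tls-encrypted"
    return "other"


# --- constructed samples ---------------------------------------------------
# Minimal TLS 1.2 ClientHello record header followed by filler bytes.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 40
# Plain HTTP sent to 8443 (misconfigured, but not encrypted).
PLAIN_HTTP = b"GET /healthz HTTP/1.1\r\nHost: rmm.internal.example\r\n\r\n"
# Pseudo-random bytes standing in for a custom RC4-style C2 stream; the seed
# only makes the example repeatable and carries no meaning.
RC4_LIKE = random.Random(1731).randbytes(512)

SAMPLE_FLOWS = [  # (source host, destination port, first payload bytes), all constructed
    ("10.0.5.21", 443, TLS_HELLO),
    ("10.0.5.21", 8443, PLAIN_HTTP),
    ("10.0.5.21", 443, RC4_LIKE),
    ("10.0.5.21", 80, RC4_LIKE),
]


def triage(flows=SAMPLE_FLOWS):
    """Classify every flow; returns (source, port, verdict) tuples."""
    return [(src, port, classify_flow(port, payload)) for src, port, payload in flows]


if __name__ == "__main__":
    for src, port, verdict in triage():
        print(f"{src}:{port} -> {verdict}")
```

Feed it the first payload bytes of each new TCP connection from a packet capture, keyed by the source process where your sensor provides it. A hit means "not TLS but high entropy" and is a triage signal rather than proof of SystemBC, since custom VPN and agent protocols produce the same shape; the value is in correlating it with the RMM child-process indicator from the same host.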
Phase 3: Cobalt Strike Beacon Staging
Once SystemBC establishes a stable covert tunnel, the affiliate loads a Cobalt Strike beacon through the SOCKS5 proxy. This provides the attacker with:
- Interactive C2 with a low-and-slow heartbeat (default: 60s, customized to 120-300s in these campaigns)
- Built-in post-exploitation modules: credential harvesting, privilege escalation, lateral movement
- Traffic blending via malleable C2 profiles designed to mimic legitimate SaaS or CDN traffic
Cobalt Strike detection vectors in this campaign:
- Beacon process injection into svchost.exe, explorer.exe, or RuntimeBroker.exe
- Named pipe communication patterns (default: \\.\pipe\MSSE-[random])
- Memory-resident shellcode without corresponding disk artifacts (fileless indicator)
- HTTP/S C2 traffic with suspicious JA3/JA3S fingerprints
- Sleep jitter patterns inconsistent with legitimate application behavior
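Two of these vectors, the default MSSE named pipe and the sleep-jitter pattern, can be checked mechanically. The block below is an added example rather than code from this playbook: a pattern check for the default pipe name shape quoted in the IOC table, and a jitter-tolerant callback-interval analysis that scores how many intervals between connections sit near their median. Timestamps and pipe names are constructed; the tolerance, minimum sample count and score threshold are assumptions.

```python
"""Cobalt Strike tradecraft checks: default pipe name and beacon-interval regularity.

Added example; samples are constructed and thresholds are assumptions.
"""
import re
import statistics

# Default Cobalt Strike pipe shape from the IOC table: \\.\pipe\MSSE-<number>-server
DEFAULT_CS_PIPE = re.compile(r"^\\\\\.\\pipe\\MSSE-\d+-server$", re.IGNORECASE)

JITTER_TOLERANCE = 0.35   # assumption: intervals within +/-35% of the median count as "on schedule"
MIN_CALLBACKS = 8         # assumption: fewer samples than this cannot be called a beacon


def is_default_cs_pipe(pipe_name: str) -> bool:
    """True for a pipe name matching the default MSSE-<n>-server pattern."""
    return DEFAULT_CS_PIPE.match(pipe_name) is not None


def beacon_score(timestamps):
    """Return (fraction of intervals near the median, median interval in seconds).

    A beacon sleeping 180s with 20% jitter yields intervals of 144-216s, all
    within tolerance; interactive user traffic yields scattered intervals.
    Too few samples score 0.0 rather than guessing.
    """
    ts = sorted(timestamps)
    if len(ts) < MIN_CALLBACKS:
        return 0.0, 0.0
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(intervals)
    if med <= 0:
        return 0.0, med
    on_schedule = sum(1 for i in intervals if abs(i - med) / med <= JITTER_TOLERANCE)
    return on_schedule / len(intervals), med


def is_beaconing(timestamps, threshold=0.8):
    """Decision wrapper: beacon-like when most intervals are on schedule."""
    score, _ = beacon_score(timestamps)
    return score >= threshold


def _cumulative(start, gaps):
    """Turn a list of gaps into absolute timestamps beginning at `start`."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# --- constructed samples ---------------------------------------------------
# Beacon: 180s sleep with hand-picked jitter offsets between -20% and +20%.
_JITTER = [0.0, 0.12, -0.08, 0.19, -0.15, 0.03, -0.2, 0.17, 0.05, -0.11]
BEACON_TS = _cumulative(1_700_000_000.0, [180 * (1 + j) for j in _JITTER])
# Human browsing session: bursty, irregular gaps in seconds.
_HUMAN_GAPS = [2, 0.5, 47, 3, 610, 1, 1, 95, 8, 1200]
HUMAN_TS = _cumulative(1_700_000_000.0, _HUMAN_GAPS)

if __name__ == "__main__":
    print("pipe match:", is_default_cs_pipe(r"\\.\pipe\MSSE-4327-server"))
    print("beacon   :", beacon_score(BEACON_TS))
    print("human    :", beacon_score(HUMAN_TS))
```

Run beacon_score per (source host, destination) pair over a window of proxy or firewall connection logs; a high score whose median falls in the 120-300 second range quoted above deserves a look. The pipe check applies to Sysmon pipe-creation and pipe-connection records (Event IDs 17 and 18), giving a second, independent signal from the same host.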
Phase 4: Credential Harvesting with Mimikatz
Following C2 establishment, the affiliate runs Mimikatz for LSASS memory extraction. In the incident investigated by Check Point Research, Mimikatz output recovered from memory on compromised hosts showed access to:
- Domain accounts with administrative privileges
- Stored credentials from Windows Credential Manager (browser-saved passwords, mapped drive credentials, scheduled task credentials)
- Kerberos tickets suitable for pass-the-ticket lateral movement
- A hardcoded backdoor account added by the attacker using the password Camry@12345
The use of a static fallback credential (Camry@12345) is operationally significant: it means even if SystemBC is blocked, the attacker has established an alternative administrative access mechanism using a predictable password — an extremely detectable IOC if you're hunting for it.
Phase 5: Domain Controller Compromise and GPO Abuse
With domain credentials in hand, the affiliate moves to the Domain Controller. The attack chain progresses:
1. Pass-the-hash or pass-the-ticket lateral movement to the DC using harvested NTLM hashes or Kerberos tickets
2. Domain administrator account access — either via extracted credentials or token impersonation
3. Group Policy Object (GPO) creation or modification to push malware to all domain-joined endpoints simultaneously
The GPO payload in Gentlemen campaigns includes:
- A PowerShell script that disables Windows Defender real-time monitoring
- Broad exclusion additions to Defender (staging share, process paths)
- Windows Firewall shutdown via netsh advfirewall set allprofiles state off
- SMB1 re-enablement via Set-SmbServerConfiguration -EnableSMB1Protocol $true (restoring an attack vector Microsoft disabled by default)
- LSA anonymous access loosening (registry modification enabling unauthenticated SAM enumeration)
This five-command PowerShell sequence — executed via GPO simultaneously across hundreds of endpoints — is the most operationally significant detection opportunity in the entire chain. If you catch it, you catch everything downstream.
Phase 6: Multi-Platform Ransomware Deployment
The Gentlemen RaaS provides affiliates with a complete locker portfolio:
- Windows/Linux/NAS/BSD: Go-based lockers with cross-platform compilation
- ESXi: C-language locker specifically optimized for VMware hypervisors (where a single encrypted VM is catastrophic)
Deployment follows the GPO execution: the ransomware binary is placed on a staging share, then executed on all GPO-affected endpoints simultaneously. The multi-platform support means organizations running mixed environments face simultaneous Windows, Linux, and ESXi encryption — a complexity that overwhelms most IR teams operating serially.
IOCs / Indicators
Network Indicators
| Type | Value | Context |
|------|-------|---------|
| C2 Protocol | RC4-encrypted SOCKS5 on TCP/443, TCP/8443 | SystemBC C2 channel |
| Cobalt Strike | JA3: a0e9f5d64349fb13191bc781f81f42e1 | Known CS JA3 fingerprint (malleable) |
| Backdoor credential | Password: Camry@12345 | Static attacker-added local admin |
| SMB | SMB1 traffic on TCP/445 | Re-enabled by attacker GPO script |
Host Indicators
| Type | Value | Context |
|------|-------|---------|
| Process tree | BomgarRMM.exe → powershell.exe | Initial exploitation |
| PowerShell commands | Set-MpPreference -DisableRealtimeMonitoring $true | Defender disable |
| PowerShell commands | Set-SmbServerConfiguration -EnableSMB1Protocol $true | SMB1 re-enable |
| PowerShell commands | netsh advfirewall set allprofiles state off | Firewall disable |
| Registry | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 0 | LSA loosening |
| File path | C:\ProgramData\[8-random-chars]\ | SystemBC/CS staging directory |
| Named pipe | \\.\pipe\MSSE-[random]-server | Cobalt Strike default pipe |
| YARA | Check Point Research SystemBC YARA rule (April 20, 2026) | SystemBC binary detection |
Active Exploitation Scope
- Bomgar RMM instances exposed to the internet without the February 2026 patch
- LockBit LB3 and The Gentlemen lockers confirmed as ransomware payloads
- ESXi environments at elevated risk due to The Gentlemen's dedicated C-language ESXi locker
Lyrie Verdict
Threat level: CRITICAL — Active mass-exploitation in MSP and enterprise environments.
This attack chain is notable for three reasons Lyrie's research team considers structurally important:
1. The RMM vector eliminates perimeter security entirely. CVE-2026-1731 doesn't need phishing, credential theft, or social engineering. It goes directly from internet to SYSTEM. Every organization using Bomgar without the February patch is compromised-by-default until proven otherwise.
2. The GPO weaponization is machine-speed — humans can't intercept it manually. Once the attacker reaches a Domain Controller, the 90-second GPO execution window is too fast for human-in-the-loop SOC response. The simultaneous Defender disablement, SMB1 re-enable, firewall shutdown, and ransomware deployment across all endpoints exceeds human reaction time by design. Autonomous detection at the GPO modification event — not after ransomware artifacts appear — is the only viable response posture.
3. The Camry@12345 backdoor is a gift to defenders. Static attacker credentials are rare in mature ransomware operations. The presence of a hardcoded password suggests either affiliate laziness or operational speed pressure — either way, hunting for this credential across your AD accounts and Windows Credential Manager entries is a rapid infection indicator with near-zero false positives.
Lyrie's autonomous detection model flags the Phase 5 PowerShell GPO sequence within milliseconds of execution — before a single endpoint is affected downstream. This is exactly the machine-speed defense architecture that the current threat environment demands.
Defender Playbook
Immediate Actions (0-4 Hours)
1. Patch CVE-2026-1731 or take Bomgar offline
```text
# Verify Bomgar version: check the vendor advisory for the patched version string
# If unpatched and internet-facing: block all inbound access immediately
# Firewall rule: deny all inbound to the Bomgar web API port (default 6568/TCP and 443/TCP)
```
2. Audit for active compromise indicators
```powershell
# Enumerate enabled local accounts; an unfamiliar name with a recent PasswordLastSet is the backdoor candidate
Get-LocalUser | Where-Object { $_.Enabled -eq $true } |
    Select-Object Name, LastLogon, PasswordLastSet | Sort-Object PasswordLastSet -Descending
# Corroborate with Security log event 4720 (user account created); Properties[0] is the new account name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[0].Value } }
# cmdkey /list shows stored target names and user names only, never the secret itself,
# so hunt for unfamiliar entries rather than grepping for the password
cmdkey /list
# Check Defender status across endpoints (via RMM or PSRemoting)
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled
```
3. Check for SMB1 re-enablement
```powershell
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
# Should be False; if True, assume compromise and begin IR
```
4. Audit Windows Firewall state
```powershell
netsh advfirewall show allprofiles state
# Any profile showing "off" on a server: immediate escalation
```
5. Hunt for SystemBC network patterns
```text
# SIEM query: outbound connections from the RMM service process on non-standard ports
# Zeek/Suricata: flag RC4-pattern encrypted flows on 443/8443 without a valid TLS handshake
# Threat hunt: process-level netstat on servers; any SOCKS5 listener is suspect
```
Detection Engineering (Deploy These Now)
Sigma rule — GPO PowerShell Defender disable:
```yaml
title: Defender Disabled via PowerShell GPO Script
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'DisableRealtimeMonitoring $true'
      - 'Set-MpPreference -Disable'
      - 'EnableSMB1Protocol $true'
      - 'advfirewall set allprofiles state off'
  condition: selection
level: critical
tags:
  - attack.defense_evasion
  - attack.t1562.001
```
Sigma rule — LSASS memory access (Mimikatz pattern):
```yaml
title: Suspicious LSASS Access for Credential Dumping
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage: 'C:\Windows\System32\lsass.exe'
    GrantedAccess:
      - '0x1010'
      - '0x1410'
      - '0x1438'
      - '0x143a'
  filter:
    SourceImage:
      - 'C:\Windows\System32\werfault.exe'
      - 'C:\Windows\System32\WerFaultSecure.exe'
  condition: selection and not filter
level: high
```
Sigma rule — RMM service spawning unexpected child process:
```yaml
title: RMM Service Anomalous Child Process
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|contains:
      - 'bomgar'
      - 'BomgarRMM'
      - 'bgserv'
    Image|contains:
      - 'powershell'
      - 'cmd.exe'
      - 'wscript'
      - 'cscript'
      - 'mshta'
  condition: selection
level: critical
```
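To see how these three rules behave against the Phase 1 process tree (BomgarRMM.exe spawning powershell.exe) and the Phase 5 GPO command line, here is an added example that is neither this playbook's code nor the Sigma project's reference implementation. It evaluates only the subset of Sigma the rules above use (exact match, the |contains modifier, list-OR values, AND across fields, and the conditions "selection" and "selection and not filter") with Sigma's case-insensitive matching, and runs it over hand-made Sysmon-style events. The event records, file paths and the category field used for routing are constructed.

```python
"""Evaluate the three Sigma rules from the playbook over constructed events.

Added example: a deliberately small evaluator, not a Sigma backend.
"""

RULES = [
    {"title": "Defender Disabled via PowerShell GPO Script", "category": "process_creation",
     "detection": {"selection": {"CommandLine|contains": [
                       "DisableRealtimeMonitoring $true", "Set-MpPreference -Disable",
                       "EnableSMB1Protocol $true", "advfirewall set allprofiles state off"]},
                   "condition": "selection"}},
    {"title": "Suspicious LSASS Access for Credential Dumping", "category": "process_access",
     "detection": {"selection": {"TargetImage": r"C:\Windows\System32\lsass.exe",
                                 "GrantedAccess": ["0x1010", "0x1410", "0x1438", "0x143a"]},
                   "filter": {"SourceImage": [r"C:\Windows\System32\werfault.exe",
                                              r"C:\Windows\System32\WerFaultSecure.exe"]},
                   "condition": "selection and not filter"}},
    {"title": "RMM Service Anomalous Child Process", "category": "process_creation",
     "detection": {"selection": {"ParentImage|contains": ["bomgar", "BomgarRMM", "bgserv"],
                                 "Image|contains": ["powershell", "cmd.exe", "wscript", "cscript", "mshta"]},
                   "condition": "selection"}},
]


def _field_matches(spec_key, expected, event):
    """One Sigma field spec ('Field' or 'Field|contains'); list values are OR-ed, compared case-insensitively."""
    field, _, modifier = spec_key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and value == actual:
            return True
    return False


def _block_matches(block, event):
    """A selection/filter block matches when every field in it matches (AND)."""
    return all(_field_matches(k, v, event) for k, v in block.items())


def rule_matches(rule, event):
    """Apply a rule to one event; 'category' stands in for Sigma's logsource routing."""
    if event.get("category") != rule["category"]:
        return False
    det = rule["detection"]
    sel = _block_matches(det["selection"], event)
    if det["condition"] == "selection":
        return sel
    if det["condition"] == "selection and not filter":
        return sel and not _block_matches(det["filter"], event)
    raise ValueError(f"unsupported condition: {det['condition']}")


def run_rules(events, rules=RULES):
    """Return (rule title, event id) pairs for every hit, in event order."""
    return [(r["title"], e["id"]) for e in events for r in rules if rule_matches(r, e)]


# Constructed events mirroring the phases described in the article.
SAMPLE_EVENTS = [
    {"id": 1, "category": "process_creation",                      # Phase 1: RMM service spawns PowerShell
     "ParentImage": r"C:\Program Files\Bomgar\BomgarRMM.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -encodedcommand SQBFAFgA"},
    {"id": 2, "category": "process_creation",                      # Phase 5: GPO startup script
     "ParentImage": r"C:\Windows\System32\gpscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File \\\\dc01\\netlogon\\prep.ps1 Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 3, "category": "process_access",                        # benign: crash reporter reads LSASS (filtered)
     "SourceImage": r"C:\Windows\System32\WerFaultSecure.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"id": 4, "category": "process_access",                        # Phase 4: unknown binary reads LSASS
     "SourceImage": r"C:\Users\svc_rmm\AppData\Local\Temp\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"id": 5, "category": "process_creation",                      # benign user activity
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for title, eid in run_rules(SAMPLE_EVENTS):
        print(f"event {eid}: {title}")
```

Event 3 shows why the filter matters: the LSASS selection matches, but the WerFaultSecure.exe source is excluded, so only the unknown binary in event 4 fires. For production use, convert the rules with the real sigma-cli backends for your SIEM; this evaluator exists to make the matching semantics visible before you deploy them.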
Containment (Active Incident)
If exploitation confirmed:
1. Isolate the Bomgar server immediately — do not power off (preserve forensics), but firewall all inbound/outbound
2. Revoke all active RMM sessions — the attacker's session is indistinguishable from legitimate ones until the server is isolated
3. Force password reset on all domain accounts — especially any with DA or local admin rights, prioritizing those touched by Mimikatz (check 4624/4625 event logs for credential usage patterns matching the attack timeline)
4. Block SMB1 at the firewall tier — even if re-enabled by the attacker, reduce blast radius
5. Audit all GPOs modified in the past 72 hours:
```powershell
# Requires the GroupPolicy module (RSAT); run on a DC or a management host with domain access
Get-GPO -All | Where-Object { $_.ModificationTime -gt (Get-Date).AddHours(-72) } |
    Select-Object DisplayName, ModificationTime, Id
```
6. Deploy the Check Point SystemBC YARA rule across all endpoints via your AV/EDR platform
7. Hunt for the Camry@12345 credential in Active Directory and local accounts
Long-Term Hardening
| Control | Implementation | Priority |
|---------|---------------|----------|
| RMM network isolation | Place RMM server in dedicated VLAN, restrict internet exposure via allowlist | P0 |
| RMM authentication | Enforce MFA for all RMM console access, even internal | P0 |
| GPO change alerting | Alert on any GPO creation or modification via SIEM/SOAR | P0 |
| SMB1 permanent disable | Group Policy: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | P1 |
| LSA protection | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL = 1 (mitigates Mimikatz LSASS access) | P1 |
| Credential Guard | Enable via UEFI/Group Policy — prevents credential extraction from LSASS memory | P1 |
| EDR tuning | Ensure EDR has tamper protection enabled — the GPO script targets Defender but tamper-protected EDR survives | P1 |
| RMM access reviews | Quarterly audit of which endpoints each RMM account can reach | P2 |
| Deception | Deploy honeypot RMM credentials — any authentication with a fake RMM credential = active threat hunt | P2 |
Sources
1. Check Point Research — "DFIR Report: The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy" (April 20, 2026): https://research.checkpoint.com/2026/dfir-report-the-gentlemen/
2. BleepingComputer — "The Gentlemen ransomware now uses SystemBC for bot-powered attacks" (April 22, 2026): https://www.bleepingcomputer.com/news/security/the-gentlemen-ransomware-now-uses-systembc-for-bot-powered-attacks/
3. TechJack Solutions — "CVE-2026-1731: Active RCE Exploitation in Bomgar RMM Turns Privileged Access into Ransomware Launchpad": https://techjacksolutions.com/scc-intel/cve-2026-1731-active-rce-exploitation-in-bomgar-rmm-turns-privileged-access-into-ransomware-launchpad/
4. PurpleOps Ransomware Activity Tracker 2026 — Q2 April 21 Edition: https://purple-ops.io/blog/ransomware-victims-q2-apr-21
5. NCSA Thailand Cyber Threat Intelligence — April 22, 2026 Bulletin: https://webboard-nsoc.ncsa.or.th/topic/2816/cyber-threat-intelligence-22-april-2026
6. Dark Reading — "Surge in Bomgar RMM Exploitation Demonstrates Supply Chain Risk": https://www.darkreading.com/cyberattacks-data-breaches/surge-bomgar-rmm-exploitation-demonstrates-supply-chain-risk
Lyrie.ai Cyber Research Division — Senior Analyst Desk