VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

    Date: 02/20/2026

    Severity: Medium

    Summary

    This advisory details active exploitation of a pre-authentication remote code execution (RCE) flaw in BeyondTrust Remote Support software that lets attackers execute OS-level commands and fully compromise affected systems. Observed activity includes reconnaissance, account creation, webshell deployment, C2 communications, lateral movement, and data exfiltration, with tools such as VShell and SparkRAT used to maintain persistent access. The campaign has impacted multiple sectors across several countries, and urgent remediation guidance followed the vulnerability's addition to CISA's Known Exploited Vulnerabilities (KEV) catalog, with thousands of exposed instances identified globally.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://temp.sh/tQTSs/storm.exe" or siteurl like "https://temp.sh/tQTSs/storm.exe" or url like "https://temp.sh/tQTSs/storm.exe" or domainname like "d65sb7ngveucv5k2nm508abdsjmbn7qmn.oast.pro" or siteurl like "d65sb7ngveucv5k2nm508abdsjmbn7qmn.oast.pro" or url like "d65sb7ngveucv5k2nm508abdsjmbn7qmn.oast.pro" or domainname like "https://raw.githubusercontent.com/nezhahq/scripts/main/agent/install.ps1" or siteurl like "https://raw.githubusercontent.com/nezhahq/scripts/main/agent/install.ps1" or url like "https://raw.githubusercontent.com/nezhahq/scripts/main/agent/install.ps1" or domainname like "https://transfer.weepee.io/7nZw7/blue.drx" or siteurl like "https://transfer.weepee.io/7nZw7/blue.drx" or url like "https://transfer.weepee.io/7nZw7/blue.drx" or domainname like "http://82.29.53.187:8778/app_cli" or siteurl like "http://82.29.53.187:8778/app_cli" or url like "http://82.29.53.187:8778/app_cli" or domainname like "https://64.95.10.115:23011/update.sh" or siteurl like "https://64.95.10.115:23011/update.sh" or url like "https://64.95.10.115:23011/update.sh" or domainname like "q0r2e5q2dzbykcox9qmkptm12s8mwb.oastify.com" or siteurl like "q0r2e5q2dzbykcox9qmkptm12s8mwb.oastify.com" or url like "q0r2e5q2dzbykcox9qmkptm12s8mwb.oastify.com" or domainname like "https://judiemkqjajsfzpidfjlowgl8nyrtd49x.oast.fun" or siteurl like "https://judiemkqjajsfzpidfjlowgl8nyrtd49x.oast.fun" or url like "https://judiemkqjajsfzpidfjlowgl8nyrtd49x.oast.fun" or domainname like "http://134.122.13.34:8979/c" or siteurl like "http://134.122.13.34:8979/c" or url like "http://134.122.13.34:8979/c" or domainname like "http://39uchxifap4cvgzsuirom0szrrg.d65lre9sfqnlcv49317gcis6pyjsatzho.oast.pro" or siteurl like "http://39uchxifap4cvgzsuirom0szrrg.d65lre9sfqnlcv49317gcis6pyjsatzho.oast.pro" or url like "http://39uchxifap4cvgzsuirom0szrrg.d65lre9sfqnlcv49317gcis6pyjsatzho.oast.pro" or domainname like "45.61.150.96/4444" or siteurl like "45.61.150.96/4444" or url like 
"45.61.150.96/4444" or domainname like "144.172.103.200/4444" or siteurl like "144.172.103.200/4444" or url like "144.172.103.200/4444" or domainname like "138.197.14.95/ws" or siteurl like "138.197.14.95/ws" or url like "138.197.14.95/ws" or domainname like "http://64.31.28.221/support" or siteurl like "http://64.31.28.221/support" or url like "http://64.31.28.221/support" or domainname like "aliyundunupdate.xyz:8084/slt" or siteurl like "aliyundunupdate.xyz:8084/slt" or domainname like "http://85.155.186.121/access" or siteurl like "http://85.155.186.121/access" or url like "http://85.155.186.121/access" or domainname like "https://85.155.186.121/access/Remote%20Access-linux64-offline.tar?language=en&app=76049110434275449312180081368257747094" or siteurl like "https://85.155.186.121/access/Remote%20Access-linux64-offline.tar?language=en&app=76049110434275449312180081368257747094" or url like "https://85.155.186.121/access/Remote%20Access-linux64-offline.tar?language=en&app=76049110434275449312180081368257747094" or domainname like "https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz" or siteurl like "https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz" or url like "https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz"

    Detection Query 2:

    dstipaddress IN ("155.2.215.64","82.29.53.187","142.111.152.50","23.162.40.187","144.172.103.200","83.138.53.139","179.43.146.42","134.122.13.34","178.128.212.209","37.19.221.180","45.61.150.96","70.23.0.66","82.29.72.16","85.155.186.121","92.223.44.134","98.10.233.76","138.197.14.95","45.61.150.96") or srcipaddress IN ("155.2.215.64","82.29.53.187","142.111.152.50","23.162.40.187","144.172.103.200","83.138.53.139","179.43.146.42","134.122.13.34","178.128.212.209","37.19.221.180","45.61.150.96","70.23.0.66","82.29.72.16","85.155.186.121","92.223.44.134","98.10.233.76","138.197.14.95","45.61.150.96")

    Detection Query 3:

    sha256hash IN ("679ee05d92a858b6fe70aeb6072eb804548f1732e18b6c181af122b833386afb","9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350","98a7b0900a9072bb40af579ec372da7b27af12b15868394df51fefe290ab176b","66cceb2c2f1d9988b501832fd3b559775982e2fce4ab38fc4ffe71b74eafc726","4762e944a0ce1f9aef243e11538f84f16b6f36560ed6e32dfd9a5f99e17e8e50","98442387d466f27357d727b3706037a4df12a78602b93df973b063462a677761","cc2bc3750cc5125a50466f66ae4f2bedf1cac0e43477a78ed2fd88f3e987a292","cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce","0ecc867ce916d01640d76ec03de24d1d23585eb582e9c48a0364c62a590548ac")
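    The three queries above are plain OR-chains of `like` and `IN` tests, so they can be evaluated outside the platform for triage or for testing a log pipeline. The following is an added example, not Gurucul's query engine: it parses the two query shapes used on this page, runs shortened forms of Query 1 and Query 2 over constructed sample events, and adds an indicator-quality check that flags the one listed hash equal to a digest of empty input (the SHA-512 of zero bytes truncated to 64 hex characters), which would otherwise match every empty file. The event field names, the reading of `like` as a case-insensitive substring test, and the sample events are assumptions.

```python
import hashlib
import re

# The advisory's queries use `field like "value"` clauses joined by `or`, and `field IN ("v1","v2")`.
LIKE_RE = re.compile(r'(\w+)\s+like\s+"([^"]*)"', re.IGNORECASE)
IN_RE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)

def parse_query(query):
    """Return a list of (field, indicator, exact) tests; the query is the OR of all of them."""
    tests = []
    for field, value in LIKE_RE.findall(query):
        tests.append((field.lower(), value, False))   # assumption: `like` = substring match
    for field, values in IN_RE.findall(query):
        for value in values.split(","):
            value = value.strip().strip('"')
            if value:
                tests.append((field.lower(), value, True))  # IN = exact match
    return tests

def match_event(event, tests):
    """Return the indicators that hit in one event (a dict of field -> observed value)."""
    hits = set()
    for field, ioc, exact in tests:
        seen = str(event.get(field, "")).lower()
        if seen and (seen == ioc.lower() if exact else ioc.lower() in seen):
            hits.add(ioc)
    return sorted(hits)

def scan(events, queries):
    """Run every query over every event; return (event index, hits) for events with at least one hit."""
    tests = [t for q in queries for t in parse_query(q)]
    return [(i, h) for i, ev in enumerate(events) for h in [match_event(ev, tests)] if h]

def is_empty_input_hash(hexdigest):
    """True for a digest of zero bytes (SHA-256, or SHA-512 cut to 64 hex chars): noise in a blocklist."""
    return hexdigest.lower() in {hashlib.sha256(b"").hexdigest(), hashlib.sha512(b"").hexdigest()[:64]}

# Shortened versions of Query 1 and Query 2 from the advisory (indicator values are the page's).
QUERY_URLS = ('domainname like "https://temp.sh/tQTSs/storm.exe" or url like "https://temp.sh/tQTSs/storm.exe" '
              'or url like "http://134.122.13.34:8979/c"')
QUERY_IPS = ('dstipaddress IN ("45.61.150.96","144.172.103.200") '
             'or srcipaddress IN ("45.61.150.96","144.172.103.200")')

# Constructed sample events (not from the advisory); field names follow the queries.
EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "144.172.103.200", "url": ""},
    {"srcipaddress": "10.0.0.7", "dstipaddress": "93.184.216.34", "url": "https://temp.sh/tQTSs/storm.exe"},
    {"srcipaddress": "10.0.0.9", "dstipaddress": "145.61.150.96", "url": "https://example.com/index.html"},
]
```

    The third sample event shows why the IP clauses must stay exact: a substring test on "45.61.150.96" would also fire on the unrelated 145.61.150.96.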

    Reference:

    https://unit42.paloaltonetworks.com/beyondtrust-cve-2026-1731/


    Tags

    Malware, Vulnerability, CVE-2026, VShell, RAT, Exploit, Exfiltration
