VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)
ID: b6a6ae81-b7ff-58ef-9c17-cef0914647c3
STIX ID: report--b6a6ae81-b7ff-58ef-9c17-cef0914647c3
Feed Name: Palo Alto Networks Unit 42
Unit 42 reports active exploitation of CVE-2026-1731, a critical (CVSS 9.9) pre-authentication RCE in BeyondTrust Remote Support's thin-scc-wrapper that lets attackers execute OS commands as the site user. Observed post-exploitation activity includes account creation, webshell deployment, C2 traffic, backdoors (SparkRAT, VShell), lateral movement and data exfiltration across multiple sectors and countries. Hundreds to thousands of instances are potentially exposed; the report provides detailed IoCs and mitigation guidance.
