A newly documented post-exploitation tool called BeigeBurrow has been identified in active intrusions following exploitation of CVE-2026-33826, the Windows Active Directory remote code execution vulnerability patched in Microsoft’s April 2026 Patch Tuesday update. BeigeBurrow is a Go-based Windows binary that establishes a persistent, multiplexed covert relay channel over port 443 using HashiCorp’s open-source Yamux library, enabling attackers to maintain command-and-control communications that blend into enterprise encrypted traffic and evade domain-based blocking.
CVE-2026-33826: Exploitation Confirmed in the Wild
CVE-2026-33826 is an improper input validation vulnerability in the Windows Active Directory RPC service that allows an authenticated attacker with low privileges to execute arbitrary code over an adjacent network, without user interaction. Microsoft rated it CVSS 8.8 and patched it in the April 15, 2026 Patch Tuesday release.
A proof-of-concept was published on April 16, 2026 — one day after the patch. As of April 21, 2026, exploitation in active intrusions has been confirmed. The attack requires the attacker to be network-adjacent to the domain controller and authenticated to the domain (low-privilege credentials are sufficient), making it accessible to any threat actor who has obtained a valid domain account, a common prerequisite in enterprise intrusions.
BeigeBurrow Technical Profile
BeigeBurrow is a Go-compiled Windows PE binary typically named agent.exe. Its command-and-control mechanism uses HashiCorp’s Yamux, a Go multiplexing library designed for legitimate distributed systems use, to create multiple logical streams over a single TCP connection to an attacker-controlled relay. The connection exits over port 443 — standard HTTPS traffic — and the Yamux framing is carried inside what looks like ordinary TLS traffic to any network inspection tool that does not decrypt and inspect the session.
Observed characteristics:
- Outbound TCP port 443 connections from the process agent.exe to external IP addresses not matching known SaaS or cloud provider ranges
- Long-lived persistent connections (hours to days) that do not correspond to interactive browsing or application traffic patterns
- Internal discovery activity originating from the BeigeBurrow process following successful relay establishment — the attacker begins Active Directory enumeration and lateral movement once the C2 channel is confirmed
At least two separate enterprise intrusions have confirmed BeigeBurrow activity, with internal AD reconnaissance proceeding within minutes of initial relay establishment.
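The Yamux framing described above is a fixed 12-byte header per frame: version, type, flags, stream ID and length, all big-endian, as laid out in the public Yamux specification. The parser below is an added example written for this article; it is not BeigeBurrow's code or HashiCorp's library, and its sample session and non-Yamux samples are constructed. Because the framing travels inside TLS, a check like this only applies to payloads that have already been decrypted, for example at an inspecting proxy in front of the domain controllers.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

# Yamux header layout (public HashiCorp Yamux spec), all fields big-endian:
#   version(1) | type(1) | flags(2) | stream_id(4) | length(4)
YAMUX_HEADER_LEN = 12
YAMUX_VERSION = 0
TYPE_DATA, TYPE_WINDOW_UPDATE, TYPE_PING, TYPE_GOAWAY = 0, 1, 2, 3
TYPE_NAMES = {TYPE_DATA: "Data", TYPE_WINDOW_UPDATE: "WindowUpdate",
              TYPE_PING: "Ping", TYPE_GOAWAY: "GoAway"}
FLAG_SYN, FLAG_ACK, FLAG_FIN, FLAG_RST = 0x1, 0x2, 0x4, 0x8
FLAG_NAMES = {FLAG_SYN: "SYN", FLAG_ACK: "ACK", FLAG_FIN: "FIN", FLAG_RST: "RST"}
VALID_FLAG_MASK = FLAG_SYN | FLAG_ACK | FLAG_FIN | FLAG_RST


@dataclass
class YamuxFrame:
    ftype: int
    flags: int
    stream_id: int
    length: int      # payload length for Data; window delta / ping value / error code otherwise
    payload: bytes   # only Data frames carry a payload

    def type_name(self) -> str:
        return TYPE_NAMES[self.ftype]

    def flag_names(self) -> List[str]:
        return [name for bit, name in FLAG_NAMES.items() if self.flags & bit]

    def wire_size(self) -> int:
        return YAMUX_HEADER_LEN + len(self.payload)


def parse_frame(buf: bytes, offset: int = 0) -> Optional[YamuxFrame]:
    """Parse one frame at `offset`; return None if the header is malformed or truncated."""
    if len(buf) - offset < YAMUX_HEADER_LEN:
        return None
    version, ftype, flags, stream_id, length = struct.unpack_from("!BBHII", buf, offset)
    if version != YAMUX_VERSION or ftype not in TYPE_NAMES or flags & ~VALID_FLAG_MASK:
        return None
    # Ping and GoAway are session-level frames and always use stream ID 0.
    if ftype in (TYPE_PING, TYPE_GOAWAY) and stream_id != 0:
        return None
    payload = b""
    if ftype == TYPE_DATA:
        start = offset + YAMUX_HEADER_LEN
        if len(buf) - start < length:
            return None  # truncated payload
        payload = buf[start:start + length]
    return YamuxFrame(ftype, flags, stream_id, length, payload)


def iter_frames(buf: bytes) -> Iterator[YamuxFrame]:
    """Walk consecutive frames; stop at the first byte sequence that is not a valid frame."""
    offset = 0
    while offset < len(buf):
        frame = parse_frame(buf, offset)
        if frame is None:
            return
        yield frame
        offset += frame.wire_size()


def looks_like_yamux(buf: bytes, min_frames: int = 2) -> bool:
    """Heuristic: the buffer starts with `min_frames` well-formed frames, and the first one is
    either a client-side stream open (SYN on an odd stream ID) or a session-level ping."""
    frames: List[YamuxFrame] = []
    for frame in iter_frames(buf):
        frames.append(frame)
        if len(frames) >= min_frames:
            break
    if len(frames) < min_frames:
        return False
    first = frames[0]
    opens_stream = bool(first.flags & FLAG_SYN) and first.stream_id % 2 == 1
    return opens_stream or first.ftype == TYPE_PING


def build_frame(ftype: int, flags: int, stream_id: int,
                payload: bytes = b"", length: Optional[int] = None) -> bytes:
    """Encode a frame; used here only to construct the sample session below."""
    if length is None:
        length = len(payload)
    return struct.pack("!BBHII", YAMUX_VERSION, ftype, flags, stream_id, length) + payload


# Constructed sample: a client opens stream 1, sends a Data frame on it, then a keepalive ping.
SAMPLE_SESSION = (
    build_frame(TYPE_WINDOW_UPDATE, FLAG_SYN, 1)
    + build_frame(TYPE_DATA, 0, 1, b"constructed payload")
    + build_frame(TYPE_PING, FLAG_SYN, 0, length=42)
)
# Constructed non-Yamux samples: a TLS record header and a plain HTTP request.
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\x40" + bytes(64)
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for f in iter_frames(SAMPLE_SESSION):
        print(f.type_name(), f.flag_names(), f.stream_id, f.length, f.payload)
    print("yamux?", looks_like_yamux(SAMPLE_SESSION), looks_like_yamux(SAMPLE_TLS_RECORD))
```

The `min_frames` requirement matters: a single 12-byte header with version 0, a type below 4 and no unknown flag bits is easy to hit by chance in arbitrary binary data, so a detector should insist on several consecutive well-formed frames before raising an alert.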
Active Directory as the Persistent Attack Surface
The combination of CVE-2026-33826 and BeigeBurrow illustrates the persistent value Active Directory represents as an attack surface. Domain controllers are the identity control plane for virtually every Windows-based enterprise; code execution on a domain controller provides access to credential material, group membership, Group Policy, and the trust fabric that connects all domain-joined systems.
BeigeBurrow’s use of port 443 and Yamux multiplexing is specifically calibrated to domain controller environments: most security operations centres do not expect or monitor for Yamux-framed communications from domain controller processes, and outbound port 443 connections from DCs are common enough — for updates, telemetry, and authentication services — that volume-based detection may not surface the anomaly without process-attribution context.
Detection
Defenders can identify BeigeBurrow activity through the following:
- Process-attributed network connections: Alert on agent.exe or any non-standard binary making persistent outbound TCP 443 connections from domain controllers or other high-privilege servers. This requires endpoint telemetry that associates network connections with spawning processes.
- Yamux framing signatures: The Yamux protocol has identifiable header structure. Network detection rules targeting Yamux framing within TLS sessions (via JA3/JA4 fingerprinting or TLS metadata analysis) can identify potential BeigeBurrow channels distinct from legitimate HTTPS.
- Post-exploitation AD enumeration: Alert on LDAP queries for domain user enumeration, computer account listing, and group membership queries originating from processes inconsistent with legitimate AD management tooling (ADExplorer, RSAT, authorised monitoring agents).
- CVE-2026-33826 exploitation indicators: Review domain controller authentication event logs for authenticated RPC calls with anomalous parameters consistent with the exploit chain; Sigma rules have been published for this activity.
Recommended Actions
- Patch immediately: Apply the April 2026 Patch Tuesday update containing the CVE-2026-33826 fix to all domain controllers. This removes the initial access vector. Any domain controller still running a pre-April 15 Windows Server build should be treated as a high-priority patching target today.
- Hunt for BeigeBurrow in existing logs: Review the past 30 days of endpoint telemetry on domain controllers for agent.exe process creation, unexpected Go-compiled binaries, and persistent outbound port 443 connections from DC-class hosts.
- Segment domain controller network access: Validate that domain controllers do not have unrestricted outbound internet access — DC-to-internet communications should be proxied and inspected, with alerts on first-seen external destinations.
- Audit domain privilege changes: Review AD audit logs for privilege escalation events, new Domain Admin or Enterprise Admin additions, and service account modifications that may indicate attacker preparation following exploitation.
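The privilege-change audit above maps directly onto the Windows Security group-membership events: 4728 (member added to a security-enabled global group, which is where Domain Admins lives), 4756 (universal group, where Enterprise Admins lives) and 4732 (local group, such as the built-in Administrators). The review script below is an added example for this article rather than any published rule; the log records, the operator allowlist and the groups beyond the two the article names are constructed or assumed and should be replaced with your own.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known Security event IDs for group membership additions.
GROUP_ADD_EVENT_IDS = {4728: "global", 4732: "local", 4756: "universal"}

# Groups whose membership changes always warrant review. The article names the first two;
# the others are assumed additions to tailor to your domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts approved to perform privileged group changes (constructed allowlist).
APPROVED_OPERATORS = {"adm.jdoe"}


@dataclass
class Finding:
    time: str
    event_id: int
    operator: str    # SubjectUserName: the account that made the change
    member: str      # MemberName: distinguished name of the account that was added
    group: str       # TargetUserName: the group that received the member
    reasons: List[str]


# Constructed Security log excerpt, one JSON record per line. The 4624 logon record is
# included to show that unrelated events are ignored.
SAMPLE_SECURITY_LOG = r"""
{"EventID": 4728, "TimeCreated": "2026-04-20T02:14:09Z", "SubjectUserName": "svc_backup", "MemberName": "CN=tmp.helper,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"EventID": 4756, "TimeCreated": "2026-04-20T02:15:30Z", "SubjectUserName": "svc_backup", "MemberName": "CN=tmp.helper,OU=Users,DC=corp,DC=example", "TargetUserName": "Enterprise Admins"}
{"EventID": 4728, "TimeCreated": "2026-04-20T09:01:00Z", "SubjectUserName": "adm.jdoe", "MemberName": "CN=new.hire,OU=Users,DC=corp,DC=example", "TargetUserName": "Sales"}
{"EventID": 4732, "TimeCreated": "2026-04-20T09:05:00Z", "SubjectUserName": "adm.jdoe", "MemberName": "CN=svc_mon,OU=Service,DC=corp,DC=example", "TargetUserName": "Administrators"}
{"EventID": 4624, "TimeCreated": "2026-04-20T09:06:00Z", "SubjectUserName": "adm.jdoe", "TargetUserName": "adm.jdoe"}
"""


def parse_log(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def review_group_additions(events: List[Dict]) -> List[Finding]:
    """Flag group additions that touch a privileged group or come from an unapproved operator."""
    findings: List[Finding] = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENT_IDS:
            continue
        reasons: List[str] = []
        if ev["TargetUserName"] in PRIVILEGED_GROUPS:
            reasons.append("privileged-group")
        if ev["SubjectUserName"] not in APPROVED_OPERATORS:
            reasons.append("unapproved-operator")
        if reasons:
            findings.append(Finding(ev["TimeCreated"], ev["EventID"], ev["SubjectUserName"],
                                    ev["MemberName"], ev["TargetUserName"], reasons))
    return findings


def escalation_chains(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Group findings by (operator, member) and keep only pairs added to two or more
    privileged groups, the pattern of an account being staged for full domain control."""
    by_pair: Dict[Tuple[str, str], List[str]] = {}
    for f in findings:
        if "privileged-group" in f.reasons:
            by_pair.setdefault((f.operator, f.member), []).append(f.group)
    return {pair: groups for pair, groups in by_pair.items() if len(groups) >= 2}


if __name__ == "__main__":
    found = review_group_additions(parse_log(SAMPLE_SECURITY_LOG))
    for f in found:
        print(f.time, f.event_id, f.operator, "->", f.group, f.reasons)
    print("chains:", escalation_chains(found))
```

Run against exported Security events from every domain controller, not just the PDC emulator, since group changes are logged on whichever DC processed the write.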