CVE-2026-28800
📋 TL;DR
CVE-2026-28800 is a critical remote code execution vulnerability in Natro Macro (an AutoHotkey-based Bee Swarm Simulator macro) that allows attackers to gain complete control of affected systems. Anyone using Discord Remote Control in non-private channels with versions before 1.1.0 is vulnerable. Attackers can execute arbitrary commands, access files, and control keyboard/mouse inputs remotely.
💻 Affected Systems
- Natro Macro
📦 What is this software?
Natro Macro by Natroteam
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise including data theft, ransomware deployment, credential harvesting, and persistent backdoor installation.
Likely Case
Unauthorized remote control of gaming systems, credential theft from logged-in accounts, and installation of additional malware.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are followed, though local system compromise remains possible.
🎯 Exploit Status
Exploitation requires Discord message sending permissions in the vulnerable channel. The advisory includes technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.0
Vendor Advisory: https://github.com/NatroTeam/NatroMacro/security/advisories/GHSA-ph9r-2qjm-ghvg
Restart Required: Yes
Instructions:
1. Download Natro Macro version 1.1.0 or later from official sources.
2. Stop any running instances of Natro Macro.
3. Install the updated version.
4. Restart the application.
🔧 Temporary Workarounds
Disable Discord Remote Control
Windows: Turn off the Discord Remote Control feature in Natro Macro settings
Use Private Discord Channels
All platforms: Only enable Discord Remote Control in private channels with strict access controls
🧯 If You Can't Patch
- Immediately disable Discord Remote Control feature in all Natro Macro instances
- Block Discord API connections at network level or restrict to private channels only
🔍 How to Verify
Check if Vulnerable:
Check Natro Macro version and verify if Discord Remote Control is enabled in non-private channels. Review Discord channel permissions.
Check Version:
Check Natro Macro interface or configuration files for version information
Verify Fix Applied:
Confirm Natro Macro version is 1.1.0 or higher. Verify Discord Remote Control behavior matches patched version expectations.
📡 Detection & Monitoring
Log Indicators:
- Unusual AutoHotkey process activity
- Suspicious Discord API calls from gaming systems
- Unexpected system commands executed
Network Indicators:
- Discord API connections from gaming systems to non-private channels
- Unusual outbound connections following Discord activity
SIEM Query:
Process creation where parent_process contains 'AutoHotkey' AND command_line contains suspicious patterns
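One way to turn the SIEM query above into runnable detection logic, as an added example that is not part of this advisory or of Natro Macro: it scans constructed Sysmon-style process-creation events and flags children of an AutoHotkey parent whose command line matches a set of assumed suspicious patterns (the advisory does not define "suspicious patterns"; the ones below are assumptions to tune for your environment).

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# not taken from any real host.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "command_line": "cmd.exe /c whoami > C:\\Users\\Public\\w.txt"},
    {"id": 2, "parent_image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "command_line": "RobloxPlayerBeta.exe"},          # benign: macro launching the game
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "cmd.exe /c dir"},                # parent is not AutoHotkey
    {"id": 4, "parent_image": r"C:\Program Files\AutoHotkey\AutoHotkey.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <BASE64 PLACEHOLDER>"},
]

# Assumed "suspicious patterns" for the command_line field; extend as needed.
SUSPICIOUS_PATTERNS = {
    "shell_spawn": re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript)\.exe\b", re.I),
    "encoded_command": re.compile(r"(^|\s)-(e|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I),
    "download_tool": re.compile(r"\b(certutil|bitsadmin|curl|Invoke-WebRequest|DownloadString)\b", re.I),
}


def is_autohotkey_parent(parent_image: str) -> bool:
    """parent_process contains 'AutoHotkey' (case-insensitive substring match)."""
    return "autohotkey" in parent_image.lower()


def classify(event: dict) -> list:
    """Names of the patterns matched by this event's command line; empty if the
    parent is not AutoHotkey or nothing matched."""
    if not is_autohotkey_parent(event["parent_image"]):
        return []
    return [name for name, rx in SUSPICIOUS_PATTERNS.items()
            if rx.search(event["command_line"])]


def find_suspicious(events: list) -> dict:
    """Map event id -> matched pattern names for every event worth alerting on."""
    hits = {}
    for ev in events:
        matched = classify(ev)
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for eid, names in find_suspicious(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(names)}")
```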