Single IP Linked to 83% of Ivanti EPMM Exploits


A single digital fingerprint appearing at the scene of countless cyber intrusions across the globe paints a stark picture of a highly coordinated and automated attack campaign targeting enterprises through a critical software vulnerability. Security researchers have tracked an overwhelming majority of exploit attempts against Ivanti’s Endpoint Manager Mobile (EPMM) software to one IP address, revealing a concentrated effort to compromise high-value networks on a massive scale. This activity highlights a sophisticated threat actor methodically building an arsenal of compromised systems, likely for future sale or coordinated cyberattacks. The sheer focus of this campaign underscores the immediate danger facing organizations that have yet to secure their systems against this well-documented threat.

When One Bad Actor Is Responsible for Four out of Five Attacks

An astonishing 83% of all observed exploitation attempts against Ivanti EPMM have been traced back to a single, persistent source. Threat intelligence firm GreyNoise documented 417 distinct exploitation sessions originating from just eight unique IP addresses between February 1 and February 9. Of those, a staggering 346 sessions emanated from the IP address 193.24.123[.]42, demonstrating an unusually high concentration of malicious activity from one actor.

This IP address is not an unknown entity operating from an obscure corner of the internet. It resides on infrastructure provided by PROSPERO, a bulletproof hosting service known for catering to malicious actors. Further investigation connects this infrastructure to the notorious Proton66 autonomous system (AS200593), which has a documented history of distributing dangerous malware families, including GootLoader, SpyNote, and SocGholish. This connection firmly places the attack’s origin within a known ecosystem of cybercrime.

Understanding the Target: Why Ivanti EPMM Is in the Crosshairs

The attackers are leveraging a pair of critical vulnerabilities, tracked as CVE-2026-1281 and CVE-2026-1340, which together carry a near-perfect severity score of 9.8 out of 10. These flaws allow an unauthenticated attacker to execute arbitrary code on a vulnerable server remotely, effectively giving them complete control without needing any credentials. This type of vulnerability is considered a holy grail for attackers, providing a direct and powerful entry point into a target’s network.

Compromising an EPMM instance is a strategic prize for any threat actor. As a central hub for managing an entire organization’s mobile devices, from smartphones to tablets, it offers a powerful foothold deep inside the network. A successful breach provides an ideal platform for lateral movement, allowing attackers to bypass traditional network segmentation and security controls to access sensitive data and deploy further malware across the organization’s fleet of devices.

The real-world impact of these vulnerabilities became clear when several high-profile government entities confirmed they were targeted. The European Commission, the Dutch Data Protection Authority, and Finland’s government IT service center, Valtori, all reported attacks leveraging these flaws. These incidents serve as a potent reminder that the threat is not theoretical but an active and widespread risk to critical public and private sector organizations.

Anatomy of a Mass-Scale Automated Campaign

The evidence overwhelmingly points to a sophisticated, automated attack framework rather than a manual operation. The single attacking IP address was observed rotating through more than 300 unique user agent strings, mimicking various browsers and operating systems to evade simple detection rules. Simultaneously, the same source was found launching exploits against three other unrelated software vulnerabilities in Oracle WebLogic, GNU InetUtils, and GLPI, a behavior consistent with large-scale, automated scanning and exploitation tooling.

Instead of immediately deploying ransomware or exfiltrating data, the attacker’s primary strategy appears to be reconnaissance. The campaign heavily utilizes out-of-band application security testing (OAST), where DNS callbacks are used simply to confirm that a target is vulnerable. This technique allows the actor to quietly catalog exploitable systems across the internet, building a comprehensive list of potential victims for a later, more targeted attack or for sale on dark web forums. This methodology is a hallmark of initial access brokers, who specialize in breaching networks and selling that access to other criminal groups.

Further analysis of compromised systems revealed the deployment of a dormant “sleeper shell” at the path /mifs/403.jsp. This lightweight web shell is designed to provide persistent, long-term access to the compromised server, allowing the attacker to return at any time to escalate their attack. By planting a stealthy backdoor, the actor ensures their access survives even if the initial vulnerability is patched, turning a momentary weakness into a lingering threat.
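The two request-level fingerprints described in the last three paragraphs, a single source cycling through many User-Agent strings and any request touching the sleeper-shell path /mifs/403.jsp, can both be hunted in ordinary web access logs. The script below is an added example written for this article, not tooling from GreyNoise, Defused Cyber or Ivanti; the log lines are constructed samples in Combined Log Format, the IP addresses are documentation ranges, and the diversity threshold of five user agents is an assumed value to tune per environment (the campaign's source used more than 300).

```python
"""Hunt web access logs for two fingerprints of the campaign: one source
rotating through many User-Agent strings (automated tooling), and any request
to the sleeper-shell path /mifs/403.jsp. Sample log lines are constructed."""
import re
from collections import defaultdict

SLEEPER_SHELL_PATH = "/mifs/403.jsp"
# Assumption: a tunable threshold; the campaign's source used more than 300 UAs.
UA_DIVERSITY_THRESHOLD = 5

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one source with six different user agents (one of which
# reaches the shell path) and one ordinary client, plus a malformed line.
SAMPLE_LOG = """\
203.0.113.9 - - [08/Feb/2026:10:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.9 - - [08/Feb/2026:10:00:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.9 - - [08/Feb/2026:10:00:03 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1.15"
203.0.113.9 - - [08/Feb/2026:10:00:04 +0000] "POST /mifs/login.jsp HTTP/1.1" 200 128 "-" "curl/8.5.0"
203.0.113.9 - - [08/Feb/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [08/Feb/2026:10:00:06 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1) Trident/7.0"
198.51.100.7 - - [08/Feb/2026:10:01:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2) Safari/604.1"
this line is not in combined log format and is skipped
"""


def parse_log(text):
    """Parse every well-formed line into a dict; silently skip the rest."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def user_agents_by_source(records):
    """Map each source IP to the set of distinct User-Agent strings it sent."""
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return uas


def automated_sources(records, threshold=UA_DIVERSITY_THRESHOLD):
    """Sources whose user-agent diversity reaches the threshold: {ip: count}."""
    return {ip: len(s) for ip, s in user_agents_by_source(records).items()
            if len(s) >= threshold}


def sleeper_shell_hits(records):
    """Every request for the sleeper-shell path, with source, time and status.
    Query strings are stripped so /mifs/403.jsp?x=1 still matches."""
    return [(r["ip"], r["ts"], r["status"]) for r in records
            if r["path"].split("?", 1)[0] == SLEEPER_SHELL_PATH]


def hunt(text):
    """Run both checks over raw log text and return a summary."""
    records = parse_log(text)
    return {
        "parsed": len(records),
        "automated_sources": automated_sources(records),
        "sleeper_shell_hits": sleeper_shell_hits(records),
    }


if __name__ == "__main__":
    summary = hunt(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} records")
    for ip, n in summary["automated_sources"].items():
        print(f"high UA diversity: {ip} used {n} distinct user agents")
    for ip, ts, status in summary["sleeper_shell_hits"]:
        print(f"sleeper shell path requested by {ip} at {ts} (HTTP {status})")
```

The status code is kept in each shell-path hit so an analyst can separate mere probes from responses that show the path actually served content. Pointing `hunt()` at a real log means replacing `SAMPLE_LOG` with the file contents; the regex assumes Combined Log Format and will need adjusting for other layouts.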

Insights from the Cyber Front Lines

Expert analysis from across the cybersecurity industry corroborates the assessment of a large-scale, automated campaign. Researchers at GreyNoise stated, “This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling.” This conclusion reinforces the idea that the attacks are not the work of a small-time hacker but a well-equipped and systematic operation.

The tactics observed align perfectly with the business model of initial access brokers. Defused Cyber, which first reported the sleeper shell, noted, “OAST callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later.” This insight into the attacker’s tradecraft explains the methodical, reconnaissance-first approach.

In response to the growing threat, Ivanti issued an urgent plea to its customers, emphasizing that patching is the most critical defense. A company spokesperson stressed that “customers who have not yet patched should do so immediately,” noting that the patch can be applied in seconds without downtime. Researchers have also confirmed that both CVEs are intrinsically linked, advising that “organizations should treat both CVEs as equally urgent.”

A Practical Defense Checklist for Ivanti EPMM Users

For organizations utilizing Ivanti EPMM, the path forward requires immediate and decisive action. The primary and most effective defense is to apply the security patches released by Ivanti without delay. This step closes the entry point the attackers are actively exploiting and is the foundational element of any effective response strategy.

Beyond patching, security teams should harden their network perimeter. Proactively blocking all traffic from the PROSPERO autonomous system (AS200593) can prevent this specific attacker from reaching internet-facing systems. While threat actors can change infrastructure, this measure provides an immediate layer of protection against the most active source of these attacks.

Finally, organizations must assume compromise and actively hunt for signs of a breach. This involves auditing DNS logs for any unusual out-of-band callbacks, which are a key indicator of the attacker’s reconnaissance activity. Furthermore, administrators should scan their EPMM instances for the presence of the sleeper shell path /mifs/403.jsp. Adopting a security posture that presumes critical, internet-facing vulnerabilities will be targeted within hours of public disclosure is no longer optional but a necessity in the current threat landscape. The speed and scale of this campaign show that a proactive, vigilant defensive strategy is essential to weathering attacks of this kind.
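The two hunts in the checklist's final step, auditing DNS logs for out-of-band callbacks and checking an EPMM host for the sleeper shell at /mifs/403.jsp, can be scripted. The code below is an added example for this article and is not Ivanti's or any vendor's tooling. It assumes a resolver log laid out as "timestamp client-ip query-name query-type", a known set of EPMM server addresses, an allowlist of expected destination domains, and a webroot directory to walk; the log lines, the `oast-callback.example` domain, the client addresses and the demo webroot are all constructed here. The callback heuristic (a long, mixed letter-and-digit, high-entropy leftmost label on an unexpected domain) is a general pattern for OAST-style tokens, not a signature taken from this campaign.

```python
"""Two hunts from the defense checklist, runnable offline: flag DNS queries
from EPMM hosts that look like out-of-band (OAST) callbacks, and look for the
sleeper shell at mifs/403.jsp under a webroot. Everything below is constructed."""
import math
import os
import tempfile
from collections import Counter

SLEEPER_SHELL_REL_PATH = os.path.join("mifs", "403.jsp")

# Assumption: resolver log lines read "<ts> <client-ip> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2026-02-08T10:00:01Z 10.20.0.5 www.ivanti.com A
2026-02-08T10:00:03Z 10.20.0.5 qk3v9x7m2zt8b4nh.oast-callback.example A
2026-02-08T10:00:04Z 10.20.0.5 time.nist.gov A
2026-02-08T10:00:07Z 10.20.0.9 qk3v9x7m2zt8b4nh.oast-callback.example A
2026-02-08T10:00:09Z 10.20.0.5 updates.example.org A
"""
EPMM_HOSTS = {"10.20.0.5"}                         # assumption: EPMM server IPs
ALLOWED_DOMAINS = {"ivanti.com", "example.org"}    # assumption: expected destinations


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name (good enough for the heuristic here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_oast_callback(qname, allowed=ALLOWED_DOMAINS):
    """Heuristic: OAST tooling embeds a per-target random token as the
    leftmost label, so a long, mixed alphanumeric, high-entropy label on a
    domain outside the allowlist is worth a look."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3 or registered_domain(qname) in allowed:
        return False
    token = labels[0]
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    return (len(token) >= 12 and has_alpha and has_digit
            and shannon_entropy(token) >= 3.0)


def audit_dns_log(text, epmm_hosts=EPMM_HOSTS):
    """Return the suspicious queries issued by EPMM hosts."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip malformed lines
        ts, client, qname, _qtype = parts[:4]
        if client in epmm_hosts and looks_like_oast_callback(qname):
            flagged.append({"ts": ts, "client": client, "qname": qname})
    return flagged


def find_sleeper_shell(webroot):
    """Walk webroot and return absolute paths of any mifs/403.jsp found."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            if full.endswith(os.sep + SLEEPER_SHELL_REL_PATH):
                hits.append(full)
    return hits


def build_constructed_webroot():
    """Create a throwaway webroot containing a placeholder 403.jsp for the demo."""
    root = tempfile.mkdtemp(prefix="epmm-demo-")
    os.makedirs(os.path.join(root, "mifs"))
    with open(os.path.join(root, "mifs", "login.jsp"), "w") as f:
        f.write("<%-- benign page --%>\n")
    with open(os.path.join(root, "mifs", "403.jsp"), "w") as f:
        f.write("<%-- constructed placeholder, not a real shell --%>\n")
    return root


if __name__ == "__main__":
    for hit in audit_dns_log(SAMPLE_DNS_LOG):
        print(f"possible OAST callback: {hit['client']} -> {hit['qname']} at {hit['ts']}")
    demo_root = build_constructed_webroot()
    for path in find_sleeper_shell(demo_root):
        print(f"sleeper shell path present: {path}")
```

The query from 10.20.0.9 is deliberately left unflagged because that host is outside the EPMM set; widening `EPMM_HOSTS` (or dropping the filter) turns the same heuristic into an estate-wide sweep. On a real deployment, `find_sleeper_shell()` should be pointed at the actual web application root, and a hit should be preserved with its timestamps before any cleanup.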
