PROBABLYPWNED
Vulnerabilities | February 14, 2026 | 3 min read

Single IP Behind 83% of Ivanti EPMM Attacks, Sleepers Found

GreyNoise traces Ivanti EPMM exploitation to bulletproof hosting on PROSPERO network. Defenders find dormant webshells—signs of initial access broker activity.

Marcus Chen

A single IP address on bulletproof hosting infrastructure is responsible for the vast majority of exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), according to new telemetry from GreyNoise. The finding comes as researchers discover dormant "sleeper" webshells on compromised systems—a tactic consistent with initial access brokers preparing to sell footholds.

We covered the initial Ivanti EPMM zero-day disclosure when CISA added it to the KEV catalog in late January. The exploitation picture has since become much clearer.

Attack Attribution and Infrastructure

GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1-9. One address—193.24.123[.]42—accounted for approximately 346 of those sessions, representing 83% of all observed attempts.

The malicious IP operates on infrastructure provided by PROSPERO, an autonomous system (AS200593) assessed as linked to Proton66. This network has previously served as distribution infrastructure for GootLoader, Matanbuchus, SpyNote, and Coper malware.

What makes this particularly concerning: in the same window the same host also attacked four unrelated vulnerabilities, among them flaws in Oracle WebLogic, GNU InetUtils telnetd, and GLPI. That spread points to automated, opportunistic scanning infrastructure rather than a campaign aimed at EPMM specifically, which is exactly the profile of an operator harvesting footholds at scale.

Sleeper Webshell Campaign

Researchers at Defused Cyber reported a troubling finding: some compromised EPMM instances contain dormant in-memory Java class loaders rather than active backdoors. These "sleeper shells" do nothing until a later trigger arrives, a hallmark of initial access broker operations, and because they live in the JVM rather than on disk they leave little for a file-based scan to find.

The tactic makes sense economically. Brokers establish persistent access to high-value targets, then sell that access on dark web marketplaces to ransomware operators or nation-state actors. A dormant implant is harder to detect during routine security monitoring.

Organizations that patched CVE-2026-1281 should not assume they are clean. The patch closes the initial vector; it does not remove anything planted through that vector before the patch was applied, so post-exploitation artifacts can persist on a fully patched system.

Confirmed Victims

Several European government bodies have confirmed they were targeted:

  • Netherlands' Data Protection Authority (Autoriteit Persoonsgegevens, AP)
  • Netherlands' Council for the Judiciary (Raad voor de rechtspraak, Rvdr)
  • European Commission
  • Finland's Valtori

The Dutch DPA and Rvdr confirmed their EPMM instances were breached on or before January 29—likely before patches were available.

Evasion Techniques

The primary attacker employed more than 300 unique User-Agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants. This indicates automated tooling designed to evade basic fingerprinting defenses: a block on any single User-Agent is useless against it. The rotation is itself a signal, though, since a real client does not present hundreds of User-Agents from one source address.

Notably, 85% of sessions involved only DNS beaconing, the out-of-band callbacks used to confirm that injected code executed, with no payload deployment or data exfiltration. The attackers appear focused on establishing initial access and validating exploitability rather than immediate data theft.

Detection Guidance

Network defenders should:

  1. Review DNS logs from EPMM hosts for out-of-band callbacks to unfamiliar domains; the beaconing described above leaves a resolver trail even when no payload followed
  2. Search web logs for requests to /mifs/403.jsp paths, and note which source IPs made them
  3. Block AS200593 (PROSPERO) at the network perimeter as a stopgap; this removes one scanner, not the vulnerability, and other source IPs were observed
  4. Hunt for in-memory Java artifacts (unexpected loaded classes or class loaders) and check whether they reappear after an EPMM restart, which would indicate a persistence mechanism
  5. Apply patches immediately if not already done; Ivanti notes no downtime is required
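Step 2 above, together with the User-Agent rotation noted under Evasion Techniques, can be scripted against web access logs. The following is an added example written for this page, not code from the article, GreyNoise, Defused Cyber or Ivanti. It assumes the EPMM front-end logs are in Apache/nginx combined format, uses the request path and source IP the article names as its indicators, and treats more than five distinct User-Agents from one IP as rotation (a threshold chosen here, not taken from the page). The sample log lines are constructed. DNS log review (step 1) and the in-memory Java hunt (step 4) are not covered by this script.

```python
"""Hunt EPMM web access logs for the indicators discussed above.

Added example, not code from the article, GreyNoise, Defused Cyber or Ivanti.
Assumptions not stated on the page: logs are in Apache/nginx "combined"
format, and a real client presents only a handful of User-Agent strings
per source IP, so high User-Agent cardinality from one IP is flagged as
rotation. The sample log lines below are constructed.
"""
import re
from collections import defaultdict

# Apache/nginx combined log format (assumption: the EPMM front-end logs look like this).
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators taken from the article: the heavy-hitter IP and the path to search for.
KNOWN_BAD_IPS = {"193.24.123.42"}
SUSPICIOUS_PATHS = ("/mifs/403.jsp",)

# Assumption: more than this many distinct User-Agents from one IP is rotation, not a browser.
UA_ROTATION_THRESHOLD = 5


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_LOG.match(line)
    return m.groupdict() if m else None


def hunt(lines, ua_threshold=UA_ROTATION_THRESHOLD):
    """Return (hits, rotators).

    hits: parsed requests that touch a suspicious path or come from a known bad IP.
    rotators: {ip: distinct User-Agent count} for source IPs above ua_threshold.
    """
    hits = []
    uas_by_ip = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip it rather than abort the whole hunt
        uas_by_ip[entry["ip"]].add(entry["ua"])
        path = entry["path"].split("?", 1)[0]  # match on the path, ignoring any query string
        if path.startswith(SUSPICIOUS_PATHS) or entry["ip"] in KNOWN_BAD_IPS:
            hits.append(entry)
    rotators = {ip: len(uas) for ip, uas in uas_by_ip.items() if len(uas) > ua_threshold}
    return hits, rotators


# Constructed sample: six probes from the bad IP under six different User-Agents,
# one probe of the same path from another IP, and two benign admin requests.
SAMPLE_LOG = [
    '193.24.123.42 - - [03/Feb/2026:11:02:15 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
    '193.24.123.42 - - [03/Feb/2026:11:02:16 +0000] "GET /mifs/403.jsp?r=1 HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"',
    '193.24.123.42 - - [03/Feb/2026:11:02:17 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"',
    '193.24.123.42 - - [03/Feb/2026:11:02:18 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/109.0"',
    '193.24.123.42 - - [03/Feb/2026:11:02:19 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_3 like Mac OS X) Safari/604.1"',
    '193.24.123.42 - - [03/Feb/2026:11:02:20 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 1284 "-" "Mozilla/5.0 (Android 14; Mobile) Firefox/123.0"',
    '203.0.113.7 - - [04/Feb/2026:02:40:01 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 1284 "-" "python-requests/2.31.0"',
    '10.0.0.5 - - [04/Feb/2026:09:15:33 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4410 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
    '10.0.0.5 - - [04/Feb/2026:09:15:40 +0000] "GET /mifs/admin/admin.html HTTP/1.1" 200 9021 "https://epmm.example.internal/mifs/login.jsp" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"',
]


if __name__ == "__main__":
    found, rotating = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['path']} ua={h['ua']!r}")
    for ip, n in rotating.items():
        print(f"User-Agent rotation: {ip} presented {n} distinct User-Agents")
```

Run it against a real log with `hunt(open("access.log"))` instead of the constructed list. Hits from an IP that is not on the known-bad list (203.0.113.7 in the sample) matter as much as the named scanner: the path match is the indicator that survives when the attacker moves infrastructure, and the rotation count catches a new source before any IP list does.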

The broader pattern here fits what we've seen with other edge device vulnerabilities—internet-facing management interfaces remain prime targets for both opportunistic scanning and targeted exploitation.

Why This Matters

Mobile device management platforms like EPMM sit at a critical junction in enterprise architecture. They have visibility into managed endpoints, store credentials, and often bypass standard network segmentation. A compromised MDM server gives attackers a launching point into the devices it manages.

The sleeper webshell discovery is particularly troubling. Organizations may believe they've contained the incident after patching, only to find weeks later that access was sold to a ransomware crew. Security teams should treat EPMM compromise as an ongoing hunt rather than a closed incident.
