A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.
Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts.
The malicious activity is designed to exploit CVE-2026-1281 (CVSS scores: 9.8), one of the two critical security vulnerabilities in EPMM, along with CVE-2026-1340 that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it's aware of a "very limited number of customers" who were impacted following the zero-day exploitation of the issues.
Since then, multiple European agencies, including the Netherlands' Dutch Data Protection Authority (AP), Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.
Further analysis has revealed that the same host has been simultaneously exploiting three other CVEs across unrelated software -
- CVE-2026-21962 (Oracle WebLogic) - 2,902 sessions
- CVE-2026-24061 (GNU InetUtils telnetd) - 497 sessions
- CVE-2025-24799 (GLPI) - 200 sessions
"The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," GreyNoise said. "This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling."
It's worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.
GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm "this target is exploitable" without deploying any malware or exfiltrating data.
The disclosure comes days after Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path "/mifs/403.jsp." The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain.
"That pattern is significant," it noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later."
Ivanti EPMM users are recommended to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, and monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter level.
"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure."
Update
Following the publication of the story, an Ivanti spokesperson shared the below statement with The Hacker News -
Ivanti's recommendation remains the same: customers who have not yet patched should do so immediately, and then review their appliance for any signs of exploitation that may have occurred prior to patching. Applying the patch is the most effective way to prevent exploitation, regardless of how IoCs change over time, especially once a POC is available. The patch requires no downtime and takes only seconds to apply.
Ivanti has provided customers with high-fidelity indicators of compromise, technical analysis at disclosure, and an Exploitation Detection script developed with NCSC-NL, and continues to support customers as we respond to this threat.
The GreyNoise research team told The Hacker News via email that CVE-2026-1281 and CVE-2026-1340 were disclosed by Ivanti as related code injection vulnerabilities in different EPMM components, and that it's tracking both the CVEs under a single deletion tag (CVE-2026-1281). "Given the relationship between the two, organizations should treat both CVEs as equally urgent," it added.
(The story was updated after publication to include responses from Ivanti and GreyNoise.)
