GreyNoise analysis reveals that a single IP address on PROSPERO's bulletproof hosting infrastructure is responsible for 83% of exploitation attempts targeting Ivanti EPMM vulnerabilities, with attackers using sophisticated fingerprinting techniques to identify vulnerable targets.
A single IP address on bulletproof hosting infrastructure is responsible for the vast majority of exploitation attempts targeting Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, according to new threat intelligence analysis that reveals the scale and sophistication of ongoing attacks.
Threat intelligence firm GreyNoise has identified that 83% of all exploitation sessions targeting CVE-2026-1281 in Ivanti EPMM originated from one source: the IP address 193.24.123[.]42. Between February 1 and 9, 2026, GreyNoise recorded 417 total exploitation sessions from 8 unique source IP addresses, with 346 of those sessions coming from this single host.
The Scale of the Attack
The concentration of attacks from a single IP is particularly concerning given the critical nature of the vulnerabilities. CVE-2026-1281, along with CVE-2026-1340, could allow unauthenticated remote code execution on affected systems. These vulnerabilities were disclosed after reports emerged that threat actors had already begun exploiting them in the wild.
What makes this campaign especially sophisticated is the attacker's approach to reconnaissance. GreyNoise reports that 85% of exploitation sessions included DNS beaconing: an out-of-band DNS callback that confirms a target is exploitable without deploying malware or exfiltrating data. This "verify first, deploy later" strategy is consistent with initial access broker operations, where threat actors establish footholds to sell or hand off access for financial gain.
Multi-Vector Exploitation Campaign
Analysis of the malicious IP revealed an even broader campaign. The same host was simultaneously exploiting three other CVEs across unrelated software products:
- CVE-2026-21962 (Oracle WebLogic) - 2,902 sessions
- CVE-2026-24061 (GNU InetUtils telnetd) - 497 sessions
- CVE-2025-24799 (GLPI) - 200 sessions
"The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," GreyNoise noted. "This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling."
Bulletproof Hosting Infrastructure
The attacks originate from PROSPERO, a bulletproof hosting provider that GreyNoise has linked to another autonomous system, Proton66. This infrastructure has a documented history of distributing various types of malware, including:
- GootLoader
- Matanbuchus
- SpyNote
- Coper (aka Octo)
- SocGholish
Sleeper Shell Campaign
Adding to the threat landscape, cybersecurity company Defused Cyber reported a "sleeper shell" campaign targeting compromised EPMM instances. The attackers deployed a dormant in-memory Java class loader to the path "/mifs/403.jsp" on affected systems.
"That pattern is significant," Defused Cyber noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later."
European Impact
The exploitation campaign has already impacted multiple European organizations. Since Ivanti acknowledged the vulnerabilities, several agencies have disclosed they were targeted:
- The Netherlands' Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP)
- The Netherlands' Council for the Judiciary
- European Commission
- Finland's Valtori
Mitigation Recommendations
Organizations running Ivanti EPMM are urged to take immediate action:
- Apply the available security patches immediately
- Audit all internet-facing Mobile Device Management (MDM) infrastructure
- Review DNS logs for OAST-pattern callbacks
- Monitor for the "/mifs/403.jsp" path on EPMM instances
- Block PROSPERO's autonomous system (AS200593) at the network perimeter; treat this as a partial measure, since GreyNoise links the same operator to Proton66 and the scanning can move to a different AS
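The log checks in this list (the "/mifs/403.jsp" path, OAST-pattern DNS callbacks) and the user-agent rotation GreyNoise describes above can all be hunted for with a short script. The following is an added example, not GreyNoise's or Defused Cyber's tooling and not code from the article: the access-log and DNS-log lines are constructed for illustration, the OAST domain list is an assumed set of public out-of-band-interaction services, the EPMM appliance address 10.10.5.21 and the user-agent threshold of 3 are assumptions, and the "random first label" rule is a heuristic that will also match some CDN hostnames, which is why it is scoped to the MDM hosts' own queries.

```python
"""Hunting helpers for the EPMM indicators described above.

Added example, not GreyNoise's or Defused Cyber's tooling. All log lines
below are constructed; the OAST domain list, the EPMM host address and
the user-agent threshold are assumptions, not values from the article.
"""
import re
from collections import defaultdict

# Constructed combined-format web access log from an EPMM front end.
# 203.0.113.7 behaves like the scanner in the article (rotating user agents,
# touching the sleeper-shell path); 198.51.100.20 is a normal client.
ACCESS_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:01:02 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.7 - - [08/Feb/2026:10:01:03 +0000] "POST /mifs/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) Safari/605.1"
203.0.113.7 - - [08/Feb/2026:10:01:04 +0000] "GET /mifs/admin HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.7 - - [08/Feb/2026:10:01:05 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/119.0"
198.51.100.20 - - [08/Feb/2026:10:02:00 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
198.51.100.20 - - [08/Feb/2026:10:02:30 +0000] "GET /mifs/c/d/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
"""

# Constructed resolver query log: "<timestamp> <client> <qname>".
# 10.10.5.21 is assumed to be the EPMM appliance's internal address.
DNS_LOG = """\
2026-02-08T10:01:02Z 10.10.5.21 c9k2m1t8h3e4p5q6.oast.fun
2026-02-08T10:01:02Z 10.10.5.21 updates.ivanti.com
2026-02-08T10:01:03Z 10.10.5.21 x7f2q9z4k1m8n3p5.burpcollaborator.net
2026-02-08T10:01:04Z 10.10.5.21 r4t6y8u0i2o4p6a8.example-internal.net
2026-02-08T10:02:03Z 10.10.5.22 s3d5f7g9h1j3k5l7.oast.fun
2026-02-08T10:02:05Z 10.10.5.22 www.example.com
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed list of public out-of-band-interaction services; extend it for
# your environment (the article names no specific OAST provider).
OAST_SUFFIXES = (".oast.fun", ".oast.pro", ".oast.live", ".oast.site",
                 ".oast.online", ".oast.me", ".burpcollaborator.net",
                 ".oastify.com")
# Long lowercase alphanumeric first label, as OAST tools generate.
RANDOM_LABEL_RE = re.compile(r"^[a-z0-9]{12,}$")


def parse_access(log):
    """Yield one dict per parseable combined-format access-log line."""
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.groupdict()


def shell_path_hits(log, path="/mifs/403.jsp"):
    """Every request for the sleeper-shell path, whatever the status code."""
    return [(r["ip"], r["ts"], int(r["status"]))
            for r in parse_access(log) if r["path"].split("?")[0] == path]


def rotating_user_agents(log, threshold=3):
    """Source IPs presenting at least `threshold` distinct User-Agent strings."""
    agents = defaultdict(set)
    for r in parse_access(log):
        agents[r["ip"]].add(r["ua"])
    return {ip: len(uas) for ip, uas in agents.items() if len(uas) >= threshold}


def oast_callbacks(log, mdm_hosts):
    """DNS queries from MDM hosts that look like OAST verification beacons.

    A query is flagged when its name ends in a known OAST suffix, or when
    its first label is a long random-looking token (heuristic: it will also
    catch some CDN names, hence the restriction to the MDM hosts)."""
    hits = []
    for line in log.splitlines():
        try:
            ts, client, qname = line.split()
        except ValueError:
            continue
        if client not in mdm_hosts:
            continue
        q = qname.lower().rstrip(".")
        known = q.endswith(OAST_SUFFIXES)
        label = q.split(".")[0]
        random_like = (bool(RANDOM_LABEL_RE.match(label))
                       and any(c.isdigit() for c in label)
                       and any(c.isalpha() for c in label))
        if known or random_like:
            hits.append((ts, client, qname, "known-oast" if known else "random-label"))
    return hits


if __name__ == "__main__":
    for hit in shell_path_hits(ACCESS_LOG):
        print("sleeper-shell path requested:", hit)
    for ip, n in rotating_user_agents(ACCESS_LOG).items():
        print(f"{ip} presented {n} distinct user agents")
    for hit in oast_callbacks(DNS_LOG, {"10.10.5.21"}):
        print("possible OAST callback:", hit)
```

Run against the constructed data, the script flags the single request for /mifs/403.jsp from 203.0.113.7, that same source for presenting four user agents, and three queries from the EPMM host (two to known OAST services, one matched only by the random-label heuristic). A hit on the path should be followed by checking the appliance itself, since a request for it does not by itself prove the class loader was deployed; a DNS hit from an appliance that should never resolve arbitrary external names is the stronger signal.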
"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise warned. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure."
The concentration of attacks from a single source, combined with sophisticated fingerprinting and multi-CVE exploitation, demonstrates the evolving nature of vulnerability exploitation campaigns. The use of bulletproof hosting infrastructure and the "verify first" approach suggests these operations are well-resourced and strategically focused on establishing persistent access rather than immediate data theft.