83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure

A large share of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure provided by PROSPERO.

Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions originated from 193.24.123[.]42, accounting for 83% of all attempts.

The malicious activity is designed to exploit CVE-2026-1281 (CVSS score: 9.8), one of two critical security vulnerabilities in EPMM, alongside CVE-2026-1340, that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it is aware of a "very limited number of customers" who were impacted following zero-day exploitation of the issues.

Since then, several European agencies, including the Netherlands' Dutch Data Protection Authority (AP) and Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.


Further analysis has revealed that the same host has been concurrently exploiting three other CVEs across unrelated software –

"The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," GreyNoise said. "This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling."

It is worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware such as GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.

GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm "this target is exploitable" without deploying any malware or exfiltrating data.

The disclosure comes days after Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path "/mifs/403.jsp." The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold in order to sell or hand off access later for financial gain.


"That pattern is significant," it noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later."

Ivanti EPMM customers are advised to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, monitor for the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter.
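As an added example (not code from GreyNoise, Defused Cyber or Ivanti), the following Python script applies the log-review checks above to a constructed web access log: it flags requests for the /mifs/403.jsp path and requests from the source IP reported above, flags source IPs that cycle through many user-agent strings, and reports which source IP accounts for the largest share of requests. The sample log lines, the combined-log-format layout and the user-agent threshold are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted in the reporting above (the IP is written defanged as 193.24.123[.]42 there).
REPORTED_IP = "193.24.123.42"
SLEEPER_SHELL_PATH = "/mifs/403.jsp"

# Constructed sample lines in combined log format; these are not real EPMM logs.
SAMPLE_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:07 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
193.24.123.42 - - [03/Feb/2026:10:01:09 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
193.24.123.42 - - [03/Feb/2026:10:01:11 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
10.0.0.5 - - [03/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
203.0.113.9 - - [03/Feb/2026:10:03:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 404 120 "-" "curl/8.4.0"
"""

# Assumed combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def analyse(log_text, ua_threshold=3):
    """Return (findings, top_source_ip, percent_of_requests_from_top_ip)."""
    findings = []                     # (source_ip, finding_type, detail)
    uas_by_ip = defaultdict(set)      # distinct user agents seen per source IP
    hits_by_ip = defaultdict(int)     # request count per source IP
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that do not parse rather than fail
        ip, ua = m["ip"], m["ua"]
        path = m["path"].split("?", 1)[0]   # ignore any query string when matching the path
        hits_by_ip[ip] += 1
        uas_by_ip[ip].add(ua)
        if path == SLEEPER_SHELL_PATH:
            findings.append((ip, "sleeper-shell-path", m["ts"]))
        if ip == REPORTED_IP:
            findings.append((ip, "reported-source-ip", m["ts"]))
    # User-agent rotation from one source is the automation fingerprint GreyNoise describes.
    for ip, uas in uas_by_ip.items():
        if len(uas) >= ua_threshold:
            findings.append((ip, "user-agent-rotation", f"{len(uas)} distinct user agents"))
    if not hits_by_ip:
        return findings, None, 0
    top_ip, top_n = max(hits_by_ip.items(), key=lambda kv: kv[1])
    share = round(100 * top_n / sum(hits_by_ip.values()))
    return findings, top_ip, share

if __name__ == "__main__":
    found, top, pct = analyse(SAMPLE_LOG)
    for f in found:
        print(f)
    print(f"top source {top} accounts for {pct}% of requests")
```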

"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure."
