83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure
2026-02-12 07:32 Author: thehackernews.com


A significant chunk of the exploitation attempts targeting a newly disclosed security flaw in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.

Threat intelligence firm GreyNoise said it recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026. An estimated 346 exploitation sessions have originated from 193.24.123[.]42, accounting for 83% of all attempts.

The malicious activity is designed to exploit CVE-2026-1281 (CVSS score: 9.8), one of two critical security vulnerabilities in EPMM (the other being CVE-2026-1340) that could be exploited by an attacker to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged it's aware of a "very limited number of customers" who were impacted following the zero-day exploitation of the issues.

Since then, multiple European agencies, including the Netherlands' Data Protection Authority (AP) and Council for the Judiciary, the European Commission, and Finland's Valtori, have disclosed that they were targeted by unknown threat actors using the vulnerabilities.

Further analysis has revealed that the same host has been simultaneously exploiting three other CVEs across unrelated software -

"The IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants," GreyNoise said. "This fingerprint diversity, combined with concurrent exploitation of four unrelated software products, is consistent with automated tooling."

It's worth noting that PROSPERO is assessed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.

GreyNoise also pointed out that 85% of the exploitation sessions beaconed home via the domain name system (DNS) to confirm "this target is exploitable" without deploying any malware or exfiltrating data.

The disclosure comes days after Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances at the path "/mifs/403.jsp." The cybersecurity company said the activity is indicative of initial access broker tradecraft, where threat actors establish a foothold to sell or hand off access later for financial gain.

"That pattern is significant," it noted. "OAST [out-of-band application security testing] callbacks indicate the campaign is cataloging which targets are vulnerable rather than deploying payloads immediately. This is consistent with initial access operations that verify exploitability first and deploy follow-on tooling later."

Ivanti EPMM users are recommended to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, monitor for requests to the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter.
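As an added example (not code from the article, GreyNoise or Defused Cyber), the following Python pass over constructed web access-log lines implements two of the checks above: it flags requests to the /mifs/403.jsp path and flags source IPs that rotate through many User-Agent strings, the fingerprint GreyNoise tied to automated tooling. The combined log format, the diversity threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Feb/2026:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
198.51.100.9 - - [08/Feb/2026:10:01:05 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 87 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
198.51.100.9 - - [08/Feb/2026:10:01:06 +0000] "GET /mifs/api/v2 HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.9 - - [08/Feb/2026:10:01:07 +0000] "GET /mifs/api/v2 HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/120.0"
198.51.100.9 - - [08/Feb/2026:10:01:08 +0000] "GET /mifs/api/v2 HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Android 13) Chrome/121.0"
203.0.113.7 - - [08/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SLEEPER_SHELL_PATH = "/mifs/403.jsp"   # path reported for the dormant class loader
UA_DIVERSITY_THRESHOLD = 3            # assumed tuning value: distinct UAs per source IP

def parse_log(text):
    """Yield one dict per parseable access-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_sleeper_shell_hits(text):
    """Return (ip, timestamp) for every request whose path is the sleeper-shell path."""
    return [(r["ip"], r["ts"]) for r in parse_log(text)
            if r["path"].split("?", 1)[0] == SLEEPER_SHELL_PATH]

def find_ua_rotators(text, threshold=UA_DIVERSITY_THRESHOLD):
    """Map each source IP to its distinct User-Agent count when it reaches the threshold."""
    uas = defaultdict(set)
    for r in parse_log(text):
        uas[r["ip"]].add(r["ua"])
    return {ip: len(s) for ip, s in uas.items() if len(s) >= threshold}

if __name__ == "__main__":
    print("sleeper-shell path requests:", find_sleeper_shell_hits(SAMPLE_LOG))
    print("user-agent rotators:", find_ua_rotators(SAMPLE_LOG))
```

On a real EPMM web log the threshold should be tuned against a baseline of normal per-IP User-Agent variety, since NAT gateways legitimately show several.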

"EPMM compromise provides access to device management infrastructure for entire organizations, creating a lateral movement platform that bypasses traditional network segmentation," GreyNoise said. "Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure."



Source: https://thehackernews.com/2026/02/83-of-ivanti-epmm-exploits-linked-to.html