83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting Infrastructure
Single IP Dominates Ivanti EPMM Exploit Wave in Alarming Cyber Attack Campaign
Cybersecurity researchers have uncovered a disturbing pattern in the exploitation of critical Ivanti Endpoint Manager Mobile vulnerabilities, with a staggering 83% of all attack attempts traced back to one IP address on Russian-linked bulletproof hosting infrastructure.
The Numbers Tell a Chilling Story
Between February 1 and 9, 2026, cybersecurity firm GreyNoise documented 417 exploitation sessions targeting the now-infamous CVE-2026-1281 and CVE-2026-1340 vulnerabilities in Ivanti’s mobile device management platform. Of these, an astonishing 346 sessions—representing over four out of every five attempts—originated from a single source: 193.24.123.42.
“This isn’t just opportunistic scanning,” warns GreyNoise’s threat intelligence team. “This is concentrated, automated exploitation at industrial scale.”
Bulletproof Hosting: The Criminal’s Best Friend
The malicious IP address belongs to PROSPERO, a bulletproof hosting provider operating from Russia. For those unfamiliar with the term, bulletproof hosting services deliberately ignore abuse complaints and legal takedown requests, providing cybercriminals with a safe haven to launch attacks.
What makes this particularly concerning is PROSPERO’s connection to Proton66, another autonomous system with a notorious history. Proton66 infrastructure has previously distributed malware families including GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish—malware used in everything from corporate espionage to banking credential theft.
Not Just Ivanti: A Multi-Target Assault
The attacker isn’t limiting themselves to Ivanti vulnerabilities. Analysis reveals that the same IP address is simultaneously exploiting three additional CVEs across completely unrelated software products. This parallel exploitation strategy suggests sophisticated, automated tooling rather than manual hacking attempts.
Adding to the sophistication, the malicious host rotates through over 300 unique user agent strings, mimicking everything from Chrome and Firefox browsers to various operating system variants. This fingerprint diversity makes detection and blocking significantly more challenging for defenders.
The Silent Reconnaissance Phase
Perhaps most concerning is the nature of these attacks. GreyNoise reports that 85% of exploitation sessions perform DNS-based beaconing to confirm target vulnerability without actually deploying malware or exfiltrating data. This “silent scanning” approach allows attackers to build comprehensive lists of vulnerable systems before launching full-scale intrusions.
Cybersecurity firm Defused Cyber has identified what they call a “sleeper shell” campaign, in which attackers deploy dormant in-memory Java class loaders to compromised EPMM instances at the path “/mifs/403.jsp”. This tactic is classic initial access broker behavior—establishing footholds to sell or transfer to other threat actors for financial gain.
“It’s initial access tradecraft,” explains Defused Cyber’s analysis. “They’re verifying exploitability first, then planning follow-on tooling deployment later.”
European Agencies Under Fire
The exploitation wave has already claimed victims. Multiple European governmental agencies have disclosed breaches, including the Dutch Data Protection Authority (AP), the Netherlands’ Council for the Judiciary, the European Commission, and Finland’s Valtori. All were targeted by unknown actors exploiting the Ivanti vulnerabilities.
Ivanti acknowledged awareness of “a very limited number of customers” impacted by zero-day exploitation, though the true scope may be significantly larger given the scale of scanning activity.
Critical Infrastructure at Risk
The implications extend far beyond individual organizations. EPMM compromise provides attackers with access to device management infrastructure across entire organizations, effectively bypassing traditional network segmentation. For industries relying on mobile device management—healthcare, finance, government, and critical infrastructure—this represents a potential lateral movement platform of unprecedented scale.
“Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities face exploitation within hours of disclosure,” GreyNoise warns.
Immediate Action Required
Security experts recommend a multi-layered response:
- Apply Ivanti’s emergency patches immediately—they require no downtime and take seconds to implement
- Audit all internet-facing MDM infrastructure for signs of compromise
- Monitor DNS logs for out-of-band application security testing (OAST) callback patterns
- Block PROSPERO’s autonomous system (AS200593) at network perimeter level
- Search for the /mifs/403.jsp path on all EPMM instances
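The last three recommendations can be checked from logs an EPMM operator already has. The script below is an added example written for this article; it is not code from GreyNoise, Defused Cyber or Ivanti, and it is not Ivanti’s detection script. It takes the two indicators the article names (the /mifs/403.jsp path and the source IP 193.24.123.42), counts distinct user agent strings per source to surface the rotation behaviour described above, and flags DNS queries to out-of-band (OAST) callback domains. The access log format is Apache/nginx combined; the DNS log format, the sample log lines and the list of OAST domain suffixes are constructed or assumed for the example and should be replaced with your own sources and vendor-supplied indicators.

```python
"""Log triage for the Ivanti EPMM indicators named in the article.

Added example, not vendor code.  Access lines are Apache/nginx combined
format; the DNS line format ("<ts> <client_ip> <qname> <qtype>") and the
sample data below are constructed for this example.
"""
import re
from collections import defaultdict

SLEEPER_SHELL_PATH = "/mifs/403.jsp"   # path reported by Defused Cyber (from the article)
KNOWN_SOURCE_IP = "193.24.123.42"      # source IP reported by GreyNoise (from the article)

# Illustrative OAST callback domain suffixes used by common out-of-band
# testing services.  Assumption: a starting list, extend it from vendor IoCs.
OAST_SUFFIXES = (
    "oastify.com", "burpcollaborator.net", "interact.sh",
    "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online", "oast.me",
)

# Apache/nginx "combined" access log line.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access(lines):
    """Parse combined-format access log lines, skipping ones that do not match."""
    records = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def path_hits(records, path=SLEEPER_SHELL_PATH):
    """Every request to the path, whatever the status code; the query string is ignored."""
    return [r for r in records if r["path"].split("?", 1)[0] == path]


def hits_from_ip(records, ip=KNOWN_SOURCE_IP):
    """Every request from the given source IP."""
    return [r for r in records if r["ip"] == ip]


def user_agents_by_ip(records):
    """Number of distinct user agent strings per source IP.

    One source cycling through many UAs is the rotation behaviour GreyNoise
    describes, so a high count for a single IP is itself a signal."""
    seen = defaultdict(set)
    for r in records:
        seen[r["ip"]].add(r["ua"])
    return {ip: len(uas) for ip, uas in seen.items()}


def is_oast_domain(qname):
    """True if the queried name is, or is under, one of the OAST suffixes."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES)


def oast_queries(dns_lines):
    """Return (timestamp, client_ip, qname) for queries to OAST-style domains."""
    found = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client_ip, qname = parts[0], parts[1], parts[2]
        if is_oast_domain(qname):
            found.append((ts, client_ip, qname))
    return found


def triage(access_lines, dns_lines):
    """Run all checks and return one report dict."""
    records = parse_access(access_lines)
    return {
        "path_hits": path_hits(records),
        "known_ip_hits": hits_from_ip(records),
        "ua_counts": user_agents_by_ip(records),
        "oast_queries": oast_queries(dns_lines),
    }


# Constructed sample data for the example (not real log records).
SAMPLE_ACCESS = [
    '193.24.123.42 - - [05/Feb/2026:10:12:01 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
    '198.51.100.7 - - [05/Feb/2026:10:13:44 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
    '193.24.123.42 - - [05/Feb/2026:10:14:09 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 128 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1"',
    '203.0.113.9 - - [05/Feb/2026:10:20:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 0 "-" "curl/8.4.0"',
]
SAMPLE_DNS = [
    "2026-02-05T10:12:02Z 10.0.5.21 abc123.oastify.com A",
    "2026-02-05T10:12:30Z 10.0.5.21 updates.example.com A",
    "2026-02-05T10:15:00Z 10.0.5.21 xk9q2m.oast.fun A",
]

if __name__ == "__main__":
    report = triage(SAMPLE_ACCESS, SAMPLE_DNS)
    print(f"{len(report['path_hits'])} request(s) to {SLEEPER_SHELL_PATH}")
    print(f"{len(report['known_ip_hits'])} request(s) from {KNOWN_SOURCE_IP}")
    for ip, n in sorted(report["ua_counts"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} distinct user agent(s)")
    for ts, client_ip, qname in report["oast_queries"]:
        print(f"OAST-style query {qname} from {client_ip} at {ts}")
```

Feed it the real access and resolver logs in place of the sample lists. A hit on /mifs/403.jsp is worth following up regardless of the response code, because the sleeper shell sits in memory behind that path rather than on disk, and an internal host resolving an OAST-style name is the beaconing the article describes, so correlate its timestamp with the EPMM requests arriving just before it.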
Ivanti Responds
Following these revelations, Ivanti issued a statement emphasizing that patching remains the most effective mitigation. “Applying the patch is the most effective way to prevent exploitation, regardless of how indicators of compromise change over time,” the company stated, noting that their patches require no downtime and take only seconds to apply.
The company also highlighted collaboration with the UK’s National Cyber Security Centre (NCSC NL) to provide customers with high-fidelity indicators of compromise and an exploitation detection script.
The Bigger Picture
This incident underscores a troubling trend in cybersecurity: the weaponization of vulnerability disclosure timelines. With sophisticated actors ready to exploit weaknesses within hours of public disclosure, the window between patch release and potential compromise has narrowed to a dangerous degree.
As organizations race to secure their Ivanti deployments, one thing is clear: in today’s threat landscape, assumption of compromise is the new normal, and proactive defense has never been more critical.
Tags: Ivanti EPMM, CVE-2026-1281, CVE-2026-1340, bulletproof hosting, PROSPERO, Proton66, Russian cybercrime, zero-day exploitation, MDM security, GreyNoise, Defused Cyber, OAST callbacks, initial access broker, sleeper shell, critical infrastructure, cybersecurity emergency, vulnerability disclosure, automated exploitation, threat intelligence, network security, patch immediately