83% of Ivanti EPMM Exploits Traced to a Single IP on Bulletproof Hosting Infrastructure

A large majority of recent exploitation attempts targeting a critical Ivanti Endpoint Manager Mobile (EPMM) vulnerability have been linked to a single IP address operating from bulletproof hosting infrastructure associated with PROSPERO.

Threat intelligence company GreyNoise reported observing 417 exploitation sessions between February 1 and February 9, 2026, originating from eight distinct source IP addresses. Notably, 346 of those sessions, approximately 83 percent, were traced to the IP address 193.24.123[.]42.

Critical Ivanti Vulnerabilities Under Active Exploitation

The attacks are aimed at CVE-2026-1281, a high-severity vulnerability with a CVSS score of 9.8. This flaw is one of two critical issues affecting Ivanti EPMM, alongside CVE-2026-1340. Both vulnerabilities can enable unauthenticated remote code execution, allowing attackers to gain full control of affected systems without valid credentials.

Ivanti previously confirmed that a limited number of customers were impacted through zero-day exploitation of these vulnerabilities. Since then, several European institutions have disclosed that they were targeted. These include the Dutch Data Protection Authority, the Council for the Judiciary in the Netherlands, the European Commission, and Finland's Valtori. The identity of the attackers remains unknown.

Evidence Points to Automated Exploitation Infrastructure

Further analysis revealed that the same IP address is simultaneously targeting multiple unrelated software platforms, suggesting the use of automated exploitation tools. GreyNoise identified the following additional vulnerabilities being exploited from the same host:

The attacking IP reportedly rotates through more than 300 unique user-agent strings, covering various browsers such as Chrome, Firefox, and Safari, along with different operating system variants. This diversity in fingerprinting behavior strongly indicates automated scanning and exploitation frameworks rather than manual operations.


DNS Beaconing Suggests Reconnaissance Phase

GreyNoise further revealed that approximately 85 percent of exploitation attempts triggered DNS-based callbacks. These out-of-band signals are typically used to confirm whether a target is vulnerable before deploying malicious payloads.

This pattern aligns with findings from Defused Cyber, which recently reported a sleeper-shell campaign affecting Ivanti EPMM instances. The campaign deployed a dormant in-memory Java class loader at the path /mifs/403.jsp on compromised systems.

Security researchers believe this activity reflects initial-access-broker tactics. In such operations, attackers establish persistent footholds inside networks and later sell or transfer access to other threat actors for financial gain.

Rather than immediately deploying malware, the attackers appear to be cataloging exploitable systems for future use. This staged approach significantly increases long-term risk for affected organizations.

Links to Known Malware Infrastructure

PROSPERO infrastructure is believed to be connected to another autonomous system known as Proton66. Proton66 has previously been associated with the distribution of malware families including GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish.

The association raises further concerns regarding the potential scale and impact of the ongoing exploitation campaign.

Security Recommendations for Organizations

Security experts urge Ivanti EPMM users to take immediate action:

  • Apply all available security patches without delay
  • Conduct thorough audits of internet-facing Mobile Device Management infrastructure
  • Review DNS logs for OAST-style callback patterns
  • Monitor for suspicious access to the path /mifs/403.jsp
  • Block PROSPERO autonomous system AS200593 at the network perimeter
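As an added example (not from the article, GreyNoise or Defused Cyber), the following Python detector covers the log-review items above: it flags requests to /mifs/403.jsp, matches the source IP published in the article, and counts distinct user agents per client to surface the rotation behaviour described earlier. The log lines are constructed, and the user-agent threshold is an assumption kept low for the sample.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The attacking IP and
# the path come from the article; timestamps, user agents and the other hosts are made up.
SAMPLE_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:12 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
193.24.123.42 - - [03/Feb/2026:10:01:13 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
193.24.123.42 - - [03/Feb/2026:10:01:14 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
10.0.0.5 - - [03/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
198.51.100.7 - - [03/Feb/2026:10:03:00 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 64 "-" "curl/8.5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

SLEEPER_PATH = "/mifs/403.jsp"      # class-loader path reported by Defused Cyber
KNOWN_BAD_IPS = {"193.24.123.42"}   # source IP reported by GreyNoise
UA_ROTATION_THRESHOLD = 3           # assumption: low for the sample; tune to your own baseline


def analyze(log_text, ua_threshold=UA_ROTATION_THRESHOLD):
    """Return (ip, rule, detail) findings for the three indicators above."""
    findings = []
    uas_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ip, ua = m["ip"], m["ua"]
        path = m["path"].split("?", 1)[0]  # ignore any query string when matching the path
        uas_by_ip[ip].add(ua)
        if path == SLEEPER_PATH:
            findings.append((ip, "sleeper_path", f"{m['method']} {path} -> {m['status']}"))
    for ip, uas in uas_by_ip.items():
        if ip in KNOWN_BAD_IPS:
            findings.append((ip, "known_ioc", "source IP matches published indicator"))
        if len(uas) >= ua_threshold:  # one host presenting many browser fingerprints: automation
            findings.append((ip, "ua_rotation", f"{len(uas)} distinct user agents"))
    return findings


if __name__ == "__main__":
    for ip, rule, detail in analyze(SAMPLE_LOG):
        print(f"{ip:15} {rule:13} {detail}")
```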

Because EPMM provides centralized management of mobile devices across organizations, a successful compromise can serve as a powerful pivot point for lateral movement. Attackers gaining access to device management infrastructure can potentially bypass traditional network segmentation controls.

Security researchers warn that organizations operating internet-exposed MDM platforms, VPN gateways, or remote access systems should assume that critical vulnerabilities will be targeted within hours of public disclosure.
