
A significant portion of exploitation attempts targeting newly revealed security flaws in Ivanti Endpoint Manager Mobile (EPMM) can be traced back to a single IP address on the bulletproof hosting infrastructure provided by PROSPERO.
Threat intelligence firm GreyNoise announced that it recorded 417 exploit sessions from eight unique source IP addresses between February 1 and 9, 2026. An estimated 346 of those exploit sessions originated from 193.24.123[.]42, representing 83% of all attempts.
This malicious activity is designed to exploit one of the two critical security vulnerabilities in EPMM: CVE-2026-1281 (CVSS score: 9.8) and CVE-2026-1340, which can be exploited by attackers to achieve unauthenticated remote code execution. Late last month, Ivanti acknowledged that it was aware of a “very limited number of customers” who were affected by the zero-day exploit in question.
Since then, several European institutions, including the Dutch Data Protection Authority (AP), the Council of Justice, the European Commission, and Finland’s Valtori, have revealed that they were targeted by unknown attackers who exploited this vulnerability.
Further analysis revealed that the same host was simultaneously exploiting three other CVEs across unrelated software.
“The IP rotates through over 300 unique user agent strings across Chrome, Firefox, Safari, and multiple operating system variants,” GreyNoise said. “This fingerprint diversity, coupled with the simultaneous exploitation of four unrelated software products, is consistent with an automated tool.”

It is worth noting that PROSPERO is believed to be linked to another autonomous system called Proton66, which has a history of distributing desktop and Android malware such as GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.
GreyNoise also noted that 85% of exploit sessions sent a beacon via Domain Name System (DNS) to confirm that “this target is exploitable” without deploying malware or exfiltrating data.
This disclosure comes days after Defused Cyber reported a “sleeper shell” campaign that deploys a dormant in-memory Java class loader on compromised EPMM instances at the path “/mifs/403.jsp”. The cybersecurity firm said this activity is indicative of the modus operandi of an initial access broker, establishing a foothold for threat actors to later sell or transfer access for financial gain.
“The pattern is significant,” the company noted. “The OAST [out-of-band application security testing] callback indicates that the campaign is cataloging vulnerable targets rather than immediately deploying a payload. This is consistent with initial access operations that first verify exploitability and later introduce follow-on tools.”
Ivanti EPMM users are encouraged to patch and audit their internet-facing mobile device management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, monitor the /mifs/403.jsp path on EPMM instances, and block PROSPERO’s autonomous system (AS200593) at the network perimeter.
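As an added defensive example (not code from GreyNoise, Defused Cyber, or Ivanti), the Python below runs the log checks from the previous paragraph over constructed combined-format access log lines and DNS query tuples: it flags requests to /mifs/403.jsp, counts distinct User-Agent strings per source IP as a rotation heuristic, and spots lookups of OAST-style callback domains. The OAST suffix list and the rotation threshold are assumptions to tune locally, and the sample telemetry is constructed, not real data.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
WATCH_PATHS = {"/mifs/403.jsp"}          # path named in the article
# Assumed suffixes used by common OAST services; extend with your own provider list.
OAST_SUFFIXES = ("oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online",
                 "oast.me", "interact.sh", "oastify.com", "burpcollaborator.net")
UA_ROTATION_THRESHOLD = 20               # assumed tuning value; the article observed >300

def triage_access_log(lines, ua_threshold=UA_ROTATION_THRESHOLD):
    """Return watched-path hits and per-IP distinct User-Agent counts at or over the threshold."""
    path_hits, uas = [], defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not combined-format
        if m["path"].split("?", 1)[0] in WATCH_PATHS:
            path_hits.append((m["ip"], m["path"], m["status"]))
        uas[m["ip"]].add(m["ua"])
    rotating = {ip: len(s) for ip, s in uas.items() if len(s) >= ua_threshold}
    return {"path_hits": path_hits, "ua_rotation": rotating}

def triage_dns_log(queries):
    """queries: iterable of (client_ip, qname); return lookups of OAST-style callback domains."""
    hits = []
    for client, qname in queries:
        q = qname.rstrip(".").lower()
        if any(q == s or q.endswith("." + s) for s in OAST_SUFFIXES):
            hits.append((client, q))
    return hits

# Constructed sample telemetry (not real data): one benign client, one noisy scanner.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [05/Feb/2026:10:00:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    '203.0.113.7 - - [05/Feb/2026:10:00:01 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 88 "-" "curl/8.4.0"',
] + [
    f'203.0.113.7 - - [05/Feb/2026:10:00:{i:02d} +0000] "GET /mifs/ HTTP/1.1" 403 0 "-" "Mozilla/5.0 (agent-{i})"'
    for i in range(25)
]
SAMPLE_DNS = [("10.0.0.5", "updates.example.com."), ("10.0.0.9", "abc123.oast.fun.")]

if __name__ == "__main__":
    print(triage_access_log(SAMPLE_ACCESS))
    print(triage_dns_log(SAMPLE_DNS))
```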
“A compromise of EPMM provides access to device management infrastructure across an organization, creating a lateral movement platform that bypasses traditional network segmentation,” GreyNoise said. “Organizations that deploy Internet-facing MDM, VPN concentrators, or other remote access infrastructure should operate under the assumption that critical vulnerabilities can be exploited within hours of disclosure.”
