A major chunk of the exploitation makes an attempt focusing on a newly disclosed safety flaw in Ivanti Endpoint Supervisor Cell (EPMM) may be traced again to a single IP tackle on bulletproof internet hosting infrastructure supplied by PROSPERO.
Menace intelligence agency GreyNoise stated it recorded 417 exploitation classes from 8 distinctive supply IP addresses between February 1 and 9, 2026. An estimated 346 exploitation classes have originated from 193.24.123[.]42, accounting for 83% of all makes an attempt.
The malicious exercise is designed to take advantage of CVE-2026-1281 (CVSS scores: 9.8), one of many two essential safety vulnerabilities in EPMM, together with CVE-2026-1340 that could possibly be exploited by an attacker to attain unauthenticated distant code execution. Late final month, Ivanti acknowledged it is conscious of a “very restricted variety of prospects” who had been impacted following the zero-day exploitation of the problems.
Since then, a number of European companies, together with the Netherlands’ Dutch Knowledge Safety Authority (AP), Council for the Judiciary, the European Fee, and Finland’s Valtori, have disclosed that they had been focused by unknown menace actors utilizing the vulnerabilities.
Additional evaluation has revealed that the identical host has been concurrently exploiting three different CVEs throughout unrelated software program –
“The IP rotates by means of 300+ distinctive consumer agent strings spanning Chrome, Firefox, Safari, and a number of working system variants,” GreyNoise stated. “This fingerprint variety, mixed with concurrent exploitation of 4 unrelated software program merchandise, is in line with automated tooling.”
It is value noting that PROSPERO is assessed to be linked to a different autonomous system known as Proton66, which has a historical past of distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish.
GreyNoise additionally identified that 85% of the exploitation classes beaconed house by way of the area identify system (DNS) to substantiate “this goal is exploitable” with out deploying any malware or exfiltrating knowledge.
The disclosure comes days after Defused Cyber reported a “sleeper shell” marketing campaign that deployed a dormant in-memory Java class loader to compromised EPMM cases on the path “/mifs/403.jsp.” The cybersecurity firm stated the exercise is indicative of preliminary entry dealer tradecraft, the place menace actors set up a foothold to promote or hand off entry later for monetary achieve.
“That sample is critical,” it famous. “OAST [out-of-band application security testing] callbacks point out the marketing campaign is cataloging which targets are weak quite than deploying payloads instantly. That is in line with preliminary entry operations that confirm exploitability first and deploy follow-on tooling later.”
Ivanti EPMM customers are beneficial to use the patches, audit internet-facing Cell Machine Administration (MDM) infrastructure, overview DNS logs for OAST-pattern callbacks, and monitor for the /mifs/403.jsp path on EPMM cases, and block PROSPERO’s autonomous system (AS200593) on the community perimeter stage.
“EPMM compromise gives entry to system administration infrastructure for whole organizations, making a lateral motion platform that bypasses conventional community segmentation,” GreyNoise stated. “Organizations with internet-facing MDM, VPN concentrators, or different distant entry infrastructure ought to function beneath the belief that essential vulnerabilities face exploitation inside hours of disclosure.”
