A majority of exploitation attempts targeting recently disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are originating from a single IP address hosted on bulletproof infrastructure, according to threat intelligence firm GreyNoise. The firm identified 193.24.123[.]42 as the source of approximately 83% – 346 out of 417 – of exploitation sessions recorded between February 1st and 9th, 2026.
The malicious activity centers on exploiting CVE-2026-1281 and CVE-2026-1340, critical security flaws in EPMM that could allow attackers to achieve unauthenticated remote code execution. Ivanti acknowledged late last month that a “very limited number of customers” had been impacted by zero-day exploitation of these vulnerabilities.
Several European agencies have since confirmed they were targeted. These include the Dutch Data Protection Authority (AP), the Council for the Judiciary, the European Commission, and Finland’s Valtori.
GreyNoise’s analysis indicates the single IP address is not solely focused on the Ivanti vulnerabilities. It’s simultaneously exploiting four unrelated Common Vulnerabilities and Exposures (CVEs) across different software products. The IP address also cycles through over 300 unique user agent strings, mimicking Chrome, Firefox, Safari, and various operating systems. This diversity suggests the use of automated tooling, according to GreyNoise.
The bulletproof hosting provider associated with the IP address is PROSPERO, which is linked to the autonomous system Proton66. Proton66 has a documented history of distributing malware, including GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish.
Notably, 85% of the observed exploitation sessions utilized the Domain Name System (DNS) to confirm target vulnerability without deploying malware or exfiltrating data. This “beaconing” behavior suggests attackers are initially verifying exploitability before proceeding with further actions.
The findings align with a recent report from Defused Cyber, which identified a “sleeper shell” campaign deploying a dormant Java class loader to compromised EPMM instances at the path “/mifs/403.jsp”. Defused Cyber characterized this activity as indicative of initial access broker tactics, where attackers establish a foothold for later sale or use. The firm noted that Out-of-Band Application Security Testing (OAST) callbacks suggest the campaign is cataloging vulnerable targets rather than immediately deploying payloads.
Ivanti EPMM users are advised to apply available patches, audit internet-facing Mobile Device Management (MDM) infrastructure, review DNS logs for OAST-pattern callbacks, and monitor EPMM instances for the presence of the “/mifs/403.jsp” path. Blocking PROSPERO’s autonomous system (AS200593) at the network perimeter is also recommended. GreyNoise emphasized that compromising EPMM provides access to an organization’s device management infrastructure, creating a platform for lateral movement that can bypass traditional network segmentation. Organizations with internet-facing MDM, VPN concentrators, or other remote access infrastructure should assume critical vulnerabilities are being actively exploited shortly after disclosure.
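As an added example (not code from GreyNoise, Defused Cyber or this article), the following Python triage script applies the indicators above to web-server access logs: requests for the “/mifs/403.jsp” path, requests from the reported source IP, and source addresses that cycle through an unusual number of user-agent strings. It assumes the common combined log format; the sample lines are constructed, and the user-agent threshold is lowered from the article's 300+ to 3 so the sample triggers it.

```python
import re
from collections import defaultdict

# Combined access-log format (assumed; adjust LOG_RE if your server logs differently).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators reported in the article (the defanged address re-fanged for matching).
INDICATOR_IPS = {"193.24.123.42"}
WATCH_PATHS = {"/mifs/403.jsp"}


def analyze_access_log(lines, indicator_ips=INDICATOR_IPS, watch_paths=WATCH_PATHS,
                       ua_threshold=300):
    """Return findings: hits on watched paths, requests from indicator IPs, and
    source IPs whose distinct user-agent count reaches ua_threshold (UA churn)."""
    uas_by_src = defaultdict(set)
    findings = {"watch_path_hits": [], "indicator_ip_hits": [], "ua_churn": {}}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        src, ua = m["src"], m["ua"]
        path = m["path"].split("?", 1)[0]  # ignore query string when matching paths
        uas_by_src[src].add(ua)
        if path in watch_paths:
            findings["watch_path_hits"].append((src, path, m["status"]))
        if src in indicator_ips:
            findings["indicator_ip_hits"].append((src, path))
    for src, uas in uas_by_src.items():
        if len(uas) >= ua_threshold:
            findings["ua_churn"][src] = len(uas)
    return findings


# Constructed sample log lines (not real telemetry); UAs deliberately vary per request.
SAMPLE_LOG = """\
193.24.123.42 - - [05/Feb/2026:10:01:12 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
193.24.123.42 - - [05/Feb/2026:10:01:13 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1"
193.24.123.42 - - [05/Feb/2026:10:01:14 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/122.0"
10.0.0.7 - - [05/Feb/2026:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
"""

if __name__ == "__main__":
    for key, value in analyze_access_log(SAMPLE_LOG.splitlines(), ua_threshold=3).items():
        print(key, value)
```

A 200 response on the watched path from an external source is the finding to escalate; the UA-churn count is a weaker signal on its own and is best read alongside the other two.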