One IP address on PROSPERO's bulletproof hosting infrastructure is responsible for a sizable portion of the exploitation attempts that target a recently revealed security flaw in Ivanti Endpoint Manager Mobile (EPMM). Between February 1 and February 9, 2026, 417 exploitation sessions from 8 distinct source IP addresses were recorded, according to threat intelligence firm GreyNoise.
An estimated 346 exploitation sessions, or 83% of all attempts, originated from 193.24.123[.]42. The malicious activity targets CVE-2026-1281 (CVSS score: 9.8) and CVE-2026-1340, two critical security flaws in EPMM that an attacker could use to achieve unauthenticated remote code execution.
Ivanti admitted late last month that it knew of a "very limited number of customers" who were affected after the vulnerabilities were exploited as zero-days. Since then, several European agencies have revealed that they were targeted by unknown threat actors who exploited the vulnerabilities, including the European Commission, the Council for the Judiciary, the Netherlands' Dutch Data Protection Authority (AP), and Finland's Valtori. Subsequent investigation has shown that the same host has been concurrently exploiting three additional CVEs in unrelated software: CVE-2026-21962 (Oracle WebLogic) - 2,902 sessions; CVE-2026-24061 (GNU InetUtils telnetd) - 497 sessions; and CVE-2025-24799 (GLPI) - 200 sessions.
According to GreyNoise, "the IP rotates through 300+ unique user agent strings spanning Chrome, Firefox, Safari, and multiple operating system variants."
"This diversity of fingerprints is consistent with automated tooling, as is the simultaneous exploitation of four unrelated software products." It's important to note that PROSPERO is thought to be connected to Proton66, another autonomous system that has a track record of disseminating malware for Android and desktop platforms, including GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish. According to GreyNoise, 85% of the exploitation sessions used the domain name system (DNS) to beacon home, confirming only that "this target is exploitable" without installing any malware or stealing any data.
The revelation follows Defused Cyber's report of a "sleeper shell" campaign that infiltrated compromised EPMM instances at the path "/mifs/403.jsp" by deploying a dormant in-memory Java class loader. The activity, according to the cybersecurity firm, is typical of initial access broker tradecraft, in which threat actors gain a foothold before selling or transferring access later for a profit. It said, "That pattern is significant."
"Instead of immediately deploying payloads, OAST [out-of-band application security testing] callbacks show that the campaign is cataloguing which targets are vulnerable. This is in line with initial access operations, which deploy follow-on tools after confirming exploitability."
Ivanti EPMM users are advised to apply the patches, audit internet-facing Mobile Device Management (MDM) infrastructure, check DNS logs for OAST-pattern callbacks, watch for requests to the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter.
According to GreyNoise, an EPMM compromise creates a lateral movement platform that circumvents conventional network segmentation by giving an attacker access to an organization's entire device management infrastructure. "Businesses that use VPN concentrators, internet-facing MDM, or other remote access tools should function with the mindset that serious flaws can be exploited within hours of being discovered."
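As an added illustration of the log check recommended above (this is not code from GreyNoise, Defused Cyber or the article), the following Python triages combined-format web server access logs from an EPMM host: it counts requests to /mifs/403.jsp per source IP and measures User-Agent diversity, the rotating-fingerprint pattern described above. The log lines, the RFC 5737 test addresses and the threshold of three distinct User-Agents are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (RFC 5737 test
# addresses); not real traffic. The first source hits the sleeper-shell path
# with a different User-Agent on every request, the second looks like a person,
# the third never touches the path at all.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Feb/2026:10:01:11 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
198.51.100.7 - - [05/Feb/2026:10:01:19 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
198.51.100.7 - - [05/Feb/2026:10:01:27 +0000] "POST /mifs/403.jsp?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/121.0"
203.0.113.9 - - [05/Feb/2026:10:02:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
203.0.113.9 - - [05/Feb/2026:10:02:09 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"
192.0.2.33 - - [05/Feb/2026:10:03:00 +0000] "GET /mifs/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (iPhone) Safari/604.1"
"""

# ip, method, path, status, user-agent from a combined-format line
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d+) \S+ "[^"]*" "([^"]*)"')
SLEEPER_PATH = "/mifs/403.jsp"  # path named in the Defused Cyber report


def analyze_log(text, ua_threshold=3):
    """Per source IP: hits on the sleeper-shell path, distinct User-Agent
    strings seen, and a verdict for the analyst."""
    hits = defaultdict(int)
    agents = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        ip, _method, path, _status, ua = m.groups()
        agents[ip].add(ua)
        if path.split("?", 1)[0] == SLEEPER_PATH:  # ignore query string
            hits[ip] += 1
    report = {}
    for ip in agents:
        n_hits, n_ua = hits[ip], len(agents[ip])
        if n_hits and n_ua >= ua_threshold:
            verdict = "automated-scanner"  # path hit plus rotating fingerprints
        elif n_hits:
            verdict = "review"  # any touch of the path deserves a look
        else:
            verdict = "clear"
        report[ip] = {"sleeper_path_hits": n_hits,
                      "distinct_user_agents": n_ua, "verdict": verdict}
    return report


if __name__ == "__main__":
    for ip, info in analyze_log(SAMPLE_LOG).items():
        print(ip, info)
```

The same function can be fed a real access log with `analyze_log(open(path).read())`; sources marked "review" should be correlated with the DNS-log OAST check the article also recommends.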