A significant portion of recent exploitation attempts targeting newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) has been traced to a single IP address hosted on bulletproof infrastructure operated by PROSPERO, according to threat intelligence firm GreyNoise.
GreyNoise said it recorded 417 exploitation sessions from eight unique source IP addresses between February 1 and 9, 2026. Of those, 346 sessions (approximately 83%) originated from the IP address 193.24.123[.]42.
The main target was CVE-2026-1281, a critical flaw in Ivanti EPMM that, together with CVE-2026-1340, can be exploited to achieve unauthenticated remote code execution. Ivanti disclosed late last month that a “very limited number of customers” were impacted following zero-day exploitation of the vulnerabilities.
Earlier this month, the EU, Dutch, and Singapore authorities disclosed security breaches linked to Ivanti vulnerabilities. In the case of Singapore, the attacks were attributed to a China-nexus cyberespionage group tracked as UNC3886. The threat actor targeted all four of Singapore’s major telecommunications operators: M1, SIMBA Telecom, Singtel and StarHub. In one instance, the threat actor used a zero-day exploit to access the victim’s network and steal a small amount of network-related data, likely to further its operation. In another intrusion, UNC3886 used advanced tools and techniques such as rootkits to maintain persistent access and stay hidden.
GreyNoise’s investigation found that the same IP address has simultaneously attempted to exploit three additional vulnerabilities in unrelated software products: CVE-2026-21962 (Oracle WebLogic, 2,902 sessions), CVE-2026-24061 (GNU InetUtils telnetd, 497 sessions), and CVE-2025-24799 (GLPI, 200 sessions).
GreyNoise noted that the IP cycles through more than 300 unique user-agent strings, mimicking Chrome, Firefox, Safari, and multiple operating system variants.
As for the PROSPERO hosting provider, it is believed to be linked to another autonomous system, Proton66, which has previously been associated with the distribution of malware families such as GootLoader, Matanbuchus, SpyNote, Coper (also known as Octo), and SocGholish.
In addition, GreyNoise observed that 85% of the exploitation sessions used DNS beaconing to verify whether a target was vulnerable without deploying malware or exfiltrating data.
Earlier this week, cybersecurity firm Defused Cyber released a report detailing a “sleeper shell” campaign that deployed a dormant, in-memory Java class loader to compromised EPMM instances at the path “/mifs/403.jsp”.
“Rather than the smash-and-grab post-exploitation you’d expect - dropping traditional webshells, running recon and enumeration commands - this operator did something more deliberate, uploading a payload, confirming it landed, and leaving,” the company noted. “No commands were executed, the implant was simply left in place.”
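Two of the observations above translate directly into log-based detections: requests to the sleeper-shell path “/mifs/403.jsp”, and a single source IP rotating through many user-agent strings. The script below is an added example written for this article, not code from GreyNoise or Defused Cyber; it assumes the appliance’s web access log is in combined log format, and the log lines, the secondary IPs and the user-agent threshold are constructed for illustration (the real campaign used more than 300 user-agents).

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). Only the first IP
# (the article's 193.24.123[.]42, refanged) and /mifs/403.jsp come from the article;
# the other addresses, paths, timestamps and user-agents are made up.
SAMPLE_LOG = """\
193.24.123.42 - - [03/Feb/2026:10:01:07 +0000] "GET /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
193.24.123.42 - - [03/Feb/2026:10:01:09 +0000] "GET /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
193.24.123.42 - - [03/Feb/2026:10:01:12 +0000] "GET /mifs/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/122.0"
198.51.100.7 - - [03/Feb/2026:10:02:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.5.0"
203.0.113.9 - - [03/Feb/2026:10:03:01 +0000] "GET /mifs/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
"""

# ip, method, path, status, user-agent from a combined-format line
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)
SLEEPER_PATH = "/mifs/403.jsp"  # path reported by Defused Cyber


def parse(log_text):
    """Yield (src_ip, method, path, status, user_agent) for every parsable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, method, path, status, ua = m.groups()
            yield ip, method, path, int(status), ua


def find_suspects(log_text, ua_threshold=3):
    """Flag IPs that touched the sleeper-shell path and IPs rotating user-agents.

    ua_threshold is illustrative; tune it to the normal UA diversity of your clients.
    """
    uas = defaultdict(set)
    sleeper_hits = set()
    for ip, _method, path, _status, ua in parse(log_text):
        uas[ip].add(ua)
        if path.split("?", 1)[0] == SLEEPER_PATH:  # ignore any query string
            sleeper_hits.add(ip)
    rotating = {ip for ip, seen in uas.items() if len(seen) >= ua_threshold}
    return {"sleeper_path_hits": sorted(sleeper_hits), "ua_rotation": sorted(rotating)}


if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

Any hit on the sleeper path is worth treating as a compromise indicator regardless of status code, since the implant is deliberately quiet and the request that planted or checked it may be the only trace.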