A sophisticated new cyber campaign has been detected targeting Ivanti Endpoint Manager Mobile (EPMM) systems.
Starting on February 4, 2026, threat actors began exploiting two critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, to plant dormant backdoors.
Unlike typical attacks that immediately steal data or deploy ransomware, this campaign focuses on silence and persistence.
Stealth Backdoors
The attackers are not using a “smash-and-grab” approach. Instead, they are deploying a stealthy implant located at a specific web path: /mifs/403.jsp.
Once installed, this malicious code does not execute commands or run reconnaissance. It simply waits.
This behavior strongly suggests the work of Initial Access Brokers (IABs). These criminals break into networks not to exploit them immediately, but to build an “inventory” of compromised servers that they can later sell to other threat actors.
The malware, identified as a Java class named base.Info, is designed to evade detection. Its most dangerous feature is that it operates entirely in the server’s memory.
The payload never writes a file to the hard disk (other than the initial loader), meaning traditional antivirus software scanning the file system is likely to miss it.
Defused Cyber reported that the implant functions as a “stage loader.” It is useless on its own and requires a specific trigger to work.
The backdoor listens for an HTTP request containing the specific parameter k0f53cf964d387. Only when this “key” is received will the malware decode a payload and execute it.
Furthermore, the code uses unusual entry points (the equals(Object) method) rather than standard web commands, which helps it bypass standard security logging tools.
Before going dormant, the malware briefly checks the operating system and user details to “fingerprint” the victim, ensuring the access is valid for future sale.
Recommendations and Mitigations
Because this attack is designed to be invisible, the absence of active alerts does not mean your system is safe.
If you run Ivanti EPMM, you must assume the silence is a threat.
- Check Logs: Look for any requests to /mifs/403.jsp or large Base64-encoded strings beginning with yv66vg (the Base64 encoding of the Java class-file magic bytes 0xCAFEBABE, which marks an embedded compiled class).
- Restart Servers: Because the malware lives in memory, patching alone is not enough. You must restart the affected application servers to flush the malicious code from RAM.
- Patch Immediately: Apply the vendor patches for the disclosed CVEs to close the front door.
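As an added example (not code from the article or from Defused Cyber), here is a small log check that applies the indicators above to a few constructed access-log lines. It assumes a Tomcat/Apache-style access log with the request line in quotes; the sample addresses are documentation-range placeholders, not the IOCs from this campaign.

```python
import re

# Indicators taken from the write-up above.
IMPLANT_PATH = "/mifs/403.jsp"
TRIGGER_PARAM = "k0f53cf964d387"
# "yv66vg" is the Base64 encoding of the Java class-file magic bytes 0xCAFEBABE.
CLASS_MAGIC_B64 = "yv66vg"

# Assumption: access-log lines carry a quoted request line such as "GET /path HTTP/1.1".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def check_line(line):
    """Return the list of indicators matched by one access-log line (empty if clean)."""
    reasons = []
    m = REQUEST_RE.search(line)
    if not m:
        return reasons
    target = m.group("target")
    path, _, query = target.partition("?")
    if path.lower() == IMPLANT_PATH:
        reasons.append("request to implant path " + IMPLANT_PATH)
    # Caveat: only query-string use is visible here; a trigger sent in a POST body
    # never reaches the access log and needs request-body or proxy inspection.
    if TRIGGER_PARAM in query:
        reasons.append("trigger parameter " + TRIGGER_PARAM + " present")
    if CLASS_MAGIC_B64 in line:
        reasons.append("Base64-encoded Java class (starts with " + CLASS_MAGIC_B64 + ")")
    return reasons


def scan_log_lines(lines):
    """Return [(line_number, reasons)] for every line matching at least one indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = check_line(line)
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample lines (not real traffic); 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Feb/2026:10:14:03 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4821',
    '192.0.2.10 - - [05/Feb/2026:10:14:09 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 17',
    '192.0.2.10 - - [05/Feb/2026:10:15:41 +0000] "GET /mifs/403.jsp?k0f53cf964d387=yv66vgAAADQ HTTP/1.1" 200 17',
    '192.0.2.22 - - [05/Feb/2026:10:16:00 +0000] "GET /mifs/admin/status HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, reasons in scan_log_lines(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```

Run it against exported EPMM access logs one file at a time; any hit on the implant path deserves a memory-level check of the application server, since the class itself leaves nothing on disk.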
This campaign serves as a reminder that the most dangerous intrusions are often the ones that do nothing, yet.
The attackers have established a foothold and are patiently waiting for a buyer; defenders must not give them that time.
Indicators of Compromise
Artifact
| Field | Value |
|---|---|
| Class Name | base.Info |
| Source File | Info.java |
| SHA-256 | 097b051c9c9138ada0d2a9fb4dfe463d358299d4bd0e81a1db2f69f32578747a |
Network IOCs – Source IPs