TTPwire Vol. 1 · MITRE ATT&CK-Tagged


GreyNoise

Active Ivanti Exploitation Traced to Single Bulletproof IP—Published IOC Lists Point Elsewhere

2026-02-10

ATT&CK techniques detected

9 predictions

T1190 Exploit Public-Facing Application (84%)
"…s - Single dominant source. 83% of observed exploitation comes from one IP on bulletproof hosting (Prospero OOO, AS200593). This IP is not on widely published IOC lists, meaning defenders blocking only published indicators are likely missing the dominant exploitation source.…"

T1190 Exploit Public-Facing Application (77%)
"feasible, restrict access to known network ranges or require VPN authentication before reaching the EPMM interface. View real-time exploitation data: Ivanti Endpoint Manager Mobile Code Injection CVE-2026-1281 RCE Attempt full fingerprint analysis and session-level explo…"

T1190 Exploit Public-Facing Application (75%)
". For additional context: Trustwave SpiderLabs has previously documented connections between Prospero and the Proton66 network (AS198953), linking both to bulletproof hosting services marketed on Russian-language cybercrime forums under the BEARHOST brand. That network has b…"

T1190 Exploit Public-Facing Application (73%)
"unique, high-entropy subdomains resolving to known OAST interaction infrastructure. These indicate that exploitation payloads executed on your systems. - Monitor for the /mifs/403.jsp path on EPMM instances. This is the sleeper shell location identified by Defused Cyber. It…"

T1190 Exploit Public-Facing Application (63%)
"Active Ivanti Exploitation Traced to Single Bulletproof IP — Published IOC Lists Point Elsewhere. The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP …"

T1190 Exploit Public-Facing Application (62%)
"(RVDR) had been compromised via Ivanti EPMM. By January 30, watchTowr Labs had published a full technical analysis, and proof-of-concept code appeared on GitHub shortly after. NHS England, CERT-EU, and NCSC-NL also issued advisories confirming active exploitation. Vendo…"

T1588.006 Vulnerabilities (47%)
"location. GreyNoise is not attributing this activity to a specific threat actor. The dominant source: Prospero OOO. One IP generated 346 of 417 observed exploitation sessions. 193[.]24[.]123[.]42, registered to Prospero OOO (AS200593) and geolocating to Saint Petersbur…"

T1190 Exploit Public-Facing Application (40%)
", 85% of payloads do one thing: phone home via DNS to confirm 'this target is exploitable.' They do not deploy malware. They do not exfiltrate data. They verify access. That pattern is significant. OAST callbacks indicate the campaign is cataloging which targets are vulnerabl…"

T1588.006 Vulnerabilities (30%)
"…s - Single dominant source. 83% of observed exploitation comes from one IP on bulletproof hosting (Prospero OOO, AS200593). This IP is not on widely published IOC lists, meaning defenders blocking only published indicators are likely missing the dominant exploitation source.…"

Summary

The GreyNoise Global Observation Grid observed active exploitation of two critical Ivanti Endpoint Manager Mobile vulnerabilities, and 83% of that exploitation traces to a single IP address on bulletproof hosting infrastructure that does not appear on widely circulated IOC lists.