Sleeper Shells: Attackers Are Planting Dormant Backdoors in Ivanti EPMM
3 months ago
- #ivanti-epmm
- #cybersecurity
- #initial-access-brokers
- Exploitation of Ivanti EPMM vulnerabilities (CVE-2026-1281 and CVE-2026-1340) has been ongoing since disclosure.
- A coordinated campaign deployed dormant in-memory Java class loaders to `/mifs/403.jsp`, a less common webshell path.
- The implant requires a specific trigger parameter (`k0f53cf964d387`) to activate, suggesting initial access broker (IAB) tradecraft.
- The payload (`base.Info`) is a stage loader designed to load and execute a second Java class delivered later via HTTP.
- No follow-on exploitation was observed, indicating the operator may be preparing access for sale or handoff.
- Host fingerprinting includes gathering environment details like working directory, OS name, and username.
- Detection is challenging due to the payload's in-memory nature and lack of immediate post-exploitation activity.
- Immediate actions include patching Ivanti EPMM, restarting servers to flush in-memory implants, and reviewing access logs.
- Indicators of compromise (IOCs) include requests to `/mifs/403.jsp`, specific Base64 parameters, and response markers.
- The campaign highlights the danger of quiet intrusions that create inventory for future exploitation.
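The summary above names two concrete network indicators a defender can hunt for in web-access logs: requests to the uncommon path `/mifs/403.jsp` and the trigger parameter `k0f53cf964d387` that activates the dormant loader. The following script is an added example (not code from the original article, and not Ivanti's tooling) that scans access-log lines for those two indicators and grades each hit. It assumes a common Apache/Tomcat combined log format, and the sample lines it carries are constructed for illustration. It deliberately does not try to match the "specific Base64 parameters" or "response markers" the summary mentions, because their values are not given on this page.

```python
"""Hunt for the dormant-loader indicators named in the summary above.

Added example, not from the original article or from Ivanti. Assumes an
Apache/Tomcat-style combined access-log format; the sample lines below are
constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Path and trigger parameter taken from the page's indicators of compromise.
SUSPECT_PATH = "/mifs/403.jsp"
TRIGGER_PARAM = "k0f53cf964d387"

# Combined-log-format fields: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(line):
    """Return a finding for one log line, or None if it is not of interest.

    "high":   request to the suspect path whose query string carries the
              trigger parameter (an activation attempt of the implant).
    "medium": any other request to the suspect path. POST bodies are not
              recorded in access logs, so the trigger may still be present;
              the request should be reviewed rather than dismissed.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != SUSPECT_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    trigger_present = TRIGGER_PARAM in params
    return {
        "client": m.group("client"),
        "timestamp": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "trigger_present": trigger_present,
        "severity": "high" if trigger_present else "medium",
    }


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Mar/2026:10:15:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2026:10:16:44 +0000] "GET /mifs/403.jsp?k0f53cf964d387=1 HTTP/1.1" 200 217',
    '198.51.100.7 - - [01/Mar/2026:10:17:01 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 40',
    '203.0.113.22 - - [01/Mar/2026:10:18:30 +0000] "GET /mifs/c/d/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['timestamp']} {f['client']} "
              f"{f['method']} status={f['status']} trigger={f['trigger_present']}")
```

Because the loader lives only in memory, a log hit is often the only durable trace of the intrusion; any finding from this scan is a reason to restart the affected server after patching, as the summary advises, and to pull the full request history for that client rather than treating a single quiet request as benign.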