Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors


Hackers are actively exploiting Ivanti Endpoint Manager Mobile (EPMM) appliances to plant “dormant” backdoors that can sit unused for days or weeks.

Ivanti recently disclosed two critical EPMM flaws, CVE-2026-1281 and CVE-2026-1340, spanning authentication bypass and remote code execution in different packages (aftstore and appstore).

While the packages differ, defenders face the same practical impact: unauthenticated access to application-level endpoints. Ivanti has published mitigation and patching guidance in its security advisory, but exploitation in the wild followed shortly after disclosure.

Across the intrusions Defusedcyber observed in this latest wave, successful exploitation consistently resulted in a dropped artifact at the path /mifs/403.jsp. The filename and location are not new in Ivanti/MobileIron targeting; what’s different is the payload’s purpose.

Instead of deploying an interactive webshell capable of command execution, the attackers delivered a Base64-encoded Java class file via HTTP parameters. Each decoded payload contained valid Java bytecode (the CAFEBABE class header), functioning as a dormant in-memory class loader rather than an immediately usable backdoor.

This distinction matters operationally: traditional webshell hunting often keys on follow-on commands and filesystem artifacts. Here, the attacker’s workflow prioritized “land and confirm,” not “land and operate.”

The implanted class has been observed as base.Info (compiled from Info.java). It does not expose file browsing, command execution, or a typical operator console. Instead, it waits for a later “activation” request that delivers a second Java class, which the loader then runs directly in memory.

Notably, the loader uses equals(Object) as an entry point rather than standard servlet methods like doGet or doPost, a choice that can reduce friction with simplistic detections.

It extracts HttpServletRequest and HttpServletResponse from the supplied object (with fallbacks for PageContext and servlet wrapper/facade patterns), increasing portability across Java web container implementations.

When triggered, the loader checks for an HTTP parameter named k0f53cf964d387. If present, it strips a two-character prefix, Base64-decodes the remaining value into raw bytes, and reflectively calls ClassLoader#defineClass to load the second-stage class without writing to disk.

The loader instantiates the resulting class with basic host context and returns the class’s toString() output to the requester, wrapped in fixed delimiters (3cd3d and e60537) and served as text/html, a format that is easy for automated tooling to parse. For Base64 decoding, it supports both java.util.Base64 (Java 8+) and sun.misc.BASE64Decoder for older JVMs.

Before handing off control, the loader fingerprints the host (for example, user.dir, filesystem roots, OS name, and username) and passes that data to the second-stage class, likely to help an operator quickly orient on a target later.

Across all cases Defusedcyber observed, the loader was deployed and verified, but no follow-on requests supplying a second-stage class were seen. That “implant now, operate later” pattern aligns with initial access broker behavior, where one actor establishes dependable access at scale and another actor later monetizes or weaponizes it from different infrastructure.

Shadowserver observed attackers deploying a webshell on Ivanti EPMM devices, possibly by exploiting CVE-2026-1281. According to its scans, 56 IPs were found compromised.

Defenders should treat any evidence of this activity as a compromise or attempted compromise, especially when no immediate post-exploitation activity follows.

  • Patch EPMM immediately per Ivanti guidance, then restart affected application servers to flush in-memory implants (critical because the loader never needs to touch disk)
  • Review logs for requests to /mifs/403.jsp, especially with the parameter k0f53cf964d387 (example pattern: GET /mifs/403.jsp?...k0f53cf964d387=<2 chars><base64>)
  • Hunt for responses containing the delimiter pair 3cd3d and e60537
  • Treat detections as time-sensitive, even if the environment appears “stable”; the access may simply be unactivated
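The log-review and response-hunting checks above can be scripted. The following is an added example, not code from the article or from Defusedcyber: it parses combined-format web access log lines (constructed sample, RFC 5737 addresses) for requests to /mifs/403.jsp, flags the k0f53cf964d387 parameter, applies the loader’s own decoding rule (drop two characters, Base64-decode) to confirm a CAFEBABE class header, and extracts text wrapped in the 3cd3d/e60537 delimiters from captured responses.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

LOADER_PATH = "/mifs/403.jsp"
ACTIVATION_PARAM = "k0f53cf964d387"
RESPONSE_RE = re.compile(r"3cd3d(.*?)e60537", re.S)  # loader's fixed delimiters
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # the CAFEBABE class-file header
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode_second_stage(value):
    """Mirror the loader: drop the two-char prefix, Base64-decode the rest."""
    try:
        return base64.b64decode(value[2:], validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_request(line):
    """Return finding tags for one combined-format access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != LOADER_PATH:
        return []
    findings = ["request_to_403_jsp"]  # any hit on this path deserves review
    values = parse_qs(url.query).get(ACTIVATION_PARAM)
    if values:
        findings.append("activation_parameter")  # stage-two trigger seen
        blob = decode_second_stage(values[0])
        if blob and blob.startswith(JAVA_CLASS_MAGIC):
            findings.append("java_class_payload")  # valid bytecode delivered
    return findings

def scan_log(lines):
    """Return [(client_ip, findings)] for every line matching the pattern."""
    return [(ln.split(" ", 1)[0], f) for ln in lines if (f := classify_request(ln))]

def extract_loader_response(body):
    """Return the text the loader wrapped in its delimiters, or None."""
    m = RESPONSE_RE.search(body)
    return m.group(1) if m else None

# Constructed sample lines (RFC 5737 addresses, not the article's IOCs); line 1 carries a 2-char prefix + Base64 of a CAFEBABE header.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /mifs/403.jsp?x=1&k0f53cf964d387=AByv66vgAAADQ%3D HTTP/1.1" 200 512',
    '203.0.113.11 - - [01/Jan/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024',
    '203.0.113.12 - - [01/Jan/2026:10:00:09 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 64',
]
```

A bare request to /mifs/403.jsp with no parameter is still reported, because the article notes the implant may sit unactivated for days or weeks.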

Indicators of Compromise

Artifact Details

Field | Value
Class Name | base[.]Info
Source File | Info[.]java
SHA-256 | 097b051c9c9138ada0d2a9fb4dfe463d358299d4bd0e81a1db2f69f32578747a

Network IOCs – Source IP Addresses


Detection Patterns

Indicator Type | Pattern
File Path | /mifs/403[.]jsp
HTTP Parameter | k0f53cf964d387
Response Delimiters | 3cd3d and e60537
Request Pattern | GET /mifs/403.jsp?...k0f53cf964d387=<2 chars><base64>
Java Class Header | CAFEBABE (in Base64-decoded payload)


The post Hackers Exploiting Ivanti EPMM Devices to Deploy Dormant Backdoors appeared first on Cyber Security News.
