A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), with threat actors quietly deploying dormant, in-memory backdoors since 4 February 2026, likely acting as Initial Access Brokers preparing to sell access later. According to Defused, the operation focuses on two disclosed vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which enable authentication bypass and remote code execution, but the attackers are currently not carrying out immediate theft or encryption.
Instead, they upload a dormant in-memory Java class loader at the path /mifs/403[.]jsp and then go dark, leaving the implant in memory, where it is difficult to detect with standard monitoring. The report notes that no commands were executed and that the payload activates only when a specific trigger parameter is supplied. The log tells are requests to /mifs/403[.]jsp, large Base64 parameters starting with yv66vg, and a parameter named k0f53cf964d387.
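As an added example (not code from the Defused report), here is a Python scan over constructed web-server access-log lines that flags the three tells above: the implant path, the trigger parameter name, and a large Base64 value beginning with yv66vg. The 512-character "large" threshold and the log format are assumptions, and the scan only sees the request line, so parameters sent in a POST body would have to come from the body or an application log instead.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators as stated in the report (defanged brackets removed for matching).
IMPLANT_PATH = "/mifs/403.jsp"
TRIGGER_PARAM = "k0f53cf964d387"
# "yv66vg" is the Base64 encoding of 0xCAFEBABE, the Java class-file magic,
# so a large parameter starting with it carries a Base64-encoded .class blob.
CLASS_B64_PREFIX = "yv66vg"
LARGE_PARAM_LEN = 512  # assumed threshold for "large"

# Assumed combined-log-format line: client, two fields, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request(target):
    """Return the indicator names matched by one request target (path + query)."""
    hits = []
    parts = urlsplit(target)
    if parts.path == IMPLANT_PATH:
        hits.append("implant_path")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == TRIGGER_PARAM:
            hits.append("trigger_param")
        if value.startswith(CLASS_B64_PREFIX) and len(value) >= LARGE_PARAM_LEN:
            hits.append("base64_class_param")
    return hits


def scan_log(lines):
    """Parse access-log lines and return one alert per request that matches any tell."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        hits = inspect_request(m["target"])
        if hits:
            alerts.append({"src": m["src"], "ts": m["ts"],
                           "target": m["target"][:60], "indicators": hits})
    return alerts


# Constructed sample lines (not taken from the report); line 2 carries a fake class blob.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2026:10:15:02 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 12',
    '203.0.113.7 - - [04/Feb/2026:10:15:03 +0000] "POST /mifs/403.jsp?k0f53cf964d387=yv66vg'
    + "A" * 600 + ' HTTP/1.1" 200 0',
    '198.51.100.4 - - [04/Feb/2026:10:16:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4512',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```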
Patching alone may not remove the backdoor due to its memory-resident nature, so restarting affected application servers to flush the in-memory implant is advised.