A stealthy new cyber espionage campaign is targeting Ivanti Endpoint Manager Mobile (EPMM), but unlike typical ransomware gangs that smash and grab, these attackers are planting seeds and walking away. A new report from Defused reveals that since February 4, 2026, threat actors have been quietly deploying dormant, in-memory backdoors into vulnerable systems, likely acting as “Initial Access Brokers” (IABs) preparing to sell the keys to the kingdom.
The campaign targets two critical vulnerabilities disclosed earlier this year—CVE-2026-1281 and CVE-2026-1340—which allow for authentication bypass and remote code execution. But while the door is open, the intruders aren’t looting the house just yet.
The most alarming aspect of this campaign is its discipline. Instead of launching immediate encryption or data exfiltration, the operators are uploading a “dormant in-memory Java class loader” and then going dark.
“Rather than the smash-and-grab post-exploitation you’d expect… this operator did something more deliberate, uploading a payload, confirming it landed, and leaving,” the report explains.
The malware is hidden at a specific path, /mifs/403.jsp, and does absolutely nothing until it receives a specific “trigger parameter.” This makes it incredibly difficult for security teams to detect using standard monitoring tools, which usually look for active command execution or massive data outflows.
“No commands were executed, the implant was simply left in place,” Defused notes.
The researchers believe this is a classic “Initial Access Broker” operation. The goal isn’t to hack the target now, but to secure a foothold that can be sold to a ransomware group or state-sponsored actor later.
“The likely purpose is to package confirmed, working access for handoff or sale to a separate party, who would activate it from different infrastructure at a later time,” the report states.
If you are looking for an active attack, you will miss the setup. As the report warns: “That separation – one actor establishes access, another exploits it – is what makes this pattern difficult to detect in practice”.
Because the implant resides only in memory (RAM) and never touches the hard drive, it leaves very few forensic traces. However, Defused has identified specific “tells” in the server logs that administrators can hunt for:
- Requests to /mifs/403.jsp.
- Large Base64 parameters starting with yv66vg (the Base64 encoding of the Java class-file magic bytes, 0xCAFEBABE).
- The specific parameter name k0f53cf964d387.
- Response bodies containing ERROR:// or the markers 3cd3d / e60537.
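As an added example, not code from the Defused report or from Ivanti, the following Python sweeps access-log lines for the indicators listed above. It assumes a combined-format request line plus a hypothetical body="..." field written by a reverse proxy that logs response bodies, and the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the Defused report (see the list above).
IMPLANT_PATH = "/mifs/403.jsp"
TRIGGER_PARAM = "k0f53cf964d387"
CLASS_B64_PREFIX = "yv66vg"          # Base64 of the Java class magic 0xCAFEBABE
RESPONSE_MARKERS = ("ERROR://", "3cd3d", "e60537")

# Assumed log layout (hypothetical): a combined-format request line, optionally
# followed by a body="..." field written by a reverse proxy that logs responses.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
BODY_RE = re.compile(r'body="(?P<body>[^"]*)"')

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Feb/2026:10:00:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Feb/2026:10:01:00 +0000] "POST /mifs/403.jsp?k0f53cf964d387=yv66vgAAADQ HTTP/1.1" 200 64 body="3cd3d"',
    '10.0.0.9 - - [04/Feb/2026:10:02:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 404 0',
]

def classify(line):
    """Return the names of every indicator that matches one log line."""
    hits = []
    req = REQUEST_RE.search(line)
    if req:
        parts = urlsplit(req.group("target"))
        if parts.path == IMPLANT_PATH:
            hits.append("path")
        params = parse_qs(parts.query, keep_blank_values=True)
        if TRIGGER_PARAM in params:
            hits.append("trigger_param")
        if any(v.startswith(CLASS_B64_PREFIX) for vals in params.values() for v in vals):
            hits.append("java_class_b64")
    body = BODY_RE.search(line)
    if body:
        # The markers are short, so match them only inside a logged response body.
        hits.extend("marker:" + m for m in RESPONSE_MARKERS if m in body.group("body"))
    return hits

def scan(lines):
    """Return (line_number, hits) for each line carrying at least one indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            results.append((number, hits))
    return results
```

A parameter sent in a POST body does not appear in a standard access log, so the trigger-parameter and class-upload checks only fire where query strings or request bodies are logged; the path check alone still flags the request.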
Patching alone is not enough. Because the malware lives in memory, applying the vendor patch prevents new infections but may not remove the existing backdoor.
“Restart affected application servers to flush in-memory implants – this is critical, as the payload never touches disk,” the advisory urges.
Security teams are advised to treat any sign of this activity as a confirmed compromise. As Defused puts it: “The absence of further activity doesn’t mean the access isn’t valuable; it may simply mean it hasn’t been activated yet”.