HN
Today

Sleeper Shells: Attackers Are Planting Dormant Backdoors in Ivanti EPMM

A new wave of exploitation targets Ivanti EPMM vulnerabilities, not with immediate data theft, but with 'sleeper shells' – dormant, in-memory Java class loaders. This sophisticated technique, indicative of Initial Access Broker activity, allows attackers to establish persistent, stealthy footholds for future sale or use. Hacker News finds this deep dive into novel cyberattack tradecraft particularly compelling due to its technical detail and implications for enterprise security.

Score: 7 | Comments: 0 | Highest Rank: #1 | 8h on Front Page | First Seen: Feb 9, 3:00 PM | Last Seen: Feb 9, 10:00 PM

The Lowdown

Recent exploitation of Ivanti Endpoint Manager Mobile (EPMM) has revealed a concerning new trend: a coordinated campaign deploying 'sleeper shells' rather than immediate, destructive payloads. Leveraging critical vulnerabilities (CVE-2026-1281 and CVE-2026-1340), attackers are gaining initial access with a distinct, patient strategy.

  • Attackers chain an authentication bypass with a remote code execution vulnerability in Ivanti EPMM, so code runs on the appliance without any credentials.
  • Unlike typical 'smash-and-grab' post-exploitation, this campaign registers a dormant Java class loader that lives only in the running JVM and answers at a specific request path (/mifs/403.jsp).
  • This loader, which never touches disk, is a 'stage loader': it does nothing until a later request carrying a specific HTTP parameter arrives, at which point it receives and executes a second Java class supplied by the operator.
  • The operators deploy these loaders, verify they are functional, and then leave them inactive, a tactic strongly suggestive of Initial Access Broker (IAB) activity where access is established and later sold or handed off.
  • This separation of initial access from follow-on exploitation makes detection challenging, as there's a quiet period with no immediate malicious activity.
  • The article provides detailed indicators of compromise (IOCs), including specific request paths, parameter names, response markers, and network source IPs, to help defenders identify compromise.
  • Crucial advice for Ivanti EPMM users includes immediate patching, restarting affected servers after patching (a memory-only implant does not survive a restart, but an unpatched server can simply be re-exploited), and proactive hunting for the provided indicators.
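As an added example (not code from the article or from Ivanti), the hunt described above can be run over EPMM web access logs. The script below assumes combined-format (Apache/Tomcat style) access logs; the only indicator taken from the summary is the loader path /mifs/403.jsp. The trigger parameter name and source IP sets are placeholders to be replaced with the article's published IOCs, and the log lines are constructed sample data.

```python
"""Hunt for 'sleeper shell' stage-loader traffic in EPMM access logs.

Added example, not from the article or from Ivanti. Assumes combined-format
access logs. LOADER_PATH comes from the summary; TRIGGER_PARAMS and
KNOWN_SOURCE_IPS are placeholders to be filled from the article's IOC list.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Request path the summary names for the in-memory loader (from the source).
LOADER_PATH = "/mifs/403.jsp"

# Placeholders (assumed, not real indicators): replace with the published IOCs.
TRIGGER_PARAMS = {"PLACEHOLDER_TRIGGER_PARAM"}
KNOWN_SOURCE_IPS = {"198.51.100.23"}  # RFC 5737 documentation address

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic). Only 198.51.100.23 and
# 192.0.2.77 touch the loader path; 203.0.113.9 is ordinary admin traffic.
SAMPLE_LOG = [
    '203.0.113.9 - - [09/Feb/2026:14:02:11 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
    '198.51.100.23 - - [09/Feb/2026:14:05:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 17',
    '198.51.100.23 - - [09/Feb/2026:14:05:41 +0000] '
    '"POST /mifs/403.jsp?PLACEHOLDER_TRIGGER_PARAM=1 HTTP/1.1" 200 64',
    '203.0.113.9 - - [09/Feb/2026:15:30:02 +0000] "GET /mifs/c/d/admin.html HTTP/1.1" 302 0',
    '192.0.2.77 - - [09/Feb/2026:21:10:55 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 17',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Return finding tags for one parsed request (empty if uninteresting)."""
    tags = []
    if rec["path"] != LOADER_PATH:
        return tags
    # Any hit on the loader path is worth a look: a bare GET matches the
    # 'deploy and verify' step, a parameterised request matches activation.
    tags.append("loader-path-hit")
    if rec["method"] == "POST":
        tags.append("post-to-loader")  # second-stage class likely in the body
    if rec["params"]:
        tags.append("any-param")
    if TRIGGER_PARAMS.intersection(rec["params"]):
        tags.append("trigger-param")
    if rec["ip"] in KNOWN_SOURCE_IPS:
        tags.append("known-source-ip")
    return tags


def hunt(lines):
    """Return (findings, hits-per-source-IP) for an iterable of log lines."""
    findings = []
    by_ip = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        tags = classify(rec)
        if tags:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "target": rec["target"], "status": rec["status"], "tags": tags})
            by_ip[rec["ip"]] += 1
    return findings, dict(by_ip)


if __name__ == "__main__":
    found, per_ip = hunt(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} {f['method']} {f['target']} {f['status']} {','.join(f['tags'])}")
    print("hits per source IP:", per_ip)
```

The point of the two-tier tagging is the quiet period the summary describes: a lone GET to the loader path weeks before any parameterised request is exactly what a deploy-then-park operation looks like, so the bare "loader-path-hit" should be triaged even when no "trigger-param" or "post-to-loader" tag ever appears.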

This shift towards patient, multi-stage attacks underscores the evolving sophistication of threat actors. The 'sleeper shell' approach highlights the need for vigilance even when no immediate impact is observed, as established access can remain dormant, awaiting activation by a different party at a later date.