Sleeper Shells: The Patient Art of Initial Access Brokering

A new Ivanti EPMM exploitation campaign plants dormant backdoors and walks away—the hallmark of professional initial access brokers

The loud compromises get the headlines: ransomware detonations, mass data exfiltration, lateral movement storms that light up every detection rule. But the most dangerous intrusions are often the ones that don’t do anything. Yet.

A coordinated campaign targeting Ivanti Endpoint Manager Mobile (EPMM) that began February 4th, 2026, demonstrates exactly this pattern. Attackers exploited CVE-2026-1281 and CVE-2026-1340 to deploy payloads—then simply left.

The Core Insight

This isn’t your typical smash-and-grab exploitation. Rather than dropping traditional webshells and running reconnaissance commands, these operators did something more deliberate:

  1. Upload a payload to /mifs/403.jsp
  2. Confirm it landed
  3. Leave

No commands executed. No data exfiltrated. The implant sits dormant, waiting.

This is textbook initial access broker (IAB) tradecraft: gain a foothold, verify it works, then sell or hand off access later. The tooling is generic and container-agnostic—built to work reliably across environments, not to perform any specific post-exploitation task.

Why This Matters

The Implant Architecture:
The payload isn’t a traditional webshell—it’s an in-memory Java class loader named base.Info. Its design is ingenious:

  • Uses equals(Object) as its entry point instead of standard servlet handlers like doGet or doPost—less likely to trigger security tooling
  • Requires a specific HTTP parameter (k0f53cf964d387) to activate
  • Loads second-stage classes entirely in memory via reflective ClassLoader#defineClass—nothing touches disk
  • Supports both java.util.Base64 and sun.misc.BASE64Decoder for JVM compatibility
  • Returns responses wrapped in fixed delimiters for automated parsing

The Detection Gap:
Here’s the problem for defenders: there’s a gap between initial compromise and eventual use where the telemetry trail goes quiet. One actor establishes access, another exploits it later from different infrastructure. Traditional IOC-based detection may miss this entirely.

The class was submitted to VirusTotal and received only one hit—from Nextron Systems’ THOR APT Scanner under a generic JSP webshell characteristics rule. Traditional AV largely misses it because the payload never touches disk.

Key Takeaways

  • Patch immediately: If you’re running Ivanti EPMM, apply vendor patches now. CVE-2026-1281 and CVE-2026-1340 provide unauthenticated RCE.

  • Restart your servers: This is critical. The in-memory implant survives indefinitely until the JVM process restarts. Restarting flushes the implant.

  • Hunt for these indicators:
      • Requests to /mifs/403.jsp
      • Large Base64 parameters beginning with yv66vg (the Base64 encoding of the CAFEBABE Java class-file magic bytes)
      • The parameter name k0f53cf964d387
      • Response bodies containing the 3cd3d or e60537 markers

  • Absence of evidence isn’t evidence of absence: No follow-on exploitation doesn’t mean you’re safe. It may simply mean the access hasn’t been activated—or sold—yet.
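The hunt indicators above, and the detection gap described earlier, translate directly into a log-hunting check. The following script is an added example written for this summary; it is not code from the original Defused Cyber analysis or from Ivanti. It parses constructed access-log lines in a common combined-log shape, flags every indicator the write-up lists, and separately checks a captured response body for the delimiter markers. The log format, the sample entries and the 1024-byte "large parameter" threshold are assumptions; the path, parameter name, Base64 prefix and response markers are the page's own indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the write-up
IMPLANT_PATH = "/mifs/403.jsp"
ACTIVATION_PARAM = "k0f53cf964d387"
CLASS_MAGIC_B64 = "yv66vg"            # Base64 of 0xCAFEBABE, the Java class-file magic
RESPONSE_MARKERS = ("3cd3d", "e60537")  # delimiters wrapping the implant's responses
LARGE_PARAM_THRESHOLD = 1024            # assumption: bytes; tune to your environment

# Assumed combined-log-style line: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not real telemetry); the first mimics an activation attempt
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Feb/2026:10:15:02 +0000] '
    '"POST /mifs/403.jsp?k0f53cf964d387=yv66vgAAADQAAABaBwAC HTTP/1.1" 200 512',
    '198.51.100.3 - - [04/Feb/2026:10:16:40 +0000] "GET /mifs/403.jsp HTTP/1.1" 404 221',
    '192.0.2.10 - - [04/Feb/2026:10:17:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1337',
]


def parse_access_log(line):
    """Return a request dict for a recognised line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        # keep_blank_values so a bare "k0f53cf964d387" with no value is still seen
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def hunt_request(req):
    """Return the list of indicators matched by one parsed request."""
    hits = []
    if req["path"] == IMPLANT_PATH:
        hits.append("request to /mifs/403.jsp")
    if ACTIVATION_PARAM in req["params"]:
        hits.append("activation parameter name")
    for name, values in req["params"].items():
        for value in values:
            # The prefix contains no URL-special characters, so it survives decoding intact
            if value.startswith(CLASS_MAGIC_B64):
                hits.append(f"Base64 class file in parameter {name}")
            elif len(value) >= LARGE_PARAM_THRESHOLD:
                hits.append(f"oversized parameter {name}")
    return hits


def hunt_response(body):
    """Return the response-delimiter markers present in a captured response body."""
    return [marker for marker in RESPONSE_MARKERS if marker in body]


def hunt_log(lines):
    """Run the request indicators over raw log lines; returns (src, path, hits) per match."""
    findings = []
    for line in lines:
        req = parse_access_log(line)
        if req is None:
            continue  # unparseable line: skip rather than silently mis-score it
        hits = hunt_request(req)
        if hits:
            findings.append((req["src"], req["path"], hits))
    return findings


if __name__ == "__main__":
    for src, path, hits in hunt_log(SAMPLE_LOG):
        print(f"{src} {path}: {', '.join(hits)}")
```

Two points worth noting when running this against real data. Access logs usually record only the query string, so an activation parameter sent in a POST body will not appear there; feed `hunt_request` from a proxy, WAF or full-capture source that preserves request bodies to cover that case. And because the implant lives only in memory, a match on these indicators is evidence that the foothold was planted or tested, not that it has been used yet, which is exactly the quiet period the detection-gap section describes.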

Looking Ahead

The IAB economy is thriving. Groups establish access at scale, verify it works, package it, and sell to operators who specialize in exploitation—ransomware groups, espionage actors, or whoever’s buying. This separation of concerns makes the threat landscape more dangerous and harder to defend against.

For enterprise mobility infrastructure specifically, this campaign signals that attackers view MDM platforms as high-value targets. Access to EPMM means potential access to managed device configurations, corporate policies, and the broader enterprise network.

The loader is patient. Defenders shouldn’t be. Patch, restart, and hunt proactively. The quiet compromises are the ones that should worry you most.


Based on analysis of Sleeper Shells: How Attackers Are Planting Dormant Backdoors in Ivanti EPMM – Defused Cyber
