Analysis: Sophisticated Backdoor Campaign Targets Ivanti EPMM Using Dormant Shells
By waihtis
Summary
A February 2026 cybersecurity campaign targeted Ivanti Endpoint Manager Mobile (EPMM) systems with sophisticated backdoor techniques. Instead of traditional smash-and-grab attacks, attackers used internal JSP paths and in-memory Java class loaders to plant dormant, persistent backdoors that remain inactive until triggered. This stealthy approach allows attackers to maintain long-term access to compromised systems across government and enterprise deployments without immediate detection.
Key quotes
Rather than the smash-and-grab post-exploitation you'd expect - dropping traditional webshells, running recon and enumeration commands - this operator did something more deliberate
this campaign used an internal JSP path and in-memory Java class loaders to quietly seed persistent access across Ivanti EPMM deployments - then walked away
Exploitation of Ivanti Endpoint Manager Mobile (EPMM) has been relentless since vulnerability disclosure
Major institutions - governments included - have already been compromised through this vector