Analysis: Sophisticated Backdoor Campaign Targets Ivanti EPMM Using Dormant Shells
A February 2026 campaign used a internal JSP path and in-memory Java class loaders to quietly seed persistent access across Ivanti EPMM deployments - then walked away. We break down the tradecraft.
Read the full articleYou might also wanna read

WAF - WAF Release - 2026-03-12 - Emergency
This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), along
Ivanti discloses two critical vulnerabilities in Sentry mobile gateway, including max-severity unauthenticated RCE flaw
Remote, unauthenticated RCE with root privileges is about as bad as it gets
CVE-2026-14903: CWE-23 Relative path traversal in ivanti Xtraction
CVE-2026-14903 is a path traversal vulnerability in Ivanti Xtraction before version 2026.2.1 that allows a remote authenticated attacker to
MLTBackdoor: New Ransomware-Linked Backdoor Evades Detection via Microsoft Defender DLL Sideloading
MLTBackdoor Unmasked: Inside the Stealthy Ransomware-Linked Backdoor That Sideloads via Microsoft Defender + Video - "Undercode Testing": Mo
undercodetesting.com·1mo agoMistic Backdoor and ModeloRAT Deployed in Financially Motivated Attacks Linked to KongTuke
Mistic is a stealthy in-memory backdoor tied to KongTuke, delivered via ClickFix campaigns, using DLL side-loading and DNS staging for low-v
Ivanti Sentry Pre-Auth OS Command Injection (CVE-2026-10520) Allows Root-Level Remote Code Execution
Today, Ivanti published an advisory. “No way?” we hear you say. "Yes way!" Today’s advisory outlines two vulnerabilities in Ivanti’s Sentry
labs.watchtowr.com·27d ago
Comments
Sign in to join the conversation.
No comments yet. Be the first.