GreyNoise discovered 83% of Ivanti EPMM exploitation attempts trace to a single IP address (193.24.123[.]42) on bulletproof hosting infrastructure—yet this dominant attack source appears on zero published indicator-of-compromise lists defenders rely upon. SmarterTools suffered ransomware breach through an unpatched virtual machine running its own SmarterMail product exploiting CVE-2026-23760, enabling Warlock ransomware operators to compromise 12 Windows servers. Google Threat Intelligence Group disclosed state-sponsored attackers from China, Iran, North Korea, and Russia actively abuse Gemini AI across all attack stages including reconnaissance, phishing, vulnerability research, and malware development.
These incidents reveal converging enterprise threats where traditional defensive indicators fail, software vendors fall victim to their own products, and adversarial AI moves from theoretical to operationally deployed. Between February 1-9, 2026, GreyNoise recorded 417 Ivanti CVE-2026-1281 exploitation sessions with 346 originating from PROSPERO OOO (AS200593) in St. Petersburg—yet widely circulated IOCs point to Windscribe VPN exits conducting Oracle WebLogic scanning with zero Ivanti activity. SmarterTools missed updating one forgotten VM among 30 servers, enabling 6-7 day delayed ransomware deployment typical of initial access broker tradecraft. Google identified APT31, APT42, Temp.HEX, and UNC2970 leveraging Gemini for automated vulnerability analysis, phishing lure generation, code debugging, and post-compromise evasion research.
This analysis examines verified technical details through vendor advisories, threat intelligence platforms, and security research publications. You'll understand attack mechanics across enterprise mobility management, email infrastructure, and AI-assisted operations while implementing evidence-based defensive controls.
Ivanti EPMM: The Bulletproof Hosting Disconnect
The 83% Concentration Nobody's Blocking
GreyNoise Global Observation Grid detected active exploitation of CVE-2026-1281 and CVE-2026-1340—critical code injection vulnerabilities in Ivanti Endpoint Manager Mobile enabling unauthenticated remote code execution (CVSS 9.8). Between February 1-9, 2026, sensors recorded 417 exploitation sessions from eight unique source IPs. One IP generated 346 sessions accounting for 83% of all observed exploitation: 193.24.123[.]42 registered to PROSPERO OOO (AS200593), a bulletproof hosting provider carrying Censys "BULLETPROOF" designation.
The concentration reveals asymmetric defender advantage: blocking a single autonomous system eliminates 83% of observed exploitation. However, this dominant source appears on zero widely circulated indicator-of-compromise lists. Security teams implementing published IOCs protect against wrong threats while missing the infrastructure actually conducting mass exploitation campaigns.
Important: Published IOCs point to Windscribe VPN exit nodes in a /24 subnet that generated 29,588 sessions over 30 days—99% targeting Oracle WebLogic on port 7001 with zero Ivanti EPMM exploitation sessions. Defenders blocking only published indicators watch the wrong door while attackers walk through unmonitored entrances.
Sleeper Shell Infrastructure and Initial Access Broker Tradecraft
Defused Cyber identified "sleeper shell" campaign deploying dormant in-memory Java class loaders to compromised EPMM instances at path /mifs/403.jsp. The malware exhibits sophisticated dormancy requiring specific HTTP trigger parameter (k0f53cf964d387) before activating. Standard antivirus tools miss the threat because the class loader resides in server memory avoiding filesystem artifacts where traditional scanning operates.
Analysis reveals 85% of exploitation payloads use Out-of-Band Application Security Testing (OAST) DNS callbacks verifying command execution rather than deploying immediate follow-on payloads. This cataloging approach indicates initial access broker operations verifying exploitability first, selling access later for financial gain rather than direct monetization through data theft or ransomware deployment.
Exploitation Timeline Analysis
| Date | Sessions | Pattern | Operational Significance |
|---|---|---|---|
| Feb 1-7 | ~21/day average | Steady reconnaissance | Vulnerability validation |
| Feb 8 | 269 sessions | 13x spike | Expanded targeting or retooling |
| Feb 9 | Defused publishes findings | Sleeper shell disclosure | Public awareness escalation |
| Feb 11 | Shadowserver: 28K source IPs | Mass scanning begins | Automated exploitation attempts |
Confirmed Victim Organizations
The Dutch Data Protection Authority (AP) and Council for the Judiciary confirmed February 2026 breaches via Ivanti EPMM exploitation. The European Commission investigated similar incidents potentially involving EPMM. Finland's Valtori central government ICT service center disclosed compromise. The pattern demonstrates targeting of government and critical infrastructure organizations managing mobile device fleets through centralized EPMM platforms.
Defense-in-Depth Implementation
Apply Ivanti patches for CVE-2026-1281 and CVE-2026-1340 immediately despite February 4 security update release. Restart EPMM application servers flushing in-memory implants that survive patching but cannot persist across process restarts. In-memory class loaders like the /mifs/403.jsp sleeper shell vanish only on reboot—patches alone prove insufficient remediation.
Block AS200593 (PROSPERO OOO) at network perimeters preventing 83% of observed exploitation traffic. Review DNS logs for OAST-pattern callbacks: unique high-entropy subdomains resolving to known interaction infrastructure like Burp Collaborator, interact.sh, or pingb.in. These callbacks indicate exploitation payloads executed successfully even without visible secondary compromise.
Monitor for /mifs/403.jsp path access in EPMM web server logs. Presence indicates compromise requiring immediate incident response including forensic analysis, credential rotation, and system re-imaging. Audit internet-facing Mobile Device Management infrastructure ensuring only required services expose to external networks. Deploy network segmentation isolating MDM platforms from production environments limiting lateral movement potential.
SmarterTools: Vendor Breached Through Own Product Vulnerability
The Forgotten Virtual Machine Attack Vector
SmarterTools disclosed January 29, 2026 ransomware breach affecting office networks and data center lab environments. Chief Operating Officer Derek Curtis revealed the company maintained approximately 30 servers/VMs with SmarterMail installed but remained unaware of one VM configured by an employee never included in update procedures. This single forgotten system provided Warlock ransomware group (Storm-2603, Gold Salem) initial access enabling Active Directory compromise and lateral movement across Windows infrastructure.
The irony compounds: a software vendor specializing in Microsoft Exchange alternatives fell victim to critical vulnerabilities in its own email platform. CVE-2026-23760 (CVSS 9.3) enables authentication bypass forcing password resets on system administrator accounts. CVE-2026-24423 (CVSS 9.3) permits unauthenticated remote code execution through the ConnectToHub API method. Both vulnerabilities were patched January 15 in Build 9511—two weeks before the SmarterTools breach.
Pro Tip: The breach demonstrates shadow IT risks within software vendors themselves. Employees provisioning development VMs, test instances, or quality control environments create forgotten infrastructure excluded from patch management processes. Comprehensive asset inventory proves essential even—especially—for companies developing security-conscious software.
Warlock Ransomware Attack Chain
ReliaQuest researchers confirmed Warlock exploited CVE-2026-23760 for initial access based on successful password reset requests containing specific input designed to takeover built-in system administrator accounts. The group chained authentication bypass with SmarterMail's legitimate "Volume Mount" feature gaining full system control. Post-compromise activities included installing Velociraptor (legitimate digital forensics tool) for persistence and SimpleHelp for remote access.
The delayed detonation pattern proves significant. Attackers typically install files then wait 6-7 days before encryption deployment. This explains why some SmarterTools customers experienced compromise even after updating—initial breach occurred before patches with malicious activity triggering later. The patience demonstrates initial access broker methodology prioritizing access preservation over immediate financial gain.
Attack Progression Timeline
| Stage | Warlock Action | Technical Mechanism | SmarterTools Impact |
|---|---|---|---|
| Day 0 | Exploit CVE-2026-23760 | Authentication bypass on forgotten VM | Administrator account takeover |
| Day 0-1 | Download v4.msi from Supabase | Legitimate cloud storage | Velociraptor installation |
| Day 2-5 | Active Directory enumeration | Windows-native tools | Network mapping |
| Day 6-7 | Create new AD users | Privilege escalation | Persistent access established |
| Day 7+ | Deploy ransomware payload | File encryption | 12 Windows servers impacted |
Confirmed Victims and Operational Patterns
SmarterTools acknowledged observing "similar activity on customer machines" indicating Warlock leveraged vendor compromise for supply chain attacks targeting SmarterMail installations. The group demonstrates China-linked origins combining state-sponsored espionage techniques with cybercrime methods. Operations employ DLL-sideloading, DLL-hijacking, AK47 C2 framework, and Bring Your Own Vulnerable Driver (BYOVD) tactics for evasion.
Warlock emerged June 2025 and rapidly adopted ToolShell exploit for zero-day SharePoint server attacks in July 2025. The group's targeting patterns favor Veeam, SharePoint, and now SmarterMail vulnerabilities demonstrating opportunistic exploitation of enterprise infrastructure rather than vertical-specific campaigns. CISA added CVE-2026-24423 to Known Exploited Vulnerabilities catalog February 5, 2026 with "Known To Be Used in Ransomware Campaigns" designation.
Multi-Layered Defensive Framework
Update all SmarterMail instances to Build 9526 (January 22, 2026) complementing Build 9511's vulnerability fixes with additional security improvements. Conduct comprehensive asset inventory discovering forgotten VMs, abandoned test instances, and shadow IT deployments excluded from patch management workflows. Deploy automated scanning identifying all instances of SmarterMail, SmarterTrack, and SmarterStats across organizational networks regardless of intended purpose or authorization status.
Implement network segmentation isolating email infrastructure from broader Windows Active Directory domains preventing lateral movement from compromised mail servers to domain controllers. Deploy endpoint detection and response (EDR) solutions monitoring for Velociraptor, SimpleHelp, and other legitimate administration tools potentially weaponized by attackers. SmarterTools specifically credited SentinelOne for blocking encryption attempts during their breach.
Review authentication logs for unusual password reset activity particularly affecting system administrator or built-in accounts. Monitor API calls to ConnectToHub and Volume Mount features potentially indicating CVE-2026-24423 and CVE-2026-23760 exploitation. Enforce multi-factor authentication on all administrative interfaces adding security layers beyond vulnerability patching timelines.
Google Gemini: State-Sponsored AI Weaponization at Scale
Cross-Nation Attack Lifecycle Integration
Google Threat Intelligence Group disclosed comprehensive analysis of state-sponsored adversary abuse of Gemini AI across all attack phases from reconnaissance to post-compromise operations. APT groups from over 20 countries utilized Gemini with highest volume from Iran and China. Identified threat actors include APT31 (China), Temp.HEX (China), APT42 (Iran), and UNC2970 (North Korea) leveraging AI for target profiling, vulnerability research, phishing lure generation, code debugging, and evasion technique development.
Iranian actors demonstrated heaviest Gemini usage for reconnaissance on defense organizations and international experts, publicly disclosed vulnerability research, phishing campaign development, and content creation for influence operations. Chinese-backed groups automated vulnerability analysis building testing plans using fabricated attack scenarios. Documented activity included analyzing remote code execution paths, web application firewall bypass methods, and SQL injection results specifically targeting US government and military organizations.
Important: While Google emphasizes threat actors haven't achieved "novel capabilities" or "paradigm shifts" through AI assistance, the operational reality demonstrates generative AI enables attackers moving faster at higher volume. For skilled actors, Gemini provides helpful framework similar to Metasploit or Cobalt Strike. For less skilled actors, AI serves as learning and productivity tool accelerating technique incorporation and tool development.
AI-Powered Malware and Agentic Systems
Security researchers identified HonestCue malware framework using Gemini API calls to generate second-stage C# code executed directly in memory via CSharpCodeProvider. The technique avoids disk-based artifacts traditional antivirus solutions detect. Generated code downloads and executes additional malware in-memory maintaining stealth throughout infection lifecycle. While not linked to specific campaigns, HonestCue demonstrates proof-of-concept for AI-integrated malware development.
Threat actors integrated Gemini with HexStrike AI penetration testing tool automating intelligence gathering identifying technological vulnerabilities and organizational defense weaknesses. The combination explicitly blurs lines between routine security assessment queries and targeted malicious reconnaissance operations. Google disabled accounts linked to this campaign after identifying abuse patterns.
AI Abuse Across Attack Lifecycle
| Attack Stage | Gemini Application | Threat Actor Examples | Defensive Gap |
|---|---|---|---|
| Reconnaissance | Target profiling, OSINT automation | APT31, APT42 | Traditional OSINT monitoring |
| Weaponization | Vulnerability research, exploit planning | Temp.HEX, Chinese groups | CVE prioritization |
| Delivery | Phishing lure generation, translation | APT42, Iranian actors | Email security filters |
| Exploitation | Code debugging, testing scenarios | APT31, multiple groups | Application-layer detection |
| Installation | Malware development assistance | HonestCue operators | Behavioral analysis |
| Command & Control | Evasion technique research | Russian groups | Network monitoring |
| Actions on Objectives | Post-compromise planning | Multiple state actors | Incident response |
Model Extraction and Intellectual Property Theft
Google identified large-scale attempts replicating Gemini's behavior through model extraction techniques. One campaign employed over 100,000 prompts attempting to distill the model's capabilities into alternative systems. This "knowledge distillation" technique allows adversaries transferring AI behavior into new models constituting intellectual property theft and serious threat to AI-as-a-service platforms.
Organizations leveraged authorized API access methodically querying systems reproducing decision-making processes to replicate functionality. While not direct threat to model users or their data, extraction constitutes significant commercial, competitive, and intellectual property problem for creators. Model extraction enables attackers accelerating AI development quickly at significantly lower cost than legitimate training processes.
Defensive Strategies Against AI-Assisted Threats
Monitor organizational Gemini API usage identifying anomalous patterns including excessive prompts, vulnerability-focused queries, or malware development research. Implement usage policies restricting AI tool access for security-sensitive operations requiring human oversight. Deploy content filtering detecting AI-generated phishing attempts through linguistic patterns, generic phrasing, or contextual inconsistencies differing from legitimate communications.
Enable advanced email security solutions employing machine learning detecting AI-crafted phishing campaigns optimized through iterative refinement. Traditional keyword-based filters prove insufficient against AI-generated content specifically engineered bypassing static rules. Implement behavioral analysis identifying unusual AI tool interactions potentially indicating compromise or insider threat activity.
Educate security teams recognizing AI-assisted attack patterns including accelerated reconnaissance timelines, polyglot malware supporting multiple environments, and sophisticated social engineering narratives demonstrating deep target knowledge. Establish AI usage governance requiring security review before deploying LLM integrations into production systems ensuring appropriate guardrails prevent adversarial abuse.
Key Takeaways
- Block AS200593 (PROSPERO OOO) at network perimeters eliminating 83% of observed Ivanti EPMM exploitation while recognizing widely circulated IOCs point to VPN exits conducting Oracle WebLogic scanning with zero Ivanti activity
- Conduct comprehensive asset inventory discovering forgotten virtual machines and shadow IT deployments excluded from patch management as SmarterTools breach demonstrates single unpatched VM enables enterprise-wide ransomware through CVE-2026-23760 authentication bypass
- Restart Ivanti EPMM application servers after patching to flush in-memory sleeper shells at /mifs/403.jsp requiring specific trigger parameters before activation and surviving patch deployment without process restart
- Monitor DNS logs for OAST-pattern callbacks indicating successful exploitation payload execution even without visible secondary compromise as 85% of Ivanti attacks verify exploitability first consistent with initial access broker tradecraft
- Implement AI usage monitoring detecting anomalous Gemini API patterns as state-sponsored groups from China, Iran, North Korea, and Russia leverage Google's LLM across all attack stages from reconnaissance to post-compromise evasion
- Deploy behavioral email security detecting AI-generated phishing campaigns as APT42 and Iranian actors use Gemini for social engineering lure generation optimized through iterative refinement bypassing keyword-based filters
Conclusion
The Ivanti EPMM bulletproof hosting concentration, SmarterTools vendor breach, and Google Gemini weaponization demonstrate converging enterprise threats where traditional defensive indicators fail, software companies fall victim to their own products, and adversarial AI transitions from theoretical to operationally deployed. GreyNoise's revelation that 83% of exploitation traces to infrastructure absent from published IOC lists exposes fundamental intelligence sharing gaps where defenders implement protections against wrong threats while missing dominant attack sources.
SmarterTools' compromise through forgotten VM running unpatched SmarterMail highlights asset management criticality even within security-conscious software vendors. The 6-7 day delayed detonation pattern typical of Warlock ransomware demonstrates initial access broker methodology requiring defenders assume breach and hunt for dormant implants rather than trusting patch deployment alone. Google's disclosure of state-sponsored Gemini abuse across all attack stages validates concerns about AI democratizing sophisticated capabilities previously requiring advanced technical skills.
Organizations face threats requiring immediate tactical response and strategic architectural evolution. Block bulletproof hosting AS200593 today before Ivanti exploitation expands. Discover forgotten infrastructure through comprehensive asset inventory preventing SmarterTools-style vendor breaches. Restart application servers flushing in-memory implants surviving patch deployment. Monitor AI tool usage detecting adversarial patterns as state actors leverage Gemini for reconnaissance, vulnerability research, and phishing development. The convergence of intelligence gaps, shadow IT vulnerabilities, and AI weaponization demonstrates modern security requires defense-in-depth assuming published indicators prove incomplete, asset inventories contain unknowns, and adversaries operate with AI acceleration. Start with immediate remediation protecting against known threats, then construct continuous discovery and monitoring frameworks preventing exploitation of invisible attack surfaces.
Frequently Asked Questions
Q: Why aren't the most-shared Ivanti EPMM indicators of compromise blocking actual exploitation attempts?
A: Published IOCs point to Windscribe VPN exit nodes conducting Oracle WebLogic scanning on port 7001 with zero Ivanti EPMM exploitation activity in GreyNoise telemetry. The infrastructure actually conducting Ivanti attacks (193.24.123[.]42 on AS200593) doesn't appear on widely circulated lists. Defenders blocking only published indicators protect against unrelated scanning while missing the dominant exploitation source conducting 83% of observed sessions. This demonstrates intelligence sharing gaps where rapid IOC circulation prioritizes speed over accuracy, resulting in defenders watching wrong doors while attackers use unmonitored infrastructure.
Q: How can organizations identify forgotten virtual machines like the one that enabled SmarterTools' breach?
A: Deploy automated network scanning tools discovering all active systems regardless of authorization status or intended purpose. Query hypervisor APIs (VMware, Hyper-V, cloud providers) inventorying all provisioned VMs comparing against official asset databases identifying orphans. Review DNS records, DHCP leases, and network flow data detecting systems communicating on infrastructure but absent from configuration management databases. Implement mandatory provisioning workflows requiring security team approval before VM creation and automatic decommissioning after defined periods unless explicitly extended through documented business justification.
Q: What specific defensive measures prevent AI tools like Gemini from being abused for malicious purposes?
A: Google implements multi-layered safety controls including content classifiers detecting malicious intent, safety-guided responses refusing harmful requests, and continuous model testing improving security guardrails. Organizations should monitor internal AI tool usage identifying anomalous patterns like excessive vulnerability research, malware development queries, or reconnaissance on protected entities. Deploy usage policies restricting AI access for security-sensitive operations and requiring human oversight before deploying AI-generated code or attack research. Implement behavioral analysis detecting AI-assisted attack patterns including accelerated timelines, polyglot development, and sophisticated social engineering demonstrating deep target knowledge inconsistent with typical reconnaissance capabilities.
Q: Why does the Ivanti sleeper shell survive patching and require application server restart for remediation?
A: The /mifs/403.jsp in-memory Java class loader resides in server application memory, not on disk where patches operate. Applying security updates addresses the CVE-2026-1281 and CVE-2026-1340 vulnerabilities preventing new exploitation but doesn't affect malware already loaded into running process memory. In-memory implants persist across patch deployment maintaining dormant access until specific trigger parameters activate payload execution. Only process restart flushes memory clearing loaded class loaders. This demonstrates why incident response requires both patching preventing new compromise and restart ensuring existing implants don't persist despite vulnerability remediation.
Q: How does Warlock ransomware's 6-7 day delay between initial access and encryption deployment benefit attackers?
A: The delayed detonation enables initial access brokers cataloging vulnerable systems, verifying persistence mechanisms, and selling access to other threat actors before encryption occurs. During the delay, attackers conduct reconnaissance mapping networks, escalate privileges through Active Directory, establish multiple persistence methods, and exfiltrate sensitive data for double-extortion leverage. The patience prevents immediate detection while encryption deployment, allowing broader compromise across infrastructure. This explains why organizations patching after initial breach but before encryption still experience ransomware—the vulnerability was remediated but persistent access mechanisms established during delay survive patching enabling later payload deployment.