A February 2026 campaign used a internal JSP path and in-memory Java class loaders to quietly seed persistent access across Ivanti EPMM deployments - then walked away. We break down the tradecraft.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

A February 2026 campaign exploited Ivanti EPMM vulnerabilities (CVE-2026-1281, CVE-2026-1340) to deploy dormant backdoors at /mifs/403.jsp. Instead of immediate exploitation, attackers planted an in-memory Java class loader that waits for a specific trigger parameter to load second-stage payloads. The implant never touches disk, gathers host fingerprinting data, and shows characteristics of initial access broker tradecraft—establishing access for later sale or handoff. No follow-on exploitation was observed, making detection difficult. Organizations should patch immediately, restart application servers to flush in-memory implants, and hunt for specific log indicators including requests to 403.jsp and the parameter k0f53cf964d387.

Sleeper Shells: How Attackers Are Planting Dormant Backdoors in Ivanti EPMM

# Inside base.Info - The In-Memory Loader