More than 80% of exploitation activity targeting critical vulnerabilities in Ivanti Endpoint Manager Mobile was traced to a single IP address hiding behind bulletproof hosting infrastructure, according to a report released Tuesday by GreyNoise.
Researchers warn that several of the most widely shared indicators of compromise linked to the current threat campaign show no activity tied to Ivanti EPMM. The concern is that security teams may therefore be looking for the wrong information, as the current IoCs reflect scanning for Oracle WebLogic instead, according to GreyNoise researchers.
Late last month, Ivanti disclosed critical code injection vulnerabilities tracked under CVE-2026-1281 and CVE-2026-1340. The flaws impact the on-premises version of Ivanti EPMM and could allow an attacker to achieve remote code execution.
GreyNoise researchers first detected threat activity targeting CVE-2026-1281 on Feb. 1 and recorded 417 exploitation sessions through Feb. 9 from eight unique source IPs. One IP, registered to Prospero OOO, generated 83% of the sessions. The IP was geolocated to St. Petersburg, Russia, according to GreyNoise.
Threat activity has accelerated in recent days, with GreyNoise data showing 269 sessions on Sunday, a sharp increase from the prior daily average of 21. Researchers from Shadowserver Foundation on Tuesday reported a surge in threat activity. More than 28,000 source IPs were observed in Shadowserver data, with more than 20,000 seen from U.S. networks.
As previously reported, the Dutch Data Protection Authority and the Judicial Council were breached through Ivanti EPMM exploitation. The European Commission was also investigating an attack linked to Ivanti EPMM.
An investigation into the EC incident found a possible leak of data, including the names and numbers of certain staff members, according to a source familiar with the investigation. Additional measures were taken to mitigate the vulnerabilities, and further steps are being taken to reduce the overall risk.