← Back to Security Blog
Security Briefing 5 min read

Single Threat Actor Behind 83% of Ivanti Attacks

Security researchers have identified that a single sophisticated threat actor is responsible for the majority of Ivanti EPMM exploitation. Meanwhile, Microsoft zero-days continue to see mass exploitation and BeyondTrust attacks persist.


Critical: Ivanti EPMM Mass Exploitation

Single Actor Behind 83% of Attacks

A single threat actor is behind 83% of all Ivanti Endpoint Manager Mobile (EPMM) attacks observed in the wild. The actor is using a combination of CVE-2023-35078 and newer vulnerabilities to gain initial access to enterprise networks.

Indicators of Compromise

Action: Audit Ivanti EPMM logs immediately and apply all available patches.


Microsoft Zero-Days — Still Under Mass Attack

All six Microsoft zero-days from Patch Tuesday continue to see active exploitation:

CVE Component Exploitation Level
CVE-2026-21391 Windows Kernel Mass exploitation
CVE-2026-21418 SmartScreen Targeted attacks
CVE-2026-21387 MSHTML Widespread
CVE-2026-21377 Windows Installer Increasing
CVE-2026-21402 Exchange Server Targeted
CVE-2026-21356 Print Spooler Mass exploitation

If you haven't patched, assume compromise and investigate.


BeyondTrust: Exploitation Continues

The BeyondTrust Privileged Remote Access RCE (exploited within 24h of PoC) continues to see scanning and exploitation attempts.

Recommended Actions for BeyondTrust Users

  1. Apply emergency patches immediately
  2. Review access logs for unauthorized activity
  3. Consider network isolation until patched
  4. Monitor for lateral movement indicators

Apple Zero-Day: "Extremely Sophisticated"

Apple's description of the iOS zero-day as "extremely sophisticated" suggests nation-state involvement. The attack targeted specific individuals, likely for surveillance purposes.

All Apple users should update, but high-risk individuals (journalists, activists, executives) should treat this as urgent.


Breach Totals This Week

Organization Records Data Type
Odido (Netherlands) 6.2M Telecom customer data
ApolloMD 400K Patient medical records
Retail Chain 200K Payment cards
Total 6.8M+

Kimwolf Botnet Update

The 2M-device Kimwolf botnet continues DDoS attacks against I2P network infrastructure. Researchers believe the botnet is being used to de-anonymize I2P users through traffic analysis.


How Kensai Protects You

Ivanti EPMM Detection — Identify vulnerable instances and IOCs

Real-time CVE Monitoring — All Microsoft zero-days indexed and tracked

BeyondTrust Scanning — Find vulnerable PRA deployments

Breach Intelligence — Stay informed on credential exposures affecting your domain


Today's Priorities

  1. Patch Windows — Zero-days under mass exploitation
  2. Update Apple devices — Sophisticated targeted attack active
  3. Audit Ivanti EPMM — Single actor behind 83% of attacks
  4. BeyondTrust — Emergency patch if using PRA
  5. Monitor for breaches — 6.8M records exposed this week

Protect Your Organization with Kensai

AI-powered vulnerability management with 332,000+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →