A February 2026 campaign used a internal JSP path and in-memory Java class loaders to quietly seed persistent access across Ivanti EPMM deployments - then walked away. We break down the tradecraft.