The Mystery OAST Host Behind a Regionally Focused Exploit Operation
Essential information
- Published: 28/11/2025 02:45
- Modified: 21/12/2025 18:16
- Tags: 2025-11-28, CVE-2025-2611, CVE-2025-4428, brazil, exploit, fastjson, google cloud, nuclei, oast, regional targeting, scanning infrastructure
- Related entities: 2 vulnerabilities (CVE), 6 observables, 8 techniques (MITRE), 5 others
Description
A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, providing practical benefits for the attacker. The actor demonstrates willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.