{
  "name": "The Mystery OAST Host Behind a Regionally Focused Exploit Operation",
  "slug": "the-mystery-oast-host-behind-a-regionally-focused-exploit-operation",
  "description": "A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to extend its reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, which gives the attacker practical advantages. The actor has shown a willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.",
  "published": "2025-11-28T01:45:43+00:00",
  "created_at": "2025-11-28T01:45:43+00:00",
  "modified_at": "2025-12-21T17:16:03+00:00",
  "created_at_opencti": "2025-11-28T01:45:43+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-11-28",
    "CVE-2025-2611",
    "CVE-2025-4428",
    "brazil",
    "exploit",
    "fastjson",
    "google cloud",
    "nuclei",
    "oast",
    "regional targeting",
    "scanning infrastructure"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "26.22.136.34"
      },
      {
        "id": "",
        "name": "34.136.22.26"
      },
      {
        "id": "",
        "name": "34.172.194.72"
      },
      {
        "id": "",
        "name": "34.42.21.27"
      },
      {
        "id": "",
        "name": "34.16.7.161"
      },
      {
        "id": "",
        "name": "34.133.225.171"
      }
    ],
    "attack_patterns": [
      {
        "id": "e73b317e-ea92-49b4-a45d-051f7279aced",
        "name": "T1213"
      },
      {
        "id": "eb118bf2-fdf2-4b49-a470-0acabf7608ad",
        "name": "T1505"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "53c193a7-f726-4bd2-ae88-4019e2604adf",
        "name": "T1046"
      },
      {
        "id": "d570881a-1f73-41ca-ad6c-fc29256c76f9",
        "name": "T1595"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      },
      {
        "id": "5dee2969-7083-430e-9083-73bab54c3a18",
        "name": "T1590"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-4428"
      },
      {
        "id": "",
        "name": "CVE-2025-2611"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Brazil"
      },
      {
        "id": "",
        "name": "Serbia"
      },
      {
        "id": "",
        "name": "d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com"
      },
      {
        "id": "",
        "name": "20d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com"
      },
      {
        "id": "",
        "name": "i-sh.detectors-testing.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69290cd72a059f2c7ea720db",
    "https://www.vulncheck.com/blog/mystery-oast"
  ]
}