A sophisticated, large-scale scanning campaign conducted between December 25–28 identified over 240 exploits that threat actors could use to gain access to internet-facing systems. This extensive reconnaissance operation, orchestrated by a single threat actor and originating from two IP addresses linked to CTG Server Limited, signals a concerning evolution in how ransomware operations secure initial access. The attacker systematically probed targets with precise timing, collecting data on a vast inventory of vulnerable systems that is expected to fuel targeted intrusions throughout 2026.
The campaign highlights a strategic shift from direct ransomware attacks to a model where threat actors act as Initial Access Brokers (IABs). These IABs build catalogs of exploitable targets, which are then sold to ransomware groups on the dark web. The timing of this operation, deliberately coinciding with holiday periods when security teams are often reduced and monitoring systems receive less attention, underscores the calculated nature of these advanced persistent threats.
Sophisticated Reconnaissance Campaign Targets 240+ Exploits
Analysis by GreyNoise revealed that the campaign generated over 57,000 unique Out-of-Band Application Security Testing (OAST) subdomains. Researchers identified the tooling as Nuclei, an open-source vulnerability scanner, operated at industrial scale. By correlating JA4 network fingerprints with a Machine ID shared across nearly all detected attempts, GreyNoise analysts were able to conclusively attribute the campaign to a single operator rather than a coordinated group effort.
Each targeted system was subjected to at least 11 different exploit types at intervals of one to five seconds, demonstrating a methodical and thorough approach to vulnerability discovery. This level of systematic probing allowed the threat actor to gather detailed information on the specific weaknesses present in each system, creating a highly valuable dataset for potential sale or direct use in future attacks.
Detection Evasion and Infrastructure Analysis
The threat actor’s choice of CTG Server Limited as hosting provider illustrates how resilient criminal infrastructure is obtained. This Hong Kong-registered hosting entity controls a substantial number of IPv4 addresses and is known for its minimal abuse enforcement. The network has previously been identified as hosting phishing domains and announcing bogon routes, indicating a relaxed approach to network hygiene and security; this makes it an attractive option for operations that require infrastructure resistant to takedowns and blocking attempts.
Organizations are urged to examine their network logs for connections from the IP addresses 134.122.136.119 and 134.122.136.96 during the campaign dates. Reviewing DNS queries for OAST domains such as oast.pro, oast.site, oast.me, oast.online, oast.fun, and oast.live is equally important. Any match in these logs should be treated as a strong indicator that the attacker has identified an exploitable vulnerability within the organization’s network. That access information may already be circulating in criminal marketplaces, potentially leading to targeted ransomware attacks in the near future.
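The retro-hunt described above, as an added example that is not part of the article or of GreyNoise's tooling: it scans constructed connection and DNS log lines for the two scanner IPs and the OAST domains named in the text, correlates the two (an OAST lookup from a host after it was probed is the pattern the article says to treat as a strong indicator), and reports the probe cadence per target so it can be compared with the one-to-five-second interval the report describes. The log formats and the sample lines are assumptions for this example; adapt the two parsers to your own log sources.

```python
"""Retro-hunt for the scanning campaign's indicators (added example).

Assumed (constructed) log formats:
  connection log: '<ISO timestamp> <src_ip> <dst_ip> <dst_port>'
  DNS query log:  '<ISO timestamp> <client_ip> <queried_name>'
The indicator lists below are the ones quoted in the article.
"""
from collections import defaultdict
from datetime import datetime

# Indicators from the article.
SCANNER_IPS = {"134.122.136.119", "134.122.136.96"}
OAST_DOMAINS = ("oast.pro", "oast.site", "oast.me",
                "oast.online", "oast.fun", "oast.live")

# Constructed sample log lines (not real telemetry).
CONN_LOG = """\
2025-12-26T03:14:02Z 134.122.136.119 10.0.5.21 443
2025-12-26T03:14:04Z 134.122.136.119 10.0.5.21 443
2025-12-26T03:14:07Z 134.122.136.119 10.0.5.21 443
2025-12-26T03:20:10Z 198.51.100.7 10.0.5.21 443
2025-12-27T11:02:33Z 134.122.136.96 10.0.8.4 8080
"""
DNS_LOG = """\
2025-12-26T03:14:05Z 10.0.5.21 c3f1a9b2.oast.pro
2025-12-26T03:15:00Z 10.0.5.21 www.example.com
2025-12-27T11:02:40Z 10.0.8.4 ab12cd34.oast.fun
2025-12-27T11:02:41Z 10.0.9.9 mail.internal.example
"""


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_oast_query(qname: str) -> bool:
    """True if qname is an OAST domain or any subdomain of one.
    Matching on the label boundary avoids false hits such as
    'oast.pro.example.com'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in OAST_DOMAINS)


def find_scanner_connections(conn_log: str):
    """(timestamp, src, dst, port) for every connection from a scanner IP."""
    hits = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        if src in SCANNER_IPS:
            hits.append((ts, src, dst, int(port)))
    return hits


def find_oast_queries(dns_log: str):
    """(timestamp, client, qname) for every DNS query naming an OAST domain."""
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        if is_oast_query(qname):
            hits.append((ts, client, qname))
    return hits


def probe_cadence(conn_log: str):
    """Per probed host: (probe count, min gap seconds, max gap seconds).
    Gaps of a few seconds between probes match the article's description
    of the campaign; a single probe yields (1, None, None)."""
    times = defaultdict(list)
    for ts, _src, dst, _port in find_scanner_connections(conn_log):
        times[dst].append(_parse_ts(ts))
    out = {}
    for dst, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        out[dst] = (len(ts_list), min(gaps) if gaps else None,
                    max(gaps) if gaps else None)
    return out


def hosts_needing_triage(conn_log: str, dns_log: str):
    """Internal hosts probed by a scanner IP that afterwards resolved an
    OAST name: the combination the article treats as a strong indicator
    that a probe found something exploitable. Maps host -> OAST name."""
    probed = defaultdict(list)
    for ts, _src, dst, _port in find_scanner_connections(conn_log):
        probed[dst].append(_parse_ts(ts))
    flagged = {}
    for ts, client, qname in find_oast_queries(dns_log):
        t = _parse_ts(ts)
        if client in probed and any(p <= t for p in probed[client]):
            flagged[client] = qname
    return flagged


if __name__ == "__main__":
    for host, (n, lo, hi) in probe_cadence(CONN_LOG).items():
        print(f"{host}: {n} probe(s), gap {lo}-{hi}s")
    for host, name in hosts_needing_triage(CONN_LOG, DNS_LOG).items():
        print(f"TRIAGE {host}: resolved {name} after being probed")
```

Run as-is it reports both constructed hosts for triage; in practice, feed it the connection and DNS logs covering the campaign dates and treat every flagged host as a system whose weakness the scanner confirmed, not merely probed.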
The findings point to a heightened need for proactive security measures, including robust vulnerability management and continuous network monitoring. Threat actors are conducting increasingly sophisticated reconnaissance and timing it for periods of reduced security oversight, which poses a significant challenge to defenders. The next steps for researchers will likely be tracking the dissemination of the gathered intelligence on criminal forums and anticipating the subsequent wave of targeted intrusions enabled by the identified vulnerabilities.