Security researchers have uncovered a private Out-of-Band Application Security Testing (OAST) operation, hosted on Google Cloud infrastructure, that is being used to probe internet-facing systems for more than 200 Common Vulnerabilities and Exposures (CVEs). What sets it apart from routine exploit scanning is its callback infrastructure: instead of borrowing a public OAST service, the operators run their own, and they have kept it running for an extended period.
Between October and November 2025, approximately 1,400 exploit attempts linked to this campaign were observed, concentrated on a narrow set of regions. Whereas most threat actors rely on public OAST services, this group operates its own domain, detectors-testing.com, and that custom domain is what first drew the attention of security professionals.
Mystery OAST Operation Leverages Google Cloud for Widespread Exploitation
The discovery of this clandestine OAST service was made by VulnCheck security researchers who identified unusual patterns in their Canary Intelligence traffic. The operation distinguishes itself by employing custom infrastructure rather than relying on readily available public services such as oast.fun or interact.sh. The public Interactsh domains are well known to defenders and routinely flagged, so a private domain lets the attackers keep a lower profile and makes their activity harder to detect and attribute.
The campaign combines standard Nuclei scanning templates with custom-developed payloads to broaden its coverage. A notable aspect of the operation is its regional focus: all activity observed by VulnCheck was directed at systems located in Brazil. AbuseIPDB reports indicate the same attacker IP addresses have also been flagged in Serbia and Turkey, but VulnCheck's in-depth analysis points to a concentrated effort against Brazilian targets.
The underlying infrastructure powering this operation is built on multiple Google Cloud IP addresses. Six of these addresses act as exploit scanners, while a seventh serves as the OAST host. Hosting on Google Cloud works in the attackers' favour: few organizations can block the address ranges of a major U.S. cloud provider without breaking legitimate services, so scanner and callback traffic blends into ordinary background communications and escapes coarse network-level filtering.
Evidence suggests this operation has been operational since at least November 2024, indicating a sustained, long-term campaign rather than opportunistic, short-lived scans. This longevity points to a well-resourced and determined threat actor.
Technical Breakdown of the Exploit Mechanism
Further investigation into the operation's technical underpinnings revealed a modified Java class file, TouchFile.class, located in an open directory on port 9000. The file is a derivative of publicly available exploit examples for Fastjson 1.2.47, in which a class of this kind is the payload that a vulnerable application is induced to fetch and load remotely; serving it from an open directory fits that pattern. The attackers have extended the class to accept custom commands and HTTP requests through added parameters, adapting an existing exploit example to their own objectives.
The decompiled code of TouchFile.class shows that, with no parameters supplied, it runs a default command that touches /tmp/success3125, a harmless marker whose presence tells the operator that code execution succeeded. When a 'cmd' or 'http' parameter is present, the class instead executes the specified command or initiates an outbound HTTP request, the latter being what ties a successful exploit to the OAST callback infrastructure. For defenders, a file named /tmp/success3125 on a host running Fastjson-based applications is a direct host-level indicator that the default payload ran.
The attackers employ a mix of current and outdated Nuclei templates for their vulnerability probing. For instance, the old grafana-file-read.yaml template, which was officially removed from the nuclei-templates repository in early October 2025, has been found in active use. The presence of this older template suggests the attackers might be using third-party Nuclei-based scanners like 'dddd' or have simply neglected to update their scanning toolkits. Mixing old and new templates widens coverage, but it also leaves a fingerprint: requests generated by a template that no longer exists upstream are a signature defenders can match.
Following a successful exploitation, the compromised host is induced to make HTTP requests back to attacker-controlled OAST subdomains. An example of this is an attempted exploitation of CVE-2025-4428, which affects Ivanti Endpoint Manager Mobile. In such cases, the payload forces the victim system to communicate with a unique subdomain such as d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com, where the long random label lets the attacker correlate the callback with the probe that triggered it. This callback mechanism lets the attacker confirm that a payload executed even when the vulnerable service returns nothing useful in its response, as with blind injection flaws. For defenders the same callback is often the only observable sign that an exploit succeeded, which is why unexpected outbound DNS lookups and HTTP requests from application servers to unfamiliar domains deserve close scrutiny.
The OAST host, identified at the IP address 34.136.22.26, consistently runs Interactsh listeners on ports 80, 443 and 389 (HTTP, HTTPS and LDAP), the protocols over which a payload can be made to phone home. This configuration confirms its role as a dedicated callback collector, in effect a command and control endpoint whose job is to receive exploit verification callbacks from compromised systems.
The continued operation of such private OAST services poses an ongoing challenge to cybersecurity defenses. Since blocking an entire cloud provider's address ranges is rarely practical, organizations are advised to alert on outbound DNS lookups and HTTP requests for detectors-testing.com and its subdomains, on connections to 34.136.22.26 (particularly on ports 80, 443 and 389), and on unexpected egress from internet-facing application servers in general, while keeping systems patched against the CVEs the scanners target. The next expected step in monitoring this threat will involve tracking any shifts in regional targeting or the adoption of new exploitation techniques by this persistent actor.
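The callback subdomains and the OAST host described above are the indicators a defender can act on. The following is an added example, not VulnCheck's tooling or code from the operation, that scans constructed DNS, proxy and flow log lines for those indicators: hostnames under detectors-testing.com (extracting the Interactsh-style correlation token when present) and connections to 34.136.22.26 on the reported listener ports. The "src=<ip>" field in the log lines is an assumed convention of the constructed format, not a real log schema.

```python
"""Flag OAST-style callbacks to the reported detectors-testing.com
infrastructure in egress DNS, proxy and flow logs.

The domain, host IP and ports are the indicators reported in the article;
the log line format (including the "src=<ip>" field) is constructed for
this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OAST_DOMAIN = "detectors-testing.com"   # reported OAST domain
OAST_HOST_IP = "34.136.22.26"            # reported OAST host
OAST_PORTS = {80, 443, 389}              # reported Interactsh listeners (HTTP, HTTPS, LDAP)

# Any hostname under the OAST domain (apex included), wherever it sits in the line.
# Lookarounds stop "notdetectors-testing.com" from matching as the apex domain.
HOST_RE = re.compile(
    r"(?<![a-z0-9-])((?:[a-z0-9-]+\.)*" + re.escape(OAST_DOMAIN) + r")(?![a-z0-9-])",
    re.IGNORECASE,
)
# Interactsh-style correlation token: a long, purely alphanumeric leftmost label,
# e.g. d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com
TOKEN_RE = re.compile(r"^([a-z0-9]{20,})\.")
# Destination ip:port pairs, e.g. "dst=34.136.22.26:389".
DST_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Source host, in the constructed "src=<ip>" convention assumed here.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Hit:
    src: str         # internal host that made the connection
    kind: str        # "oast-domain" or "oast-host"
    indicator: str   # matched hostname or ip:port
    token: str       # Interactsh correlation token, "" if none
    line: str


def scan_line(line: str) -> list[Hit]:
    """Return every OAST indicator found in one log line."""
    m = SRC_RE.search(line)
    src = m.group(1) if m else "unknown"
    hits: list[Hit] = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        t = TOKEN_RE.match(host)
        hits.append(Hit(src, "oast-domain", host, t.group(1) if t else "", line))
    for ip, port in DST_RE.findall(line):
        # Only the reported host on its reported listener ports: other Google Cloud
        # addresses carry ordinary traffic and must not be flagged by IP alone.
        if ip == OAST_HOST_IP and int(port) in OAST_PORTS:
            hits.append(Hit(src, "oast-host", f"{ip}:{port}", "", line))
    return hits


def scan_lines(lines) -> list[Hit]:
    return [hit for line in lines for hit in scan_line(line)]


def summarize(hits) -> dict[str, list[str]]:
    """Map each internal source host to the sorted indicators it touched.
    A source that appears here most likely executed an attacker payload."""
    by_src: dict[str, set[str]] = {}
    for h in hits:
        by_src.setdefault(h.src, set()).add(h.indicator)
    return {src: sorted(inds) for src, inds in sorted(by_src.items())}


# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    # DNS resolver log: the lookup leg of a blind callback from an internal host
    "2025-11-03T12:01:07Z src=10.20.30.40 dns query A d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com",
    # Proxy log: the HTTP leg of the same callback
    "2025-11-03T12:01:08Z src=10.20.30.40 proxy GET http://d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com/ 200",
    # Flow log: direct connection to the OAST host on its LDAP listener
    "2025-11-03T12:01:09Z src=10.20.30.41 flow tcp dst=34.136.22.26:389 bytes=412",
    # Benign traffic to an unrelated Google Cloud address: must not be flagged
    "2025-11-03T12:01:10Z src=10.20.30.42 flow tcp dst=34.136.22.27:443 bytes=9001",
    # Benign DNS
    "2025-11-03T12:01:11Z src=10.20.30.42 dns query A www.example.com",
    # Proxy log: TLS connect to the apex domain itself (no correlation token)
    "2025-11-03T12:01:12Z src=10.20.30.43 proxy CONNECT detectors-testing.com:443 200",
]


if __name__ == "__main__":
    for src, inds in summarize(scan_lines(SAMPLE_LOGS)).items():
        print(f"{src}: {', '.join(inds)}")
```

The summary is keyed by internal source host rather than by indicator because the question an incident responder needs answered is which servers phoned home, and therefore which ones most likely ran a payload; the correlation token is kept on each hit so that a DNS lookup and the HTTP request that followed it can be tied together.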