Security researchers at VulnCheck have uncovered a sophisticated exploit campaign leveraging a private out-of-band application security testing (OAST) service hosted on Google Cloud.
This operation targeted over 200 Common Vulnerabilities and Exposures (CVEs) with around 1,400 exploit attempts between October 12 and November 14, 2025, focusing exclusively on honeypot systems in Brazil.
Unlike typical attackers, who rely on free public OAST services such as oast.pro or interact.sh, this actor runs its own domain, i-sh.detectors-testing.com, from IP address 34.136.22.26 in Council Bluffs, Iowa.
The OAST setup simplifies vulnerability confirmation for attackers, enabling detection of issues such as remote code execution (RCE), server-side request forgery (SSRF), and deserialization flaws via external callbacks.
VulnCheck’s Canary Intelligence honeypots captured these callbacks, including one for CVE-2025-4428, an RCE in Ivanti Endpoint Manager Mobile (EPMM).
The payload injected Java Expression Language code via the /api/v2/featureusage endpoint, attempting to execute a curl command to a unique subdomain like d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com.
Attack traffic originated from multiple Google Cloud IPs in the US, including scanners at 34.172.194.72, 35.194.0.176, 34.133.225.171, 34.68.101.3, 34.42.21.27, and 34.16.7.161.
Hosting on a major cloud provider helps evade blocking, since defenders rarely restrict traffic that appears to come from legitimate networks.
Most exploits matched standard Nuclei scanner templates from ProjectDiscovery. However, some used outdated versions, such as grafana-file-read.yaml, which was removed from the official repository in October 2025.
This template persists in third-party tools like dddd, suggesting that customized or unpatched scanning configurations are in use.
The Brazil-only targeting among global honeypots suggests deliberate regional scouting. At the same time, AbuseIPDB flags indicate activity in other countries, such as Serbia and Turkey.
An open directory on port 9000 exposed TouchFile.class, a modified Java gadget for Fastjson 1.2.47 exploitation.
Decompiled analysis reveals that it parses the “cmd” query parameter to run shell commands, or the “http” parameter for outbound requests, defaulting to writing to /tmp/success3125 if none is provided.
This extends the public Vulhub demos: shell commands run through Runtime.exec() and outbound requests go through HttpURLConnection.
Telemetry shows Interactsh services on ports 80, 443, 389, and 25 at 34.136.22.26 since at least November 2024, indicating persistent infrastructure that is unusual for opportunistic scanners.
References link detectors-testing.com to Androxgh0st malware, though VulnCheck attributes no specific actor.
Defenders should monitor for OAST callbacks, patch CVEs promptly, and scan their own exposure to counter automated campaigns that blend stock tooling with custom modifications.
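One way to implement the callback monitoring recommended above, added here as an example and not part of VulnCheck's report or tooling: it scans DNS query logs for lookups under the OAST domains named in the article and for Interactsh-style random correlation-ID labels under any domain. The log lines, the log format and the entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (not from the report); format: "<ts> <client_ip> <qname>".
SAMPLE_DNS_LOG = """\
2025-11-01T10:00:01Z 10.0.5.12 d4bqsd6e47mo47d93lpgq55d3j111y6em.i-sh.detectors-testing.com
2025-11-01T10:00:02Z 10.0.5.12 updates.example-vendor.com
2025-11-01T10:00:03Z 10.0.7.33 c9k2v1x8z0a3b5n7m4q6w8e1r3t5y7u9.oast.pro
2025-11-01T10:00:04Z 10.0.7.33 www.google.com
2025-11-01T10:00:05Z 10.0.9.1 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.interact.sh
2025-11-01T10:00:06Z 10.0.9.1 mail.internal.corp
2025-11-01T10:00:07Z 10.0.9.1 x7f3k9q2m1p8w5z4b6n0v3c7j2h9l4r1.cb.oast-server-placeholder.example
"""

# OAST base domains from the report: the actor's private domain plus the public services it contrasts with.
OAST_DOMAINS = {"i-sh.detectors-testing.com", "oast.pro", "interact.sh"}

def shannon_entropy(s):
    """Bits of entropy per character; random alphanumeric IDs score well above plain words."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_oast_callback(qname):
    """Return a reason string if the query name looks like an OAST callback, else None.

    Check 1: suffix match against the watchlist. Check 2 (heuristic, assumed threshold):
    a long, random-looking leftmost label, as Interactsh uses for per-probe correlation IDs.
    The heuristic will also flag some CDN/telemetry hostnames, so treat it as a lead, not a verdict.
    """
    qname = qname.rstrip(".").lower()
    for base in OAST_DOMAINS:
        if qname == base or qname.endswith("." + base):
            return f"known OAST domain {base}"
    first = qname.split(".")[0]
    if len(first) >= 20 and re.fullmatch(r"[a-z0-9]+", first) and shannon_entropy(first) > 3.5:
        return "random-looking leftmost label"
    return None

def find_oast_callbacks(log_text):
    """Return (client_ip, qname, reason) for every log line that matches."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        reason = looks_like_oast_callback(qname)
        if reason:
            hits.append((client, qname, reason))
    return hits

if __name__ == "__main__":
    for client, qname, reason in find_oast_callbacks(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {reason}")
```

Feed it the DNS resolver or proxy logs of the hosts you expose, and pivot from any hit to the originating request (for example the /api/v2/featureusage call in the EPMM case) to find which service emitted the callback.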