Unveiling a Covert OAST Operation Exploiting Over 200 CVEs via Google Cloud
In a significant development within the cybersecurity domain, researchers have identified a clandestine Out-of-Band Application Security Testing (OAST) service operating through Google Cloud infrastructure. This operation distinguishes itself by utilizing proprietary infrastructure, deviating from the common practice of leveraging public OAST services. The threat actors behind this initiative have orchestrated a targeted campaign, exploiting over 200 distinct vulnerabilities across specific regions.
Discovery and Initial Observations
Between October and November 2025, security analysts documented approximately 1,400 exploit attempts associated with this operation. Unlike typical attackers who rely on public OAST platforms such as oast.fun or interact.sh, this entity employs a private OAST domain, detectors-testing.com. The anomaly was first detected when callbacks were traced to subdomains of i-sh.detectors-testing.com, a domain not linked to any recognized OAST provider or widely used scanning framework.
VulnCheck’s security team identified this operation after noting unusual patterns in their Canary Intelligence traffic. The campaign integrates standard Nuclei scanning templates with bespoke payloads, enhancing its reach and effectiveness. Notably, all observed activities were concentrated on systems deployed in Brazil, indicating a deliberate regional focus. Although AbuseIPDB reports flagged the same attacker IP addresses in Serbia and Turkey, VulnCheck’s data revealed exclusive targeting of Brazilian systems.
Infrastructure and Operational Tactics
The attackers’ infrastructure comprises multiple Google Cloud IP addresses, with six designated for exploit scanning and one serving as the OAST host. Utilizing Google Cloud offers strategic advantages, as defenders are less likely to block major U.S. cloud providers, and traffic to Google networks seamlessly blends with regular communication. This operation has been active since at least November 2024, reflecting a sustained, long-term effort rather than opportunistic scanning.
Evidence from an open directory on port 9000 unveiled a modified Java class file named TouchFile.class, originally documented in Fastjson 1.2.47 exploitation examples. The attackers have enhanced the basic version to accept custom commands and HTTP requests through parameters, demonstrating their capability to modify publicly available exploit tools to suit their objectives.
The decompiled code indicates that, in the absence of parameters, it executes a default command to create a file at /tmp/success3125. However, when ‘cmd’ or ‘http’ parameters are provided, it executes those commands or initiates outbound HTTP requests accordingly.
Technical Analysis of Exploit Mechanisms
The attackers employ a combination of current and outdated Nuclei templates to probe for vulnerabilities. For instance, they utilize the deprecated grafana-file-read.yaml template, removed from the official nuclei-templates repository in early October 2025. The continued use of this older template suggests that the attackers either rely on third-party Nuclei-based scanners or have not updated their scanning tools, allowing them to target a broader spectrum of vulnerabilities.
The exploit payloads follow a consistent pattern: successful exploitation prompts the compromised host to make HTTP requests back to attacker-controlled OAST subdomains. For example, in an attack exploiting CVE-2025-4428 affecting Ivanti Endpoint Manager Mobile, the payload compels the victim system to contact a specific subdomain under detectors-testing.com. This callback mechanism enables attackers to verify successful exploitation and potentially gather additional information from the compromised systems.
Implications and Recommendations
The emergence of this private OAST operation underscores the evolving sophistication of cyber threats. By leveraging custom infrastructure and focusing on specific regions, attackers can conduct more targeted and effective campaigns. The use of Google Cloud infrastructure further complicates detection and mitigation efforts, as it allows malicious activities to blend with legitimate traffic.
Organizations, particularly those operating in Brazil, should remain vigilant and implement robust security measures to detect and prevent such exploit attempts. Regularly updating scanning tools and monitoring for unusual traffic patterns can aid in identifying and mitigating these threats. Collaboration with cybersecurity researchers and sharing threat intelligence can also enhance the collective defense against such sophisticated operations.
