Mystery OAST Tool Exploits 200 CVEs Using Google Cloud for Large-Scale Attacks

A sophisticated threat actor has been operating a private Out-of-band Application Security Testing (OAST) service hosted on Google Cloud infrastructure to conduct a large-scale exploit campaign targeting more than 200 CVEs, according to new research from VulnCheck.

Private OAST Domain Raises Red Flags

Security researchers at VulnCheck identified unusual activity involving callbacks to detectors-testing.com, an unfamiliar OAST domain not associated with any known public OAST provider.

Unlike typical attackers, who rely on public services such as oast.fun, oast.pro, or interact.sh, this threat actor operates its own private infrastructure.

The investigation revealed approximately 1,400 exploit attempts spanning over 200 unique CVEs linked to this infrastructure.

The attacks primarily used modified Nuclei vulnerability scanning templates to probe for weaknesses across target networks.

All observed malicious activity targeted canary systems deployed in Brazil, indicating a deliberate regional focus.

While VulnCheck operates canary sensors globally, the attacker focused exclusively on Brazilian targets between October and November 2025.

The attacker-controlled OAST subdomains follow a pattern such as i-sh.detectors-testing.com, where compromised systems send HTTP callbacks to confirm successful exploitation.

One documented example involved an attempt to exploit CVE-2025-4428, a remote code execution vulnerability in Ivanti Endpoint Manager Mobile.

The entire operation runs through US-based Google Cloud infrastructure across multiple IP addresses.

Using a major cloud provider gives the attacker significant advantages: defenders rarely block traffic from legitimate cloud services, and malicious communications blend easily with regular network activity.

VulnCheck identified six scanner IPs and one dedicated OAST host, all operating from Google Cloud. The OAST server at 34.136.22.26 has been running Interactsh services across multiple ports for at least a year, since November 2024.

Beyond standard Nuclei templates, the attacker deploys custom payloads that demonstrate technical capability.

Researchers discovered a modified TouchFile.class Java exploit file hosted on the attacker’s server.

This file extends the standard Fastjson 1.2.47 exploitation method with additional command execution and HTTP callback functionality.

The attacker also uses outdated Nuclei templates that were removed from official repositories, suggesting they maintain their own modified scanning toolkit rather than relying solely on public tools.

Indicators of Compromise

Organizations should monitor for connections to detectors-testing.com and its subdomains.

The following Google Cloud IP addresses have been associated with this campaign: 34.172.194.72, 35.194.0.176, 34.133.225.171, 34.68.101.3, 34.42.21.27, 34.16.7.161, and 34.136.22.26.

Security teams should ensure all internet-facing applications are patched against known vulnerabilities, particularly the 200+ CVEs being actively exploited.

Network monitoring for unusual OAST callbacks and regular vulnerability assessments remain essential defenses against such sustained scanning operations.
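As an added example (not from the article or from VulnCheck), the following Python script triages DNS and egress proxy log lines for callbacks to the OAST domain and its subdomains and for connections to the listed Google Cloud IPs. The log line format and the sample lines are constructed assumptions; the indicator values are the ones quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the article from VulnCheck's report.
OAST_DOMAIN = "detectors-testing.com"
CAMPAIGN_IPS = {ipaddress.ip_address(ip) for ip in (
    "34.172.194.72", "35.194.0.176", "34.133.225.171", "34.68.101.3",
    "34.42.21.27", "34.16.7.161", "34.136.22.26")}

# Constructed sample lines (assumed format "<ts> <src_ip> <type> <value>"),
# mixing DNS queries and proxy URL hits. Not real log data.
SAMPLE_LOG = """\
2025-11-03T10:02:11Z 10.0.5.14 dns i-sh.detectors-testing.com
2025-11-03T10:02:12Z 10.0.5.14 http http://i-sh.detectors-testing.com/abc123
2025-11-03T10:03:40Z 10.0.7.2 dns updates.example.org
2025-11-03T10:04:01Z 10.0.5.14 http http://34.136.22.26:8080/x
2025-11-03T10:04:09Z 10.0.9.9 dns notdetectors-testing.com
2025-11-03T10:05:00Z 10.0.9.9 http https://detectors-testing.com.example.net/
"""

def is_oast_name(name: str) -> bool:
    """True for the OAST apex or any subdomain; lookalike names do not match."""
    name = name.rstrip(".").lower()
    return name == OAST_DOMAIN or name.endswith("." + OAST_DOMAIN)

def matches_campaign(value: str) -> bool:
    """Accept a bare hostname, an IP, or a URL; match the domain or scanner IPs."""
    host = (urlsplit(value).hostname or "") if "://" in value else value.split(":")[0]
    if is_oast_name(host):
        return True
    try:
        return ipaddress.ip_address(host) in CAMPAIGN_IPS
    except ValueError:
        return False

def find_callbacks(log_text: str) -> list[tuple[str, str]]:
    """Return (source_ip, value) for each line touching the campaign infrastructure."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and matches_campaign(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits

if __name__ == "__main__":
    for src, value in find_callbacks(SAMPLE_LOG):
        print(f"ALERT {src} -> {value}")
```

The suffix check deliberately requires a leading dot so that lookalike names such as notdetectors-testing.com or detectors-testing.com.example.net are not flagged.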
