A coordinated exploitation campaign generated more than 2.5 million malicious requests against Adobe ColdFusion servers and 47+ other technology platforms during the Christmas 2025 holiday period.
The operation was attributed to a single threat actor operating from Japan-based infrastructure, and it reflects a broad scanning effort for both new vulnerabilities and legacy ones dating back as far as 20 years.
The focused ColdFusion phase of the campaign exploited 10+ critical CVEs from 2023–2024, with peak activity on Christmas Day accounting for 68% of attack traffic.
The deliberate timing during holiday downtime, when security teams typically operate at reduced capacity, suggests intentional targeting of monitoring gaps.
Approximately 5,940 requests targeted ColdFusion servers across 20 countries, with the United States accounting for 68% of sessions.
Two primary IP addresses (134.122.136.119 and 134.122.136.96) hosted by CTG Server Limited generated the vast majority of attack traffic.

The threat actor leveraged ProjectDiscovery Interactsh, an out-of-band testing platform, for callback verification, deploying nearly 10,000 unique OAST domains across the oast.pro, oast.site, and oast.me services.
The primary attack vector exploited WDDX deserialization to trigger JNDI/LDAP injection, targeting the com.sun.rowset.JdbcRowSetImpl gadget chain. Notably, the ColdFusion activity represents only 0.2% of the broader operation.
Complete campaign analysis reveals systematic reconnaissance across 767 distinct CVEs affecting Java application servers, web frameworks, CMS platforms, and enterprise applications.
The most frequently targeted vulnerabilities were CVE-2022-26134 (Confluence OGNL injection) with 12,481 requests and CVE-2014-6271 (Shellshock) with 8,527 requests.
Network fingerprinting analysis identified 4,118 unique JA4H HTTP signatures, indicating that template-based scanning was likely performed using Nuclei or similar frameworks.
The attacker’s infrastructure exhibited concerning associations: CTG Server Limited had previously hosted phishing infrastructure targeting luxury brands, including Chanel and Cartier, and announced bogon routes, suggesting inadequate network hygiene.
According to GreyNoise Labs, organizations should immediately block the identified IP addresses and ASNs, implement signatures for the published JA4+ fingerprints, and prioritize patching ColdFusion and Java-based infrastructure.
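The following detector is an added example, not code from the article or from GreyNoise. It turns the indicators the article reports into a log-scanning check a defender can run: the two published source IPs, Interactsh OAST callback domains (oast.pro, oast.site, oast.me), JNDI lookup strings, the com.sun.rowset.JdbcRowSetImpl gadget name, and WDDX packets posted to ColdFusion endpoints. The JSON-lines log format, its field names, and the sample records are assumptions constructed for illustration; the JA4+ fingerprints the article mentions are not reproduced on the page, so fingerprint matching is left out.

```python
"""
Added example (not from the original article or GreyNoise): scan constructed
WAF-style request logs for the campaign indicators the article describes.
Log format, field names and sample records are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass, field

# Source IPs named in the article (hosted by CTG Server Limited).
KNOWN_ATTACKER_IPS = {
    ipaddress.ip_address("134.122.136.119"),
    ipaddress.ip_address("134.122.136.96"),
}

# Interactsh OAST services named in the article; any host under these apexes
# appearing inside a request is a callback-verification indicator.
OAST_APEX_DOMAINS = ("oast.pro", "oast.site", "oast.me")
OAST_RE = re.compile(
    r"\b([a-z0-9-]+\.)+(" + "|".join(re.escape(d) for d in OAST_APEX_DOMAINS) + r")\b",
    re.IGNORECASE,
)

# JNDI lookup prefixes and the rowset gadget class the article names.
JNDI_RE = re.compile(r"jndi:(?:ldaps?|rmi|dns)://", re.IGNORECASE)
GADGET_RE = re.compile(r"com\.sun\.rowset\.JdbcRowSetImpl", re.IGNORECASE)
# WDDX packet root element, and ColdFusion paths (.cfm/.cfc handlers, /CFIDE/).
WDDX_RE = re.compile(r"<wddxPacket\b", re.IGNORECASE)
CF_PATH_RE = re.compile(r"\.cf[cm]\b|/CFIDE/", re.IGNORECASE)


@dataclass
class Finding:
    client_ip: str
    path: str
    reasons: list[str] = field(default_factory=list)
    oast_hosts: list[str] = field(default_factory=list)


def analyze_request(rec: dict) -> Finding | None:
    """Return a Finding when the request matches any indicator, else None."""
    ip = rec.get("client_ip", "")
    path = rec.get("path", "")
    # Assumed log fields: query string, body excerpt and headers are searched together.
    haystack = " ".join(
        [rec.get("query", ""), rec.get("body", ""), json.dumps(rec.get("headers", {}))]
    )
    reasons: list[str] = []
    try:
        if ipaddress.ip_address(ip) in KNOWN_ATTACKER_IPS:
            reasons.append("known-attacker-ip")
    except ValueError:
        pass  # unparsable client_ip field; fall through to content checks
    oast_hosts = sorted({m.group(0).lower() for m in OAST_RE.finditer(haystack)})
    if oast_hosts:
        reasons.append("oast-callback-domain")
    if JNDI_RE.search(haystack):
        reasons.append("jndi-lookup")
    if GADGET_RE.search(haystack):
        reasons.append("jdbcrowsetimpl-gadget")
    if WDDX_RE.search(haystack) and CF_PATH_RE.search(path):
        reasons.append("wddx-to-coldfusion")
    return Finding(ip, path, reasons, oast_hosts) if reasons else None


def scan_log(lines: list[str]) -> list[Finding]:
    """Parse JSON-lines records, skipping malformed lines instead of aborting the scan."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        hit = analyze_request(rec)
        if hit:
            findings.append(hit)
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Findings per source IP: the view a blocklist decision starts from."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.client_ip] = counts.get(f.client_ip, 0) + 1
    return counts


# Constructed sample records (not real traffic); 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges. Payload bodies are deliberately elided with "...".
SAMPLE_LOG = [
    json.dumps({"client_ip": "134.122.136.119", "method": "POST",
                "path": "/CFIDE/administrator/index.cfm", "query": "",
                "body": "<wddxPacket version='1.0'><data><struct>...</struct></data></wddxPacket>",
                "headers": {"User-Agent": "Mozilla/5.0"}}),
    json.dumps({"client_ip": "203.0.113.7", "method": "GET", "path": "/api/health",
                "query": "", "body": "", "headers": {"User-Agent": "curl/8.0"}}),
    json.dumps({"client_ip": "198.51.100.23", "method": "POST",
                "path": "/cfusion/endpoint.cfc", "query": "method=test",
                "body": "<wddxPacket version='1.0'>...com.sun.rowset.JdbcRowSetImpl..."
                        "jndi:ldap://abc123.oast.pro/x...</wddxPacket>",
                "headers": {}}),
    "this line is not json",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit.client_ip, hit.path, ",".join(hit.reasons), hit.oast_hosts)
    print(summarize(scan_log(SAMPLE_LOG)))
```

The checks are independent so that a request from an unlisted IP still surfaces on content alone (the third sample record), which matters because the article attributes the bulk of traffic, not all of it, to the two published addresses. The IP match is exact rather than ASN-wide; extending it to the hosting provider's announced prefixes would follow the same pattern with `ipaddress.ip_network` containment.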
The campaign’s scale and sophistication indicate advanced reconnaissance capabilities typical of initial access brokers preparing for downstream attacks.
