Between December 25–28, a single threat actor conducted a large-scale scanning campaign, testing over 240 different exploits against internet-facing systems and collecting data on every vulnerable target found.
This reconnaissance operation, operating from two IP addresses linked to CTG Server Limited (AS152194), represents a new level of sophistication in how initial access is secured for ransomware operations.
The attacker systematically probed targets at intervals of one to five seconds, with each system receiving 11 different exploit types to identify weaknesses.
The campaign reveals a concerning shift in ransomware operations. Rather than launching direct attacks, these threat actors are acting as Initial Access Brokers (IABs), building catalogs of vulnerable systems to sell to ransomware groups.
The data collected during this four-day window provides a confirmed inventory of exploitable targets that will likely fuel targeted intrusions throughout 2026.
The timing was deliberate, taking advantage of holiday periods when security teams are reduced, and detection systems receive minimal attention.
Greynoise analysts identified the campaign by detecting over 57,000 unique Out-of-Band Application Security Testing (OAST) subdomains tied to ProjectDiscovery’s Interactsh platform.
The researchers noted that the tooling matched Nuclei, an open-source vulnerability scanner, run at industrial scale.
.webp "Threat Actors Attacking Systems with 240+ Exploits Before Ransomware Deployment 3")
By analyzing JA4 network fingerprints and a shared Machine ID across 98 percent of attempts, Greynoise analysts confirmed this was a single operator conducting the attack, not a coordinated group effort.
Detection Evasion and Infrastructure Analysis
The attacker’s choice of CTG Server Limited raises significant concerns about resilient infrastructure for criminal operations.
This Hong Kong-registered hosting provider controls approximately 201,000 IPv4 addresses across 672 prefixes and operates with minimal abuse enforcement.
The network previously identified as hosting phishing domains within FUNNULL CDN infrastructure and announces bogon routes, indicating poor network hygiene practices that make it attractive for operations requiring infrastructure that can withstand blocking attempts.
Organizations need to examine their logs from the campaign dates for connections to the suspicious IP addresses 134.122.136.119 and 134.122.136.96, as well as DNS queries to OAST domains including oast.pro, oast.site, oast.me, oast.online, oast.fun, and oast.live.
If matches are discovered, organizations should assume attackers have confirmed vulnerabilities in their networks, and that this access information may already be available for purchase in criminal marketplaces.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
