Monday , July 13 2026
OAST

OAST-based exploit platform targets 200 CVEs using Google Cloud

Research from VulnCheck reveals that a highly skilled threat actor has been running a private Out-of-band Application Security Testing (OAST) service on Google Cloud infrastructure, executing an extensive exploit campaign aimed at over 200 CVEs.

Private OAST Domain Raises Red Flags:

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

CIRT identified 153 publicly exposed FortiGate devices in Bangladesh. In an advisory CIRT said, the campaign has been observed globally,...
Read More
CIRT identified 153 publicly exposed FortiGate devices in Bangladesh

Security experts at VulnCheck noticed strange behavior linked to detectors-testing.com, an unknown OAST domain not connected to any known public OAST provider.

Unlike typical attackers who rely on public services like oast. Fun, past, pro, or interact. This threat actor operates their own private infrastructure.

The investigation found around 1,400 exploit attempts related to over 200 different CVEs. The attacks mainly employed modified Nuclei templates to check for vulnerabilities in target networks.

Malicious activity was aimed at Canary Systems in Brazil, showing a specific focus on this region. Although VulnCheck has canary sensors worldwide, the attacker only targeted Brazilian systems from October to November 2025.

Attacker-controlled OAST subdomains, like i-sh.detectors-testing.com, receive HTTP callbacks from compromised systems to confirm successful exploitation.

One documented example involved an attempt to exploit CVE-2025-4428, a remote code execution vulnerability in Ivanti Endpoint Manager Mobile.

The entire operation runs through US-based Google Cloud infrastructure across multiple IP addresses.

Using a main cloud provider helps attackers because defenders rarely block traffic from these services, allowing malicious activity to mix with normal network traffic.

VulnCheck identified six scanner IPs and one dedicated OAST host, all operating from Google Cloud. The OAST server at 34.136.22.26 has been running Interactsh services across multiple ports for at least a year, since November 2024.

The attacker uses custom payloads in addition to standard Nuclei templates to show their skills. Researchers found a modified TouchFile.class Java exploit file on the attacker’s server.

This file extends the standard Fastjson 1.2.47 exploitation method with additional command execution and HTTP callback functionality.

The attacker uses old Nuclei templates that have been removed from official repositories, indicating they keep a modified scanning toolkit instead of just using public tools.

Indicators of Compromise:

Organizations should monitor for connections to detectors-testing.com and its subdomains.

The following Google Cloud IP addresses have been associated with this campaign: 34.172.194.72, 35.194.0.176, 34.133.225.171, 34.68.101.3, 34.42.21.27, 34.16.7.161, and 34.136.22.26.

Security teams must patch all internet-facing applications against known vulnerabilities, especially the 200+ actively exploited CVEs.

Network monitoring for unusual OAST callbacks and regular vulnerability assessments are crucial defenses against ongoing scanning attacks.

Check Also

Apple

New Apple Exploit Bypasses Boot Defenses, Possibly Affects Millions of iPhones Worldwide

Researchers at cybersecurity firm Paradigm Shift found a new flaw called usbliter8. This flaw can …