A coordinated exploitation marketing campaign that generated greater than 2.5 million malicious requests towards Adobe ColdFusion servers and 47+ different know-how platforms in the course of the Christmas 2025 vacation interval.
The operation was attributed to a single risk actor working from Japan-based infrastructure. This means a complicated scanning effort by attackers in search of each legacy and new vulnerabilities courting again 20 years.
The targeted ColdFusion part of the marketing campaign exploited 10+ crucial CVEs from 2023–2024, with peak exercise on Christmas Day accounting for 68% of assault site visitors.
The deliberate timing throughout vacation downtime, when safety groups usually function at lowered capability, suggests intentional concentrating on of monitoring gaps.
Roughly 5,940 requests focused ColdFusion servers throughout 20 nations, with the USA accounting for 68% of classes.
Two major IP addresses (134.122.136.119 and 134.122.136.96) hosted by CTG Server Restricted generated the overwhelming majority of assault site visitors.
Assault Warmth map (Supply: Greynoise)
The risk actor leveraged ProjectDiscovery Interactsh, an out-of-band testing platform, for callback verification, deploying almost 10,000 distinctive OAST domains throughout oast.professional, oast. Web site, and oast.me companies.
The first assault vector exploited WDDX deserialization to set off JNDI/LDAP injection, concentrating on the com.solar.rowset.JdbcRowSetImpl gadget chain. Notably, the ColdFusion exercise represents solely 0.2% of the broader operation.
Full marketing campaign evaluation reveals systematic reconnaissance throughout 767 distinct CVEs affecting Java software servers, net frameworks, CMS platforms, and enterprise purposes.
Probably the most incessantly focused vulnerabilities had been CVE-2022-26134 (Confluence OGNL injection) with 12,481 requests and CVE-2014-6271 (Shellshock) with 8,527 requests.
Community fingerprinting evaluation recognized 4,118 distinctive JA4H HTTP signatures, indicating that template-based scanning was possible carried out utilizing Nuclei or related frameworks.
The attacker’s infrastructure exhibited regarding associations: CTG Server Restricted beforehand hosted phishing infrastructure concentrating on luxurious manufacturers, together with Chanel and Cartier, and introduced Bogon routes, suggesting insufficient community hygiene.
In accordance with GreyNoise Labs, organizations ought to instantly block the recognized IP addresses and ASNs, implement signatures for the printed JA4+ fingerprints, and prioritize patching ColdFusion and Java-based infrastructure.
The marketing campaign’s scale and class point out superior reconnaissance capabilities typical of preliminary entry brokers getting ready for downstream assaults.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
