GreyNoise Labs Weekly OAST (Well-known Out-of-band Interaction Domains) Report • Week Ending 2026-01-24

GreyNoise observed a seven-day, high-volume scanning campaign (9,004 sessions, 313 source IPs) that embedded Interactsh OAST callback domains in exploit payloads to detect successful remote code execution and redirect vulnerabilities — primarily targeting Spring Cloud Gateway code injection and Keycloak open-redirect (CVE-2024-8883). The activity features an anomalous TCP MSS fingerprint (65495) indicating custom tooling, 5,171 decoded OAST domains across 425 campaign identifiers, heavy concentration in VPS/bulletproof ASNs (notably AS9009 / 146.70.116.218), and actionable IOCs and detection recommendations for network and JA4-based defenses.