Current Cyber Threats

The Ransomware Ground Game: How A Christmas Scanning Campaign Will Fuel 2026 Attacks

Summary:
Between December 25–28, 2025, a single operator launched a systematic reconnaissance campaign targeting vulnerable systems across the internet. The attacker tested over 240 different exploits, probing thousands of systems and logging every successful hit. According to security firm GreyNoise, the operator used two IP addresses to conduct the scans:
  • 134[.]122[.]136[.]119
  • 134[.]122[.]136[.]96
Notably, these IPs belong to CTG Server Limited, a Hong Kong-registered hosting provider, which is known for operating with minimal abuse enforcement, making it an attractive choice for cybercriminal operations.

While the two IPs were responsible for initiating the scans, GreyNoise notes that the actor employed Out-of-Band Application Security Testing (OAST) domains to confirm vulnerabilities. In this case, each time a system is exploited, it is directed to make an outbound request to the attacker’s callback server (the OAST domain), allowing the actor to confirm that the system is vulnerable.

“We identified over 57,000 unique OAST subdomains, all tied to ProjectDiscovery's Interactsh platform. The tooling matches what we'd expect from Nuclei, an open-source vulnerability scanner, run at industrial scale,” stated GreyNoise in its recent blog post.

Security Officer Comments:
The scans taking place over Christmas were opportunistic, as many organizations operate with reduced security staffing and slower response times during holidays, making large-scale reconnaissance less likely to be noticed. Rather than launching attacks immediately, the operator focused on quietly identifying and confirming exploitable systems, building a reliable list of vulnerable targets using automated scanning and callback verification.

This confirmed vulnerability dataset is highly valuable to threat actors. In 2026, we can expect ransomware groups or initial access brokers to use or sell this data to quickly gain access to organizational networks.

Suggested Corrections:
Review server and network logs from December 25–28 for these IPs:
  • 134[.]122[.]136[.]119
  • 134[.]122[.]136[.]96
Examine DNS logs for queries to OAST domains:
  • oast[.]pro
  • oast[.]site
  • oast[.]me
  • oast[.]online
  • oast[.]fun
  • oast[.]live
If you find matches, assume the attacker has confirmed a vulnerability in your environment. They now have data suggesting how to get in—and that data may already be for sale.
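The log review above, and the callback mechanism described in the summary, can be worked through as a small triage script. The following is an added example written for this page; it is not code from GreyNoise or from the original report. It assumes Apache/nginx combined-format access logs and BIND-style DNS query logs with UTC timestamps (the report does not state a timezone), refangs the defanged indicators from the page, flags any scanner-IP request or OAST lookup inside the December 25–28 window, and then pairs each scanner request with OAST lookups from internal hosts that follow it within a short gap, since that pairing is what a confirmed callback looks like in your own logs. All log lines are constructed samples.

```python
import re
from datetime import datetime, timedelta, timezone

# Indicators from the GreyNoise report, as defanged on the page.
SCANNER_IPS_DEFANGED = ["134[.]122[.]136[.]119", "134[.]122[.]136[.]96"]
OAST_DOMAINS_DEFANGED = ["oast[.]pro", "oast[.]site", "oast[.]me",
                         "oast[.]online", "oast[.]fun", "oast[.]live"]

# Review window from the report; timezone is an assumption (UTC), end is exclusive.
WINDOW_START = datetime(2025, 12, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 29, tzinfo=timezone.utc)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (134[.]122[.]136[.]119) back into a matchable one."""
    return indicator.replace("[.]", ".")


SCANNER_IPS = {refang(ip) for ip in SCANNER_IPS_DEFANGED}
OAST_DOMAINS = tuple(refang(d) for d in OAST_DOMAINS_DEFANGED)


def is_oast_domain(name: str) -> bool:
    """True for an OAST apex domain or any subdomain of one (not for 'notoast.me')."""
    host = refang(name).lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OAST_DOMAINS)


# Combined-format access log: client ip, timestamp, request line, status, size.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')

# BIND query log: "26-Dec-2025 04:12:10.551 client 10.0.0.5#53211: query: x.oast.pro IN A + (10.0.0.2)"
DNS_RE = re.compile(
    r'^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: '
    r'query: (?P<qname>\S+) IN (?P<qtype>\S+)')


def parse_access_line(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the review
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "request": m["req"], "status": int(m["status"])}


def parse_dns_line(line):
    m = DNS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"client": m["client"], "ts": ts, "qname": m["qname"], "qtype": m["qtype"]}


def in_window(ts) -> bool:
    return WINDOW_START <= ts < WINDOW_END


def find_scanner_hits(access_lines):
    """Requests from the two reported scanner IPs inside the review window."""
    recs = (parse_access_line(l) for l in access_lines)
    return [r for r in recs if r and r["ip"] in SCANNER_IPS and in_window(r["ts"])]


def find_oast_callbacks(dns_lines):
    """Internal hosts resolving OAST names inside the window: a callback was attempted."""
    recs = (parse_dns_line(l) for l in dns_lines)
    return [r for r in recs if r and is_oast_domain(r["qname"]) and in_window(r["ts"])]


def correlate(scanner_hits, callbacks, max_gap=timedelta(seconds=60)):
    """Pair each scanner request with OAST lookups that follow it within max_gap."""
    pairs = []
    for req in scanner_hits:
        for cb in callbacks:
            if req["ts"] <= cb["ts"] <= req["ts"] + max_gap:
                pairs.append((req, cb))
    return pairs


def triage(access_lines, dns_lines):
    """Return (scanner_hits, callbacks, hosts_to_investigate); any host in the last
    list should be treated as confirmed exploitable, per the report's guidance."""
    hits = find_scanner_hits(access_lines)
    callbacks = find_oast_callbacks(dns_lines)
    return hits, callbacks, sorted({c["client"] for c in callbacks})


# Constructed sample logs (not real traffic): two scanner requests in the window,
# one outside it, and OAST lookups from two internal hosts shortly after.
SAMPLE_ACCESS = [
    '134.122.136.119 - - [26/Dec/2025:04:12:09 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Dec/2025:04:13:00 +0000] "GET / HTTP/1.1" 200 1024',
    '134.122.136.96 - - [27/Dec/2025:11:03:44 +0000] "POST /api/upload HTTP/1.1" 500 0',
    '134.122.136.119 - - [02/Jan/2026:09:00:00 +0000] "GET / HTTP/1.1" 200 10',
]
SAMPLE_DNS = [
    "26-Dec-2025 04:12:10.551 client 10.0.0.5#53211: query: cj3k2abc.oast.pro IN A + (10.0.0.2)",
    "26-Dec-2025 04:12:10.800 client 10.0.0.5#53212: query: cj3k2abc.oast.pro IN AAAA + (10.0.0.2)",
    "26-Dec-2025 05:00:00.000 client 10.0.0.9#40001: query: www.example.com IN A + (10.0.0.2)",
    "26-Dec-2025 05:00:01.000 client 10.0.0.9#40003: query: notoast.me IN A + (10.0.0.2)",
    "27-Dec-2025 11:03:45.002 client 10.0.0.12#40002: query: x7y8z9.oast.live IN A + (10.0.0.2)",
]

if __name__ == "__main__":
    hits, callbacks, hosts = triage(SAMPLE_ACCESS, SAMPLE_DNS)
    for req, cb in correlate(hits, callbacks):
        print(f"{req['ts']:%Y-%m-%d %H:%M:%S} {req['ip']} {req['request']!r} -> "
              f"{cb['client']} resolved {cb['qname']} {cb['qtype']}")
    print("hosts to investigate:", hosts)
```

Run as-is it prints three request/callback pairs and lists 10.0.0.5 and 10.0.0.12 as hosts to investigate. The suffix check in `is_oast_domain` deliberately requires a dot before the apex so that unrelated names such as `notoast.me` do not produce false positives, and the window filter drops the January request so the review stays scoped to the dates the report names; widen `max_gap` if your resolver logs are batched or your clocks drift.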

Link(s):
https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks