February 22, 2026
GreyNoise reports that over the Christmas period (Dec 25–28) a single operator ran an unusually systematic internet-wide scan designed to “stock” the ransomware ecosystem with fresh targets. Instead of a generic port scan, the actor tested 240+ exploit templates, hit each target with ~11 exploit types, and then confirmed successful findings using out-of-band callbacks (OAST), meaning a vulnerable system would “phone home” to an attacker-controlled domain if the exploit landed. GreyNoise says this created a high-confidence inventory of real, currently exploitable systems—exactly the kind of data that Initial Access Brokers collect and then sell to ransomware crews.
The campaign infrastructure was traced to two IPs hosted at CTG Server Limited (AS152194), with request pacing of every 1–5 seconds, and evidence (JA4 fingerprints + shared machine ID) indicating it was one operator, not a large team. GreyNoise emphasizes why the timing matters: holiday staffing gaps let reconnaissance run longer without being blocked, and the value of the collected vulnerability intel persists well beyond the scan window. They recommend defenders review Dec 25–28 logs for the two source IPs and hunt DNS activity to common OAST domains (e.g., oast.pro, oast.site, etc.); if you see matches, assume a vulnerability was verified and could be re-sold or re-used in follow-on intrusions during 2026.
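One way to run the recommended DNS hunt, as an added example that is not from GreyNoise or the original post: it flags internal clients that resolved an OAST name inside the scan window. The log format, the sample lines, and the year 2025 are assumptions; only the two domains named above are listed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# OAST domains named in the summary; extend with the rest of your list.
OAST_SUFFIXES = ("oast.pro", "oast.site")
# Dec 25-28 window from the report; the year 2025 is an assumption.
WINDOW_START = datetime(2025, 12, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 12, 29, tzinfo=timezone.utc)  # exclusive bound

# Constructed sample lines: "<ISO-8601 time> <client IP> <queried name>"
SAMPLE_LOG = [
    "2025-12-26T03:14:07Z 10.0.4.17 c9x1k2.oast.pro.",
    "2025-12-26T03:14:09Z 10.0.4.17 C9X1K2.OAST.PRO",
    "2025-12-27T11:02:51Z 10.0.9.30 a7f3.oast.site",
    "2025-12-27T11:05:00Z 10.0.9.31 notoast.pro",           # lookalike, no match
    "2025-12-27T11:06:00Z 10.0.9.32 oast.pro.example.com",  # wrong parent zone
    "2025-12-30T08:00:00Z 10.0.9.33 late.oast.site",        # outside the window
    "garbage line",
]

def is_oast(qname):
    """True if qname is an OAST domain or a subdomain of one (label-aligned)."""
    name = qname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in OAST_SUFFIXES)

def hunt(lines):
    """Map each client to the OAST names it resolved inside the window."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts_raw, client, qname = parts
        try:
            ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        except ValueError:
            continue
        if ts.tzinfo is None:
            ts = ts.replace(tzinfo=timezone.utc)  # treat naive times as UTC
        if WINDOW_START <= ts < WINDOW_END and is_oast(qname):
            hits[client].add(qname.rstrip(".").lower())
    return dict(hits)

if __name__ == "__main__":
    for client, names in sorted(hunt(SAMPLE_LOG).items()):
        print(client, sorted(names))
```

Each client returned is a host (or the resolver in front of it) where a callback fired, so it is the system to patch and investigate first.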
Source: https://www.greynoise.io/blog/christmas-scanning-campaign-fuel-2026-attacks