What started as a seemingly targeted holiday raid on Adobe ColdFusion servers has unraveled into a sprawling, industrial-scale cyberattack operation. A new intelligence update from GreyNoise reveals that a campaign initially detected over the Christmas 2025 holiday was merely the tip of the iceberg, masking a “broad, well-coordinated initial access broker campaign” targeting nearly every major technology stack in existence.
While defenders were busy unwrapping gifts, a single threat actor was busy unwrapping vulnerabilities—generating over 2.5 million malicious requests in a matter of days.
The campaign first caught the eye of researchers due to a coordinated spike in exploitation attempts against Adobe ColdFusion servers. The attacker systematically targeted over 10 different vulnerabilities (CVEs) from 2023 and 2024 to breach these systems.
However, as analysts dug deeper, the scope exploded.
“Further analysis revealed the ColdFusion campaign represents a small fraction of a much larger operation,” the report states. “The two primary IPs (134.122.136.119, 134.122.136.96) generated over 2.5 million requests targeting 767 distinct CVEs across 47+ technology stacks.”
The operation appears to be highly centralized. GreyNoise attributed the attack to a “single threat actor operating from Japan-based infrastructure,” specifically identifying the hosting provider CTG Server Limited as the launchpad.
This single source was shockingly prolific, responsible for approximately 98% of the attack traffic observed during the period. The infrastructure leveraged nearly 10,000 unique Interactsh OAST (out-of-band application security testing) domains, a technique used to confirm successful exploits by tricking a target server into connecting back to a domain controlled by the attacker: if the callback arrives, the attacker knows the payload executed even when the HTTP response reveals nothing.
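The callback pattern described above (a random-label subdomain of an Interactsh domain embedded in request data) and the two source IPs quoted from the report can be turned into a simple access-log triage check. The following is an added example written for this article, not GreyNoise's tooling; the Interactsh default domain list is an assumption taken from the project's public documentation, and the log lines are constructed.

```python
import re

# Indicator set quoted from the GreyNoise report: the two primary source IPs.
CAMPAIGN_IPS = {"134.122.136.119", "134.122.136.96"}

# Interactsh default public OAST domains (assumption: taken from projectdiscovery's
# public documentation; extend with whatever your own threat intel supplies).
OAST_DOMAINS = ("interact.sh", "oast.pro", "oast.live", "oast.site",
                "oast.online", "oast.fun", "oast.me")
# An Interactsh payload is a random alphanumeric label in front of one of those domains.
OAST_RE = re.compile(r"\b[a-z0-9]{8,40}\.(?:" + "|".join(map(re.escape, OAST_DOMAINS)) + r")\b",
                     re.IGNORECASE)

# Apache/Nginx combined log format: ip - - [ts] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

def classify(line):
    """Return tags for one access-log line; an empty list means nothing was flagged.
    Lines that do not parse are tagged rather than silently dropped."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    if m["ip"] in CAMPAIGN_IPS:
        tags.append("known-campaign-ip")
    # OAST markers can sit in the path/query string, the Referer, or the User-Agent.
    if any(OAST_RE.search(m[field]) for field in ("req", "ref", "ua")):
        tags.append("oast-callback-probe")
    return tags

def scan(lines):
    """Yield (source_ip, tags, request_line) for every flagged line."""
    for line in lines:
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            yield (m["ip"] if m else None, tags, m["req"] if m else line)

# Constructed sample lines: hostnames, paths and the non-campaign IPs are made up;
# only the two campaign IPs come from the report.
SAMPLE_LOG = """\
134.122.136.119 - - [25/Dec/2025:03:14:07 +0000] "GET /CFIDE/administrator/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Dec/2025:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Dec/2025:03:14:12 +0000] "GET /?url=http://c8f3k2a9b7d1e5f0g2h4.oast.fun HTTP/1.1" 200 512 "-" "curl/8.0"
134.122.136.96 - - [25/Dec/2025:03:14:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "http://x1y2z3a4b5c6d7e8.interact.sh/" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, tags, req in scan(SAMPLE_LOG):
        print(f"{ip!s:16} {','.join(tags):36} {req}")
```

A hit on the OAST tag on a request that returned 200 is the one worth chasing first, since the callback domain only confirms anything if the server actually processed the payload.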
The sheer breadth of the target list suggests an automated “spray and pray” tactic designed to harvest access credentials and webshells from any vulnerable device connected to the internet. The campaign targeted 47+ distinct technology stacks, including:
- Java Application Servers: Tomcat, WebLogic, JBoss (132,113 requests)
- Web Frameworks: Apache, Struts, Spring (91,253 requests)
- CMS Platforms: WordPress, Joomla, Drupal (72,711 requests)
- Network Devices: Cisco, Netgear, F5, D-Link (36,355 requests)
The attackers weren’t just looking for servers; they were hunting for surveillance systems (Dahua, Hikvision) and enterprise monitoring tools (Nagios, Grafana) as well.
While the campaign cast a wide net, certain vulnerabilities were smash hits. The report highlights that reconnaissance made up 56.4% of the activity, followed by direct CVE exploits at 17.1%.
Among the most abused vulnerabilities were:
- CVE-2023-26360: An Adobe ColdFusion Remote Code Execution (RCE) flaw.
- CVE-2017-9841: A critical RCE in PHPUnit.
- CVE-2018-11776: A notorious Apache Struts 2 RCE.
“This appears to be a broad, well-coordinated initial access broker campaign,” GreyNoise concluded, warning that the compromised systems could soon be sold off to ransomware gangs or other cybercriminals for secondary attacks.