VERY IMPORTANT

A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional focus. The operation involves roughly 1,400 exploit attempts spanning more than 200 CVEs. The attacker uses a private OAST domain, detectors-testing.com, which has been active for at least a year. The infrastructure is hosted on US-based Google Cloud, providing practical benefits for the attacker. The actor demonstrates willingness to modify common exploit components, as evidenced by a custom Fastjson payload. This sustained scanning effort suggests a more structured operation than typical exploit spraying.