Malicious Requests Against My Web Application (matthewkindzerske.com)
1 point by yamoriyamori on June 30, 2021 | 2 comments



Re "6) “Hey, look at my ads!!!”"

> 2021-04-25T17:00:00: POST http://***.best/

This is not an ad -- the "http://" in the first (path) line tries to invoke HTTP proxy functionality. An open proxy would establish a connection to the attacker's site and post the data there.

Once the attacker has gathered a list of open proxies, it would use those proxies for bypassing password guessing limits, illegal scraping, and ad fraud.


True, but that unfortunate dude who spends his time manually analyzing httpd logs like he sees them for the first time failed to capture a URL path, which should be a hex-encoded data packet like "7220e1df2f7b7f3e1473727de3923ab467d2a4ad54be051e1a251fe2cc01e9a0f293702a9b198e8cbbbf1aaed2e7bf0c617cdcf2993c67a346c671a658a67e2d0130d56fd876f560c8f3441f6d4562a3539d8fd523f060e98262d9c562ed2346". The content is unknown but validated at the server side and, if valid, causes crude JSON with "anonymity" and "realip" fields to be emitted.

I'd say it's too strong to call such humble (and quite crude, for a number of reasons) proxy probes malicious or an attacker's. Every HTTP server gets literally tons of these.
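
The proxy probes discussed in this thread can be separated from ordinary traffic by the form of the request target. The following is an added example, not part of either comment or of the linked article: it parses log lines in the shape quoted above and flags absolute-form targets for foreign hosts and CONNECT requests. The served hostnames and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately answers for.
SERVED_HOSTS = {"myapp.example", "www.myapp.example"}

# Line shape taken from the log line quoted in the thread:
#   <ISO timestamp>: <METHOD> <request-target>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}): (?P<method>[A-Z]+) (?P<target>\S+)$"
)

def classify(method, target, served_hosts=SERVED_HOSTS):
    """Classify a request by its request-target form (RFC 7230, section 5.3)."""
    if method == "CONNECT":
        return "proxy-probe"   # authority-form is only meaningful to a proxy
    if target.startswith("/") or target == "*":
        return "normal"        # origin-form or asterisk-form
    try:
        parts = urlsplit(target)
    except ValueError:
        return "malformed"
    if parts.scheme in ("http", "https") and parts.hostname:
        # absolute-form is legitimate only when it names one of our own hosts
        return "normal" if parts.hostname.lower() in served_hosts else "proxy-probe"
    return "malformed"

def find_proxy_probes(lines, served_hosts=SERVED_HOSTS):
    """Return (timestamp, method, target) for every line that looks like a proxy probe."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and classify(m["method"], m["target"], served_hosts) == "proxy-probe":
            hits.append((m["ts"], m["method"], m["target"]))
    return hits

# Constructed sample log, not taken from the article.
SAMPLE_LOG = """
2021-04-25T16:58:12: GET /login
2021-04-25T17:00:00: POST http://proxy-check.example.net/
2021-04-25T17:00:03: CONNECT other.example.org:443
2021-04-25T17:01:40: GET http://myapp.example/index.html
2021-04-25T17:02:05: OPTIONS *
"""

if __name__ == "__main__":
    for ts, method, target in find_proxy_probes(SAMPLE_LOG.splitlines()):
        print(f"{ts} proxy probe: {method} {target}")
```

A server that answers such requests with its own content or an error is not acting as an open proxy; the flagged lines only matter if the response shows the request was actually relayed.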



