Massive Attacks Targeting Palo Alto PAN-OS GlobalProtect Portals from 2,200 IPs


Cybersecurity researchers at GreyNoise have identified a dramatic escalation in malicious scanning activities targeting Palo Alto Networks PAN-OS GlobalProtect login portals, with attacks originating from over 2,200 unique IP addresses as of October 7, 2025.

This represents a significant increase from the approximately 1,300 IPs initially observed on October 3, demonstrating the rapidly evolving nature of this coordinated campaign.

Sharp Increase in Attack Volume and Sophistication

The attack surge has shown remarkable persistence and growth over recent days, with security analysts documenting a sharp rise in the daily number of unique IP addresses conducting reconnaissance against Palo Alto login infrastructure.

Palo Alto Networks Login Scanner

The peak activity recorded on October 7 involved over 2,200 distinct IP addresses actively scanning for vulnerable GlobalProtect portals, indicating either a coordinated effort by multiple threat actors or a single sophisticated operation utilizing distributed infrastructure.

GreyNoise researchers have noted that the increasing diversity of Autonomous System Numbers (ASNs) involved in these scanning activities suggests broadening operator involvement.

This pattern indicates that multiple threat actors may be participating in the campaign, rather than a single coordinated group.

The researchers discovered that approximately 12 percent of all ASN11878 subnets have been allocated to scanning Palo Alto login portals, highlighting the extensive network infrastructure being leveraged for these attacks.

Security analysts believe the elevated pace of login attempts suggests threat actors are systematically iterating through a substantial dataset of compromised credentials.

This methodology is consistent with credential stuffing attacks, where cybercriminals leverage previously breached username and password combinations to attempt unauthorized access across multiple platforms and services.

To assist cybersecurity defenders in their response efforts, GreyNoise has published a comprehensive list of all unique usernames and passwords observed from Palo Alto login attempts during the past week.

This intelligence resource is available through their GitHub repository and provides valuable indicators for organizations to enhance their defensive postures.

The security firm has also produced an Executive Situation Report specifically designed for organizational decision-makers, offering strategic insights into the current threat landscape and recommended defensive measures.

This escalating attack pattern underscores the critical importance of implementing robust authentication mechanisms, monitoring login anomalies, and maintaining updated security protocols for internet-facing network infrastructure components.

Organizations utilizing Palo Alto Networks PAN-OS GlobalProtect should immediately review their authentication logs, implement additional monitoring for suspicious login activities, and consider enhancing their security postures with multi-factor authentication and geographic access restrictions.
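As an added example (not from GreyNoise or Palo Alto Networks), the log review recommended above can be sketched as a check that flags source IPs failing against many distinct usernames in a short window, or trying usernames from a published indicator list, and then reports any successful login that followed. The CSV layout, the thresholds, and the username list are assumptions constructed for illustration; they are not the native PAN-OS log format or the actual GreyNoise data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical export format
# (timestamp,src_ip,username,result); not the native PAN-OS log layout.
SAMPLE_LOG = """\
2025-10-07T10:00:01,198.51.100.7,admin,failure
2025-10-07T10:00:09,198.51.100.7,jsmith,failure
2025-10-07T10:00:15,198.51.100.7,vpnuser,failure
2025-10-07T10:00:21,198.51.100.7,mbrown,success
2025-10-07T10:02:00,203.0.113.20,alice,failure
2025-10-07T10:02:30,203.0.113.20,alice,success
2025-10-07T11:30:00,192.0.2.44,test,failure
"""

# Constructed stand-in for a published list of usernames seen in the scanning.
LISTED_USERNAMES = {"admin", "test", "vpnuser"}

def parse(text):
    for ts, ip, user, result in csv.reader(io.StringIO(text)):
        yield datetime.fromisoformat(ts), ip, user.lower(), result

def detect(events, listed=LISTED_USERNAMES, window=timedelta(minutes=10), min_users=3):
    """Return {ip: finding} for sources that look like credential stuffing."""
    fails, wins = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        (fails if result == "failure" else wins)[ip].append((ts, user))
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        start = peak = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({u for _, u in attempts[start:end + 1]}))
        hits = sorted({u for _, u in attempts} & listed)
        if peak >= min_users or hits:
            first_fail = attempts[0][0]
            # A success after the failures means a tried credential may have worked.
            later_ok = sorted({u for t, u in wins[ip] if t > first_fail})
            findings[ip] = {"distinct_failed_users": peak, "listed_usernames": hits,
                            "success_after_failures": later_ok}
    return findings

if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

A single user who mistypes a password and then logs in (203.0.113.20 in the sample) is not flagged, while any account listed under `success_after_failures` is a candidate for a forced password reset and session review.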


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.