A large-scale reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was detected between January 28 and February 2, 2026, by the GreyNoise Global Observation Grid.
The coordinated operation combined residential proxy rotation for login panel discovery with concentrated AWS-hosted version disclosure scanning, generating over 111,834 sessions from more than 63,000 unique IP addresses.
The campaign demonstrates sophisticated infrastructure-mapping capabilities, achieving a 79% targeting rate against Citrix Gateway honeypots, significantly exceeding baseline scanning noise and indicating deliberate reconnaissance rather than opportunistic crawling.
Threat actors operated two complementary attack modes simultaneously, suggesting coordinated preparation for exploitation activities targeting known Citrix vulnerabilities.
The reconnaissance operation was split into two distinct but coordinated campaigns with different objectives and infrastructure profiles. The login panel discovery mode generated 109,942 sessions from 63,189 source IPs distributed across residential proxy networks and Azure infrastructure, specifically targeting the /logon/LogonPoint/index.html endpoint.
In contrast, the version disclosure campaign produced 1,892 sessions from just 10 AWS IP addresses concentrated in us-west-1 and us-west-2 regions, focusing on the /epa/scripts/win/nsepa_setup.exe file path.
Both campaigns were activated simultaneously just before February 1st and exclusively targeted Citrix infrastructure, with the complementary objectives of discovering exposed login panels and enumerating software versions.
[Figure: Active Scans for Citrix NetScaler Login Panels]
This dual-pronged approach mirrors tactics observed in previous Citrix exploitation campaigns where attackers mapped vulnerable instances before deploying exploits.
A single Microsoft Azure Canada IP address (52.139.3[.]76) generated 39,461 sessions representing 36% of all login panel traffic, using the Prometheus blackbox-exporter user agent string.
While this user agent can be spoofed and is easily detected, the remaining traffic originated from residential ISP networks across Vietnam, Argentina, Mexico, Algeria, Iraq, and numerous other countries, with each IP conducting only one session.
This residential proxy rotation technique employs unique browser fingerprints for each connection, enabling continuous cycling of both IP addresses and user agent strings.
These legitimate consumer ISP addresses bypass geographic blocking and reputation filtering systems because organizations are reluctant to block potential customer traffic.
The distributed nature makes detection and mitigation significantly more challenging than traditional scanning campaigns.
The version disclosure component executed a focused six-hour scanning sprint on February 1st, with 10 AWS IP addresses firing 1,892 requests targeting the Citrix Endpoint Analysis setup file.
The sprint began at 00:00 UTC with 192 sessions, peaked at 02:00 UTC with 362 sessions, and concluded at 05:00 UTC with 283 sessions. All 10 source IPs used an identical Chrome 50 user agent from 2016 and shared uniform HTTP fingerprint characteristics.
The rapid onset and completion of this scanning sprint suggest a triggered event, potentially following the discovery of vulnerable EPA configurations or intelligence about specific deployment windows.
The targeting of version-specific files suggests interest in exploiting or validating vulnerabilities against known Citrix ADC and NetScaler Gateway weaknesses, including recent critical vulnerabilities such as CVE-2025-5777 (Citrix Bleed 2).
TCP-layer analysis exposed distinct infrastructure separation across the three attack components. The dominant Azure scanner displayed VPN/tunnel nested encapsulation with a reduced maximum segment size (MSS) 62 bytes below standard, demonstrating that operators routed scanning traffic through an additional network layer for operational security.
The distributed residential proxy traffic exhibited Windows TCP stack characteristics with maximum 16-bit window sizes, routed through Linux-based proxy infrastructure, indicating Windows clients connecting through Linux proxy servers.
The AWS version scanners showed jumbo frame MSS values 45 times larger than standard Ethernet allows, requiring datacenter switching infrastructure with 9,000+ byte MTU support that is physically impossible on consumer networks.
Despite these different infrastructure types, all fingerprints shared identical TCP option ordering, indicating common tooling or frameworks underneath the operational compartmentalization. This suggests a single threat actor or coordinated group using modular scanning infrastructure adapted for different reconnaissance objectives.
This reconnaissance activity likely represents infrastructure mapping preceding active exploitation attempts. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses, particularly recent critical vulnerabilities enabling authentication bypass and remote code execution.
Organizations should implement immediate detection and defensive measures, including monitoring for blackbox-exporter user agents from non-authorized sources, alerting on external access to /epa/scripts/win/nsepa_setup.exe, and flagging rapid /logon/LogonPoint/ enumeration patterns. Additional indicators include HEAD requests to Citrix Gateway endpoints and outdated browser fingerprints such as Chrome 50 from 2016.
Defensive recommendations include reviewing external Citrix Gateway exposure to validate business need for internet-facing deployments, implementing authentication requirements for the /epa/scripts/ directory, and configuring Citrix Gateways to suppress version disclosure in HTTP responses. Organizations should also flag access anomalies from residential ISPs in unexpected geographic regions.
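The following detection logic turns the indicators above (unauthorized blackbox-exporter user agents, external hits on /epa/scripts/, HEAD requests, Chrome 50-era fingerprints, and bursts of distinct IPs enumerating /logon/LogonPoint/) into alerts over gateway access logs. It is an added example, not code from GreyNoise or Citrix; the sample log lines, the internal address range, and the authorized prober list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not data from the report).
SAMPLE_LOG = """\
52.139.3.76 - - [01/Feb/2026:00:01:02 +0000] "HEAD /logon/LogonPoint/index.html HTTP/1.1" 200 0 "-" "Blackbox Exporter/0.24.0"
44.251.121.190 - - [01/Feb/2026:02:10:44 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0.2661.102 Safari/537.36"
203.0.113.7 - - [01/Feb/2026:02:11:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/121.0"
198.51.100.4 - - [01/Feb/2026:02:11:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0 (X11; Linux) Firefox/122.0"
10.0.0.5 - - [01/Feb/2026:02:12:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4021 "-" "Blackbox Exporter/0.24.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

AUTHORIZED_PROBERS = {"10.0.0.5"}   # assumption: the org's own blackbox-exporter host
INTERNAL_PREFIXES = ("10.",)        # assumption: the org's internal address range


def detect(log_text, min_distinct_ips=2):
    """Return (ip_or_minute_bucket, reason) alerts for the report's indicators."""
    alerts = []
    logon_ips = defaultdict(set)  # minute bucket -> distinct external IPs hitting the login panel
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, ts, method, path, ua = m["ip"], m["ts"], m["method"], m["path"], m["ua"]
        external = not ip.startswith(INTERNAL_PREFIXES)
        if "blackbox" in ua.lower() and ip not in AUTHORIZED_PROBERS:
            alerts.append((ip, "blackbox-exporter UA from non-authorized source"))
        if external and path.startswith("/epa/scripts/"):
            alerts.append((ip, "external access to /epa/scripts/"))
        if external and method == "HEAD":
            alerts.append((ip, "HEAD request to gateway endpoint"))
        if re.search(r"Chrome/5\d\.", ua):  # Chrome 50-59 builds, 2016-2017 era
            alerts.append((ip, "outdated Chrome 50-era browser fingerprint"))
        if external and path.startswith("/logon/LogonPoint/"):
            logon_ips[ts[:17]].add(ip)  # bucket by minute: DD/Mon/YYYY:HH:MM
    # One-session-per-IP rotation shows up as many distinct IPs per minute, not many hits per IP.
    for bucket, ips in logon_ips.items():
        if len(ips) >= min_distinct_ips:
            alerts.append((bucket, f"{len(ips)} distinct external IPs enumerated /logon/LogonPoint/ in one minute"))
    return alerts


if __name__ == "__main__":
    for who, reason in detect(SAMPLE_LOG):
        print(who, reason)
```

Tune min_distinct_ips to your gateway's normal login volume; the residential proxy traffic in this campaign is characterised by breadth of source addresses rather than request rate per address.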
Indicators of Compromise
Version Disclosure Campaign (AWS Infrastructure):
Login Panel Discovery (Azure Infrastructure):
Organizations operating Citrix ADC Gateway or NetScaler Gateway infrastructure should immediately review access logs for connections from these IP addresses and implement enhanced monitoring for similar reconnaissance patterns.