Hackers Launch 2.3 Million Attacks on Palo Alto GlobalProtect VPN Portals


Security researchers at GreyNoise have uncovered a massive spike in cyberattacks targeting Palo Alto Networks GlobalProtect VPN systems.

The assault began on November 14, 2025, and quickly escalated into a coordinated campaign striking millions of login portals worldwide.

Massive Attack Surge in Just 24 Hours

The attack intensity surged 40-fold in a single day, marking the highest activity level recorded in the past 90 days.

Since mid-November, threat actors have launched approximately 2.3 million malicious sessions targeting the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect systems.

This unprecedented volume signals a serious threat to enterprise security infrastructure globally.

GreyNoise researchers assess with high confidence that the same threat actor or group orchestrated this campaign.

Several technical indicators point to coordinated activity, including consistent TCP/JA4t signatures appearing across all malicious traffic.

Additionally, the attackers relied heavily on a small set of autonomous systems (ASNs) and showed temporal patterns matching those of previous related campaigns, suggesting a persistent and organized operation.
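As an added example (not code from GreyNoise or from this article), the following Python script shows the kind of check a defender can run over portal web access logs: it counts requests to the /global-protect/login.esp path per day, flags any day whose volume jumps by the 40-fold factor reported above relative to the previous day, and lists the top source addresses for that day. The log format, the addresses and the hit counts are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

PORTAL_PATH = "/global-protect/login.esp"

# Common-log-format pattern: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (assumption, not real traffic): 2 portal hits on 13 Nov,
# 80 on 14 Nov from two sources, plus one unrelated request that must be ignored.
LINE = '{ip} - - [{day}/Nov/2025:{hh:02d}:00:00 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 512'
OTHER = '203.0.113.10 - - [14/Nov/2025:12:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024'
SAMPLE_LOG = "\n".join(
    [LINE.format(ip="203.0.113.10", day=13, hh=h) for h in range(2)]
    + [LINE.format(ip="198.51.100.7", day=14, hh=h % 24) for h in range(60)]
    + [LINE.format(ip="198.51.100.8", day=14, hh=h % 24) for h in range(20)]
    + [OTHER]
)

def parse_login_attempts(log_text, path=PORTAL_PATH):
    """Return (date, source_ip) for every request to the portal login path."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("path") != path:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append((ts.date(), m.group("ip")))
    return events

def daily_counts(events):
    """Number of portal login requests per calendar day."""
    return Counter(day for day, _ in events)

def spike_days(counts, factor=40):
    """Days whose count is at least `factor` times the previous observed day's count."""
    days = sorted(counts)
    return [cur for prev, cur in zip(days, days[1:]) if counts[cur] >= factor * counts[prev]]

def top_sources(events, day, n=5):
    """Most active source addresses on the given day, for blocking or ASN lookup."""
    return Counter(ip for d, ip in events if d == day).most_common(n)

if __name__ == "__main__":
    ev = parse_login_attempts(SAMPLE_LOG)
    for day in spike_days(daily_counts(ev)):
        print(f"spike on {day}: {daily_counts(ev)[day]} hits, top sources {top_sources(ev, day)}")
```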

The campaign’s infrastructure remains highly concentrated in a few key locations.

Approximately 62 percent of all malicious sessions originated from AS200373 (3xK Tech GmbH), which is geolocated in Germany, making it the primary driver of the assault.

Another 15 percent of traffic from the same ASN appeared to originate in Canada, indicating that the attackers likely use a distributed hosting infrastructure.

Secondary traffic came from AS208885 (Noyobzoda Faridduni Saidilhom), forming a consistent but smaller contributor to the overall campaign.

The attackers cast a wide geographic net, with target countries receiving nearly equivalent attack volumes.

The United States, Mexico, and Pakistan emerged as the primary targets, suggesting either indiscriminate scanning or strategic targeting across multiple regions and industries.

Notably, GreyNoise research has identified a troubling historical pattern: brute-force spikes against Fortinet VPN systems typically precede actual vulnerability disclosures by approximately six weeks.

Security teams should remain vigilant, as this current escalation against Palo Alto systems may signal upcoming exploitation of vulnerabilities in the coming weeks.
