GreyNoise researchers have observed a coordinated reconnaissance campaign targeting Citrix ADC (NetScaler) Gateway infrastructure worldwide.
The operation used over 63,000 residential proxy IPs and AWS cloud infrastructure to map login panels and enumerate software versions, a clear indicator of pre-exploitation preparation.
The scanning activity generated 111,834 sessions from more than 63,000 unique IP addresses, with 79% of traffic specifically aimed at Citrix Gateway honeypots.
This targeted approach far exceeds baseline internet scanning noise, indicating deliberate infrastructure mapping rather than opportunistic activity.
The campaign operated in two distinct phases: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated version disclosure sprint run from AWS infrastructure.
Login Panel Discovery Phase
The primary phase involved 109,942 scanning sessions from 63,189 unique IPs targeting the /logon/LogonPoint/index.html authentication interface.
Approximately 64% of this traffic originated from residential proxies distributed across Vietnam, Argentina, Mexico, Algeria, Iraq, and other countries.
A single Microsoft Azure IP address in Canada accounted for the remaining 36% of traffic, identifiable by its Prometheus blackbox-exporter user agent.
Residential proxies enabled threat actors to bypass geographic blocking and reputation-based filtering because these IPs appear as legitimate consumer ISP addresses.
Each IP used unique browser fingerprints, allowing effective rotation of both addresses and user agent strings.
Version Disclosure Phase
On February 1, 2026, ten AWS instances launched a focused six-hour scanning sprint, sending 1,892 requests to /epa/scripts/win/nsepa_setup.exe to enumerate Citrix Endpoint Analysis (EPA) versions.
Activity peaked at 362 sessions around 02:00 UTC before tapering off by 05:00 UTC.
All 10 source IPs used the same Chrome 50 user agent from 2016 and shared uniform HTTP fingerprint characteristics.
| Phase | Sessions | Source IPs | Infrastructure |
|---|---|---|---|
| Login Panel Discovery | 109,942 | 63,189 | Azure + residential proxies |
| Version Disclosure | 1,892 | 10 | AWS us-west-1/us-west-2 |
The rapid onset and completion suggest the discovery of vulnerable EPA configurations or intelligence about deployment windows may have triggered this phase.
GreyNoise researchers noted that targeting the EPA setup file path suggests interest in developing version-specific exploits or validating vulnerabilities against known Citrix ADC weaknesses.
Recent critical-severity vulnerabilities affecting Citrix products include CVE-2025-5777 (dubbed “CitrixBleed 2”), an out-of-bounds memory read in NetScaler ADC and Gateway, and CVE-2025-7775, a memory overflow flaw leading to remote code execution that was exploited as a zero-day.
Detection and Defense
GreyNoise provided several detection opportunities for this reconnaissance activity:
- Monitor for blackbox-exporter user agent from non-authorized sources
- Alert on external access to /epa/scripts/win/nsepa_setup.exe
- Flag rapid enumeration patterns against /logon/LogonPoint/ paths
- Watch for HEAD requests to Citrix Gateway endpoints
- Track outdated browser fingerprints, specifically Chrome 50 from 2016
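The five detection opportunities above, expressed as log-analysis logic. This is an added example, not GreyNoise's or Citrix's own tooling: it parses web-server access logs in Apache/nginx "combined" format, and the sample log lines, the 60-second window and the distinct-IP threshold are assumptions chosen for illustration. The ten AWS addresses are the ones listed in the IOC section below.

```python
"""Detection heuristics for the Citrix Gateway reconnaissance described above.

Added example, not GreyNoise's or Citrix's own tooling. It reads web-server
access logs in Apache/nginx "combined" format; the sample lines, the 60-second
window and the distinct-IP threshold are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# "combined" format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The ten AWS source IPs of the version-disclosure sprint, from this page's IOC list.
AWS_VERSION_DISCLOSURE_IPS = {
    "44.251.121.190", "13.57.253.3", "50.18.232.85", "52.36.139.223", "54.201.20.56",
    "54.153.0.164", "54.176.178.13", "18.237.26.188", "54.219.42.163", "18.246.164.162",
}
EPA_SETUP_PATH = "/epa/scripts/win/nsepa_setup.exe"
LOGON_PREFIX = "/logon/LogonPoint/"
GATEWAY_PREFIXES = ("/logon/", "/epa/")   # Citrix Gateway paths named on this page
WINDOW_SECONDS = 60                       # assumed bucket size for enumeration detection
LOGON_IP_THRESHOLD = 3                    # assumed: distinct IPs per window before alerting

# Constructed sample log lines (not real traffic); the date matches the AWS sprint.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2026:01:58:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
203.0.113.11 - - [01/Feb/2026:01:58:07 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0"
203.0.113.12 - - [01/Feb/2026:01:58:20 +0000] "HEAD /logon/LogonPoint/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.1.15"
198.51.100.7 - - [01/Feb/2026:01:58:45 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Blackbox Exporter/0.24.0"
44.251.121.190 - - [01/Feb/2026:02:00:05 +0000] "HEAD /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
13.57.253.3 - - [01/Feb/2026:02:00:09 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 2031616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
192.0.2.55 - - [01/Feb/2026:02:03:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
203.0.113.10 - - [01/Feb/2026:02:03:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def classify(ev):
    """Per-request detection labels from the five opportunities listed above."""
    labels = set()
    ua = ev["ua"].lower()
    if "blackbox" in ua:  # blackbox-exporter identifies itself as "Blackbox Exporter/<ver>"
        labels.add("blackbox_exporter_ua")
    if ev["path"] == EPA_SETUP_PATH:
        labels.add("epa_setup_access")
    if ev["method"] == "HEAD" and ev["path"].startswith(GATEWAY_PREFIXES):
        labels.add("head_to_gateway_endpoint")
    if re.search(r"chrome/50\.", ua):  # 2016-era Chrome 50 shared by all ten AWS scanners
        labels.add("chrome50_ua")
    if ev["ip"] in AWS_VERSION_DISCLOSURE_IPS:
        labels.add("known_aws_ioc")
    return labels


def logon_enumeration_windows(events):
    """Windows in which >= LOGON_IP_THRESHOLD distinct IPs hit /logon/LogonPoint/.

    Per-IP rate limits miss residential-proxy rotation (roughly one request per
    IP), so the signal is distinct sources per window, not requests per source.
    """
    buckets = defaultdict(set)
    for ev in events:
        if ev["path"].startswith(LOGON_PREFIX):
            buckets[int(ev["ts"].timestamp()) // WINDOW_SECONDS].add(ev["ip"])
    return {b: ips for b, ips in buckets.items() if len(ips) >= LOGON_IP_THRESHOLD}


def analyze(log_text):
    """Return ({ip: labels}, {window: distinct_ips}) for a block of log text."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    hits = defaultdict(set)
    for ev in events:
        hits[ev["ip"]].update(classify(ev))
    flagged = {ip: labels for ip, labels in hits.items() if labels}
    return flagged, logon_enumeration_windows(events)


if __name__ == "__main__":
    per_ip, windows = analyze(SAMPLE_LOG)
    for ip, labels in sorted(per_ip.items()):
        print(f"{ip:16} {', '.join(sorted(labels))}")
    for bucket, ips in windows.items():
        print(f"enumeration window {bucket * WINDOW_SECONDS}: {len(ips)} distinct IPs on {LOGON_PREFIX}")
```

The per-request labels catch the AWS sprint (EPA path, HEAD method, Chrome 50, known IOC) on a single line, while the login-panel phase only shows up in the aggregate: each residential proxy sends about one request, so the window logic counts distinct source addresses rather than requests per address.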
Defensive recommendations include reviewing the business necessity of internet-facing Citrix Gateway deployments, requiring authentication for the /epa/scripts/ directory, configuring Citrix Gateways to suppress version disclosure in HTTP responses, and monitoring for access anomalies from residential ISPs in unexpected geographic regions.
IOCs
Primary IPs (Version Disclosure – AWS):
- 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56
- 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162
Primary IP (Login Panel – Azure):