
GreyNoise tracks massive Citrix Gateway recon using 63K+ residential proxies and AWS

GreyNoise spotted a dual-mode Citrix Gateway recon campaign using 63K+ residential proxies and AWS to find login panels and enumerate versions.

Between Jan 28 and Feb 2, 2026, GreyNoise tracked a coordinated reconnaissance campaign targeting Citrix ADC and NetScaler Gateways. Attackers used over 63,000 residential proxies to discover login panels, then switched to AWS infrastructure to aggressively enumerate exposed versions across more than 111,000 sessions.

The activity logged 111,834 sessions from over 63,000 IPs, with 79% aimed at Citrix Gateway honeypots, pointing to targeted infrastructure mapping rather than random crawling.

“The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically,” reads the report published by GreyNoise. “That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.”

GreyNoise describes two related campaigns against Citrix infrastructure just before February 1, 2026: one scanned the internet for Gateway login panels, and the other rapidly probed the software version of the hosts it found, pointing to a coordinated, two-stage reconnaissance effort.

The login-discovery stage relied heavily on residential proxies. A single Azure-hosted IP accounted for a large share of the traffic, but the remainder came from thousands of legitimate consumer IPs around the world, each presenting a distinct browser fingerprint, which helps the traffic evade geofencing and IP-reputation filters.

The version-check stage ran for roughly six hours from just 10 AWS IPs, all presenting the same outdated Chrome fingerprint. The speed and focus of this stage suggest the operators moved quickly against the targets identified by the discovery stage.

The Azure scanner routed its traffic through VPNs or tunnels, visible as a TCP maximum segment size (MSS) slightly below the Ethernet default, which is consistent with encapsulation overhead and points to careful operational security. The residential traffic originated from Windows devices but exited through Linux proxies, blending the scans into ordinary consumer traffic. The AWS version scanners used an MSS consistent with jumbo frames, which requires a datacenter-class network path rather than a consumer connection, confirming that this stage ran on dedicated infrastructure.

TCP analysis therefore shows three different infrastructure setups on top of one shared framework: Azure traffic through VPN tunnels, residential scans through Linux proxies, and AWS scans with datacenter-only network settings. What ties them together is the TCP option ordering, which is identical across all three and indicates the same underlying tooling.

“Despite different infrastructure types, all fingerprints share identical TCP option ordering, which is an indicator of common tooling or framework underneath the operational compartmentalization,” continues the report.
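The TCP reasoning in the report (an MSS lowered by tunnel overhead, an MSS raised by jumbo frames, and identical option ordering across all three infrastructure types) can be reproduced on raw SYN headers. The following Python is an added example, not GreyNoise's tooling or code from the report: it builds constructed SYN segments standing in for each infrastructure type (the MSS values, ports and option layouts are illustrative choices, not captures from the campaign), parses the option list back out, classifies the MSS against the 1460-byte Ethernet default and checks whether the option order is shared.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}
ETHERNET_MSS = 1460  # 1500-byte MTU minus 20-byte IPv4 and 20-byte TCP headers


@dataclass(frozen=True)
class SynFingerprint:
    mss: Optional[int]
    window: int
    option_order: Tuple[str, ...]

    @property
    def option_signature(self) -> str:
        return ",".join(self.option_order)


def build_syn(src_port: int, dst_port: int, window: int, options: bytes) -> bytes:
    """Build a raw TCP SYN header (no IP header) carrying the given options."""
    options += b"\x00" * ((-len(options)) % 4)  # pad options to a 32-bit boundary
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002  # data offset, SYN flag only
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, offset_flags, window, 0, 0) + options


def parse_syn(segment: bytes) -> SynFingerprint:
    """Extract MSS, window size and the option kinds, in order, from a raw TCP SYN."""
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    offset_flags, window = struct.unpack("!HH", segment[12:16])
    header_len = (offset_flags >> 12) * 4
    if not (offset_flags & 0x002) or (offset_flags & 0x010):
        raise ValueError("not an initial SYN (SYN must be set, ACK clear)")
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    opts, i, mss, order = segment[20:header_len], 0, None, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # EOL: nothing after it is an option
            order.append("EOL")
            break
        if kind == 1:            # NOP: one byte, used for alignment
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad length {length} for option kind {kind}")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        order.append(OPTION_NAMES.get(kind, f"K{kind}"))
        i += length
    return SynFingerprint(mss, window, tuple(order))


def classify_mss(mss: Optional[int]) -> str:
    """Read the MSS as the report does: tunnels lower it, jumbo-frame paths raise it."""
    if mss is None:
        return "unknown"
    if mss < ETHERNET_MSS:
        return "tunnel-reduced"
    return "jumbo-frame" if mss > ETHERNET_MSS else "ethernet-default"


def linux_style_options(mss: int, window_scale: int = 7) -> bytes:
    """Option layout a Linux stack puts in a SYN: MSS, SACKOK, TS, NOP, WS."""
    return (struct.pack("!BBH", 2, 4, mss) + bytes([4, 2])
            + struct.pack("!BBII", 8, 10, 0x1A2B3C4D, 0) + bytes([1, 3, 3, window_scale]))


def windows_style_options(mss: int, window_scale: int = 8) -> bytes:
    """Option layout a Windows stack puts in a SYN: MSS, NOP, WS, NOP, NOP, SACKOK."""
    return struct.pack("!BBH", 2, 4, mss) + bytes([1, 3, 3, window_scale, 1, 1, 4, 2])


# Constructed SYNs standing in for the infrastructure types in the report. The MSS
# and option values are illustrative choices for this example, not campaign captures.
SAMPLE_SYNS: Dict[str, bytes] = {
    "azure-vpn-tunnel": build_syn(51000, 443, 64240, linux_style_options(1400)),
    "residential-linux-proxy": build_syn(52000, 443, 64240, linux_style_options(1460)),
    "aws-jumbo-frames": build_syn(53000, 443, 64240, linux_style_options(8960)),
    "direct-windows-client": build_syn(54000, 443, 65535, windows_style_options(1460)),
}
SCANNER_SYNS = ["azure-vpn-tunnel", "residential-linux-proxy", "aws-jumbo-frames"]


def shared_option_order(segments: List[bytes]) -> bool:
    """True when every SYN carries the same option kinds in the same order."""
    return len({parse_syn(s).option_signature for s in segments}) == 1


def analyze_samples() -> Dict[str, Tuple[str, str]]:
    """Map each sample name to (option signature, MSS class)."""
    fps = {name: parse_syn(seg) for name, seg in SAMPLE_SYNS.items()}
    return {name: (fp.option_signature, classify_mss(fp.mss)) for name, fp in fps.items()}


if __name__ == "__main__":
    for name, (sig, mss_class) in analyze_samples().items():
        print(f"{name:24s} options={sig:26s} mss={mss_class}")
    print("shared option order across scanner SYNs:", shared_option_order([SAMPLE_SYNS[k] for k in SCANNER_SYNS]))
```

Run stand-alone, the three scanner SYNs classify as tunnel-reduced, ethernet-default and jumbo-frame respectively while sharing the signature MSS,SACKOK,TS,NOP,WS; the direct Windows client carries a different order, so adding it breaks the shared-tooling check. On real traffic the same parser would be fed the TCP payload of captured SYNs rather than the constructed samples.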

The reconnaissance most likely maps Citrix infrastructure ahead of exploitation, and the specific interest in the EPA (Endpoint Analysis) plugin setup file path suggests version-specific exploit development or vulnerability validation. GreyNoise advises organizations to monitor for unusual user agents, rapid login-page enumeration, outdated browser fingerprints and external access to sensitive paths such as the EPA setup file. Recommended defenses include limiting the exposure of Gateway login pages, enforcing authentication in front of them, suppressing version information in responses and flagging traffic from unexpected regions.

“This reconnaissance activity likely represents infrastructure mapping before exploitation. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses,” concludes the report, which includes Indicators of Compromise (IoCs).
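The monitoring advice above (unusual user agents, rapid login-page enumeration, outdated browser fingerprints, external hits on the EPA setup path) translates directly into detection logic over web access logs. The following Python is an added example written for this article, not GreyNoise's detection rules or any Citrix-provided tooling. The Gateway URL prefixes and the EPA setup path are assumed for the example, since the report excerpt here names only "the EPA setup file path"; the Chrome version cut-off and the burst threshold are tunable assumptions; and the log lines are constructed samples in the combined log format, not captures from the campaign.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Combined log format as written by nginx/Apache; the field names are this example's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Gateway paths to watch. Assumed for the example; the report excerpt does not
# name the exact EPA setup URL.
GATEWAY_PREFIXES = ("/vpn/", "/logon/LogonPoint/", "/epa/")
EPA_SETUP_PATH = "/epa/scripts/win/nsepa_setup.exe"

# Tunable thresholds (assumptions): a Chrome major version below this is treated
# as an outdated fingerprint; this many gateway requests from one source inside
# the window is treated as enumeration rather than a user logging in.
MIN_CHROME_MAJOR = 100
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(seconds=60)


@dataclass
class Request:
    ip: str
    ts: datetime
    path: str
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return Request(m.group("ip"), ts, m.group("path"), m.group("ua"))


def chrome_major(ua: str) -> Optional[int]:
    """Chrome major version claimed by a user agent, or None if it is not Chrome."""
    m = re.search(r"Chrome/(\d+)\.", ua)
    return int(m.group(1)) if m else None


def analyze(lines: List[str]) -> Dict[str, List[str]]:
    """Per source IP, the sorted list of detection reasons it triggered on gateway paths."""
    per_ip: Dict[str, List[Request]] = defaultdict(list)
    findings: Dict[str, set] = defaultdict(set)
    for line in lines:
        req = parse_line(line)
        if req is None or not req.path.startswith(GATEWAY_PREFIXES):
            continue  # only requests aimed at the Gateway matter here
        per_ip[req.ip].append(req)
        if req.path == EPA_SETUP_PATH:
            findings[req.ip].add("epa-setup-path")
        if not req.ua.startswith("Mozilla/"):
            findings[req.ip].add("unusual-user-agent")
        major = chrome_major(req.ua)
        if major is not None and major < MIN_CHROME_MAJOR:
            findings[req.ip].add("outdated-chrome")
    # Burst check: BURST_THRESHOLD or more gateway requests inside any BURST_WINDOW.
    for ip, reqs in per_ip.items():
        times = sorted(r.ts for r in reqs)
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= BURST_WINDOW) >= BURST_THRESHOLD:
                findings[ip].add("rapid-enumeration")
                break
    return {ip: sorted(reasons) for ip, reasons in findings.items()}


# Constructed sample log lines (not from the campaign). Documentation IP ranges only.
OLD_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36")
NEW_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")


def _line(ip: str, ts: str, path: str, ua: str, status: int = 200) -> str:
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("203.0.113.10", "28/Jan/2026:10:00:01", "/vpn/index.html", OLD_CHROME),
    _line("203.0.113.10", "28/Jan/2026:10:00:03", "/logon/LogonPoint/index.html", OLD_CHROME),
    _line("203.0.113.10", "28/Jan/2026:10:00:05", EPA_SETUP_PATH, OLD_CHROME),
    _line("203.0.113.10", "28/Jan/2026:10:00:07", "/vpn/index.html", OLD_CHROME),
    _line("203.0.113.10", "28/Jan/2026:10:00:09", "/vpn/pluginlist.xml", OLD_CHROME),
    _line("203.0.113.10", "28/Jan/2026:10:00:12", EPA_SETUP_PATH, OLD_CHROME, 404),
    _line("198.51.100.7", "28/Jan/2026:10:05:00", "/vpn/index.html", NEW_CHROME),
    _line("203.0.113.77", "28/Jan/2026:10:06:00", "/vpn/index.html", "Go-http-client/1.1"),
    _line("192.0.2.5", "28/Jan/2026:10:07:00", "/index.html", NEW_CHROME),
]

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

Against the sample, 203.0.113.10 triggers all three of the report's indicators at once (EPA setup path, outdated Chrome, six gateway requests in eleven seconds), 203.0.113.77 is flagged only for its non-browser user agent, and the single current-Chrome login from 198.51.100.7 produces nothing, which is the behaviour a practitioner wants so that ordinary users do not drown out the scanners. Paths outside the Gateway prefixes are ignored entirely, so the thresholds need tuning only against Gateway traffic.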

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)