Global Reconnaissance Campaign Targets Citrix ADC and Gateway Systems

Listen to this Post

Featured Image
A massive, coordinated global scanning operation has recently been observed targeting Citrix ADC (NetScaler) Gateway infrastructure, signaling a serious pre-exploitation reconnaissance effort. Cybersecurity analysts warn that this activity is not ordinary internet noise but a deliberate attempt to map vulnerable systems, likely in preparation for future attacks. By leveraging a mix of residential proxies and cloud instances, threat actors are probing login portals and endpoint components at unprecedented scale, making attribution and detection significantly harder.

The campaign, detected by multiple telemetry sources and analyzed by GreyNoise, generated over 111,834 scanning sessions from more than 63,000 unique IP addresses, with 79% of traffic targeting Citrix Gateway honeypots. Such a volume far surpasses typical background scanning and clearly indicates an organized operation rather than opportunistic probing.

Phased Reconnaissance Operation

Researchers identified two distinct phases in this campaign:

1. Login Panel Discovery Phase

This initial phase focused on enumerating Citrix login panels. Over 109,942 sessions targeted the /logon/LogonPoint/index.html login page. Notably, 64% of IPs originated from residential proxies in countries such as Vietnam, Argentina, Mexico, Algeria, and Iraq, enabling attackers to bypass IP filters and geoblocks. One Microsoft Azure IP in Canada accounted for 36% of requests, using the Prometheus blackbox-exporter user agent. Each proxy used unique browser fingerprints and user agents, further complicating correlation and attribution.

2. Version Disclosure Phase

On February 1, 2026, the attackers shifted focus to Citrix Endpoint Analysis (EPA) components. Ten AWS instances executed 1,892 requests to /epa/scripts/win/nsepa_setup.exe over a six-hour burst, peaking at 362 sessions around 02:00 UTC. All AWS sources shared identical outdated Chrome 50 user agents and HTTP headers, strongly suggesting a single orchestrator deploying disposable cloud instances for scanning.

Mode Sessions Source IPs Infrastructure

Login Panel Discovery 109,942 63,189 Azure + Residential Proxies

Version Disclosure 1,892 10 AWS us-west-1/us-west-2

Implications and Vulnerability Context

Security researchers link these scans to potential exploit development targeting known Citrix vulnerabilities, including CVE-2025-5777 (CitrixBleed 2) and CVE-2025-5775 (remote code execution). The focus on EPA setup paths suggests version validation and testing for targeted exploits.

Organizations using Citrix Gateway are urged to implement defensive measures, including:

Monitoring for blackbox-exporter user agents from unknown sources.

Alerting on requests to /epa/scripts/win/nsepa_setup.exe.

Detecting rapid login enumeration attempts to /logon/LogonPoint/.

Flagging access using outdated browser fingerprints like Chrome 50.

Restricting internet exposure, enforcing authentication on sensitive directories, and hiding software version disclosures.

Monitoring traffic from residential ISP ranges and unusual geographies can significantly reduce the effectiveness of reconnaissance.

Indicators of Compromise (IOCs)

Version Disclosure – AWS: 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162

Login Panel – Azure: 52.139.3.76

What Undercode Say:

This Citrix-focused reconnaissance campaign highlights how threat actors are escalating sophistication in pre-exploitation tactics. By combining residential proxies and disposable cloud instances, attackers make it extremely difficult for defenders to rely solely on IP-based filtering or geolocation blocks. Residential proxies, in particular, are a clever choice—they mimic legitimate consumer traffic, helping evade detection while delivering massive scanning volume.

The use of staged phases also shows methodical planning. Initial login panel discovery allows attackers to map active endpoints, while the second phase targets version-specific vulnerabilities for potential exploitation. This aligns with previous trends in Citrix attacks, such as CitrixBleed 2, emphasizing the need for continuous monitoring and patch management.

Furthermore, the campaign illustrates operational discipline: disposable cloud instances ensure that a single IP compromise or block doesn’t impede the overall reconnaissance effort. Using outdated browser fingerprints (Chrome 50) might seem sloppy, but in reality, it mimics long-standing corporate environments, potentially bypassing some heuristics used by security teams.

Administrators should adopt a defense-in-depth strategy, combining endpoint monitoring, behavioral analytics, and proactive logging of unusual patterns. Simple fixes like restricting internet exposure, enforcing authentication on sensitive endpoints, and obfuscating version information can dramatically reduce reconnaissance efficiency. This incident underlines that attacks are no longer opportunistic; sophisticated reconnaissance is a prelude to targeted exploitation.

Fact Checker Results:

✅ GreyNoise reports confirmed 111,834 sessions from 63,000+ IPs, consistent with large-scale scanning campaigns.
✅ Two-phase reconnaissance using residential proxies and cloud instances matches telemetry data and threat analysis.
❌ No evidence suggests that exploitation occurred yet; activity remains reconnaissance, though high-risk.

Prediction:

Given the scale and sophistication of this campaign, targeted attacks against Citrix ADC and Gateway systems are likely imminent. Organizations that delay patching or fail to monitor unusual login and EPA endpoint access could face remote code execution attempts in the coming months. Proactive defenses and threat hunting across residential IP ranges may prevent the next wave of exploits. ⚠️🔍

If you want, I can also create a visual timeline chart showing the two-phase scanning activity to make this report even more reader-friendly and impactful.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon