Ethical Hacking News
GreyNoise has uncovered a coordinated Citrix Gateway reconnaissance campaign using 63K+ residential proxies and AWS. This operation targeted login panels, enumerated versions, and mapped infrastructure before potential attacks. Understanding this threat is crucial for organizations to develop effective countermeasures and enhance their security posture.
The GreyNoise security firm discovered a reconnaissance campaign targeting Citrix Gateway infrastructure using 63,000+ residential proxies and AWS scalability. The campaign mapped Citrix ADC and NetScaler Gateways between January 28 and February 2, 2026, employing sophisticated tools to bypass geofencing and reputation filters. The attack generated 111,834 sessions from over 63,000 unique source IPs, with 79% targeting Citrix Gateway honeypots, indicating a deliberate infrastructure mapping strategy. The attackers used residential proxies, leveraging one large Azure IP for a significant portion of their traffic, and thousands of legitimate consumer IPs worldwide to bypass geofencing and reputation filters. The campaign's success was due to the coordination and planning between different tools and infrastructure, indicating a shared framework or toolset used by the attackers. Organizations are advised to monitor unusual user agents, rapid login enumeration, outdated browser fingerprints, and external access to sensitive paths for signs of this malicious activity. To counter such threats, defense strategies include limiting exposure, enforcing authentication, suppressing version information, and flagging suspicious regional traffic.
GreyNoise, a security firm specializing in threat intelligence and incident response, has discovered a large reconnaissance campaign targeting Citrix Gateway infrastructure. The operation used more than 63,000 residential proxies, paired with the scalability of Amazon Web Services (AWS), to locate login panels and enumerate versions.
According to a report GreyNoise published on February 4, 2026, the campaign ran between January 28 and February 2, 2026. During this period the attackers mapped Citrix ADC and NetScaler Gateways, using a set of tools designed to bypass geofencing and reputation filters.
The effort was notable for its scale: the attackers generated 111,834 sessions from over 63,000 unique source IPs. 79% of these sessions targeted Citrix Gateway honeypots, which points to a deliberate infrastructure mapping strategy rather than opportunistic crawling.
To achieve this, the adversaries relied heavily on residential proxies. A single large Azure IP carried a significant portion of the traffic; the remainder came from thousands of legitimate consumer IPs worldwide, each presenting a unique browser fingerprint, which allowed the traffic to pass geofencing and reputation filters.
The login discovery component of the campaign ran almost entirely over these residential proxies, showing a high degree of coordination and planning. The version check component was different: six hours of focused activity from 10 AWS IPs, all using a shared Chrome fingerprint.
The attackers also used VPN tunnels and jumbo frame settings to route traffic through datacenter-level network configurations, a further sign of the sophistication behind the campaign. TCP analysis revealed different infrastructure setups built on a shared framework: Azure traffic went through VPN tunnels, residential scans passed through Linux proxies, and AWS scans required specialized datacenter-level network settings.
This shared framework indicates that a common toolset or library underlies the compartmentalized operation, which matters because it links tools and infrastructure that would otherwise appear unrelated.
The reconnaissance likely serves to map Citrix infrastructure before potential attacks, focusing on the EPA setup file path in an effort to discover vulnerabilities. Organizations are advised to monitor unusual user agents, rapid login enumeration, outdated browser fingerprints, and external access to sensitive paths for signs of this malicious activity.
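As an added illustration (not code from the article or from GreyNoise), the following Python applies the four monitoring signals listed above to a few constructed access-log lines: rapid login enumeration, an outdated browser fingerprint, an unusual user agent, and external access to a sensitive path. The login paths, the EPA path prefix, the tool-agent markers, the Chrome version cutoff, the enumeration threshold and the internal ranges are all assumed values chosen for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (source IP, timestamp, request path, status, user agent); not campaign traffic.
SAMPLE_LOG = """\
198.51.100.7 [30/Jan/2026:10:00:01 +0000] "GET /vpn/index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112"
198.51.100.7 [30/Jan/2026:10:00:03 +0000] "GET /logon/LogonPoint/index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112"
198.51.100.7 [30/Jan/2026:10:00:05 +0000] "GET /vpn/index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112"
198.51.100.7 [30/Jan/2026:10:00:07 +0000] "GET /logon/LogonPoint/index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112"
198.51.100.7 [30/Jan/2026:10:00:09 +0000] "GET /vpn/index.html" 200 "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0.2623.112"
203.0.113.9 [30/Jan/2026:10:05:00 +0000] "GET /epa/setup-file-PLACEHOLDER" 404 "curl/8.4.0"
10.0.0.5 [30/Jan/2026:10:06:00 +0000] "GET /epa/setup-file-PLACEHOLDER" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0.0.0"
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "GET (\S+)" \d+ "([^"]*)"$')
LOGIN_PATHS = {"/vpn/index.html", "/logon/LogonPoint/index.html"}  # assumed gateway login pages
SENSITIVE_PREFIXES = ("/epa/",)  # placeholder for the EPA setup file path the article mentions
TOOL_UA_MARKERS = ("curl/", "python-requests", "Go-http-client")  # assumed "unusual" agents
MIN_CHROME_MAJOR = 100  # assumed cutoff below which a Chrome fingerprint counts as outdated
ENUM_THRESHOLD, ENUM_WINDOW_S = 5, 60  # assumed: 5 login-page hits within 60 s
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def analyze(log_text):
    findings = defaultdict(set)      # ip -> set of signal names
    login_times = defaultdict(list)  # ip -> timestamps of login-page hits in the current window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, path, ua = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        chrome = re.search(r"Chrome/(\d+)", ua)
        if chrome and int(chrome.group(1)) < MIN_CHROME_MAJOR:
            findings[ip].add("outdated_browser_fingerprint")
        if not ua or ua.startswith(TOOL_UA_MARKERS):
            findings[ip].add("unusual_user_agent")
        is_internal = any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
        if path.startswith(SENSITIVE_PREFIXES) and not is_internal:
            findings[ip].add("external_sensitive_path_access")
        if path in LOGIN_PATHS:
            hits = login_times[ip]
            hits.append(when)
            while (when - hits[0]).total_seconds() > ENUM_WINDOW_S:  # slide the window
                hits.pop(0)
            if len(hits) >= ENUM_THRESHOLD:
                findings[ip].add("rapid_login_enumeration")
    return {ip: sorted(s) for ip, s in findings.items()}
```

Running `analyze(SAMPLE_LOG)` flags the first source for enumeration and an old Chrome build, and the second for a tool user agent touching the EPA path from outside; the internal client with a current browser is not flagged.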
To counter such threats, defense strategies include limiting exposure, enforcing authentication, suppressing version information, and flagging suspicious regional traffic. This delicate balance between security and operational efficiency is a constant challenge faced by organizations worldwide.
In conclusion, the reconnaissance campaign GreyNoise uncovered is a significant marker in the evolving threat landscape. Understanding the tactics, techniques, and procedures (TTPs) these adversaries employ gives defenders the insight needed to build more effective countermeasures and protect their digital assets.
Published: Wed Feb 4 09:28:10 2026 by llama3.2 3B Q4_K_M