Between January 28 and February 2, 2026, GreyNoise observed a large-scale, coordinated reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure worldwide. This wasn’t random noise — data strongly points to deliberate mapping of exposed Citrix login panels and version enumeration, likely as a precursor to exploitation.
The Campaign at a Glance
A total of 111,834 sessions were observed from more than 63,000 unique IPs, with a 79 % targeting rate specifically against Citrix Gateway honeypots, well above typical background internet scanning.
The activity split into two distinct yet complementary modes:
| Mode | Purpose | Sessions | Source Infrastructure | Target Path |
|---|---|---|---|---|
| Login Panel Discovery | Locate exposed Citrix login interfaces | 109,942 | Azure + Residential Proxies | /logon/LogonPoint/index.html |
| Version Enumeration Sprint | Enumerate Citrix build versions | 1,892 | AWS (us-west-1 & us-west-2) | /epa/scripts/win/nsepa_setup.exe |
This dual targeting — broad discovery plus focused version fingerprinting — shows clear reconnaissance objectives, not opportunistic scanning.
Tactics, Techniques & Infrastructure
Residential Proxy Abuse
- ~64 % of traffic originated from residential proxy IP ranges across countries such as Vietnam, Argentina, Mexico, Algeria, and Iraq, among others.
- Each IP typically issued only one session before rotating, with unique browser fingerprints — classic behavior for residential proxy pools used to evade reputation-based defenses and geofencing.
- These addresses appeared as legitimate consumer ISP IPs, complicating static reputation blocking.
Cloud-Hosted Scanning
- The remaining traffic came from cloud providers:
  - A Microsoft Azure Canada IP was responsible for 36 % of login panel traffic, using the Prometheus blackbox-exporter user agent.
  - Version enumeration requests came from 10 AWS IPs in a 6-hour burst centered around Feb 1, each using an old Chrome 50 user agent (circa 2016) and sharing TCP fingerprints.
This separation suggests distinct operational streams — broad discovery via proxies and targeted version probing from stable cloud infrastructure.
TCP/IP Fingerprint Insights
Network fingerprinting tells more than just IPs:
- Residential Proxies: appeared as Windows TCP stacks passing through Linux proxy hosts.
- Azure Scanner: exhibited a lowered Maximum Segment Size (MSS), consistent with VPN/tunnel encapsulation.
- AWS Version Scanners: showed jumbo-frame MSS values (~9000+ bytes), which are only practical on datacenter networks.
Despite these differences, identical TCP option ordering across all three categories suggests a common underlying scanning framework or toolset.
Pre-Attack Signal
The focused targeting of:
- /logon/LogonPoint/index.html (login panels), and
- /epa/scripts/win/nsepa_setup.exe (EPA setup version artifacts)
strongly indicates infrastructure mapping designed to feed downstream exploitation: first discovering exposed gateways, then selecting version-specific vulnerabilities against them.
(Other reporting notes that similar campaigns often precede exploitation spikes, e.g. industry reports on recent Citrix-related scanning waves that used tens of thousands of residential proxies.)
IOCs — Indicators of Compromise
Version Disclosure Sources (AWS)
- 44.251.121[.]190
- 13.57.253[.]3
- 50.18.232[.]85
- 52.36.139[.]223
- 54.201.20[.]56
- 54.153.0[.]164
- 54.176.178[.]13
- 18.237.26[.]188
- 54.219.42[.]163
- 18.246.164[.]162
Login Panel Discovery (Azure)
52.139.3[.]76
GreyNoise Tags Observed
- Citrix ADC Gateway Login Panel Crawler
- Citrix NetScaler Gateway Version Disclosure
Defensive Guidance
GreyNoise recommends that defenders treat this activity as a credible pre-attack signal and tighten posture accordingly:
Detection Opportunities
- Alert on any external access to the EPA setup path (/epa/scripts/win/nsepa_setup.exe).
- Flag rapid enumeration of /logon/LogonPoint/ paths in patterns that don't align with normal user behavior.
- Monitor for HEAD requests to Citrix Gateway endpoints as an early indicator of scanning.
- Watch for legacy user agents (e.g., Chrome 50) originating from untrusted or unknown sources.
- Detect blackbox-exporter user agents coming from unexpected addresses.
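As an added example (this is not GreyNoise's code or tooling), the detector below applies the five rules above to access-log lines in Combined Log Format, as a reverse proxy or load balancer in front of the gateway would write them. The thresholds, the internal-network and trusted-monitor lists, the sample log lines (constructed, using RFC 5737 documentation addresses) and the loose match on the blackbox-exporter user agent string are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

EPA_SETUP_PATH = "/epa/scripts/win/nsepa_setup.exe"
LOGON_PREFIX = "/logon/LogonPoint/"
GATEWAY_PREFIXES = ("/logon/", "/epa/")

# Tunables: assumptions for this example, not GreyNoise guidance.
LEGACY_CHROME_MAX_MAJOR = 79         # Chrome/50 sits far below any current release
ENUM_MIN_DISTINCT_PATHS = 3          # distinct /logon/LogonPoint/ paths from one IP ...
ENUM_WINDOW = timedelta(seconds=60)  # ... inside this window count as enumeration

# Combined Log Format: ip - - [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
# Loose match (assumption): "blackbox-exporter", "blackbox_exporter", "Blackbox Exporter".
BLACKBOX_RE = re.compile(r"blackbox[ _-]?exporter", re.IGNORECASE)

Alert = namedtuple("Alert", "ip rule detail")


def parse_line(line):
    """Return the fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, internal_nets=(), trusted_monitors=frozenset()):
    """Apply the five detection rules and return a list of Alert tuples."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    logon_hits = defaultdict(list)  # ip -> [(timestamp, path), ...]

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, ua = rec["ip"], rec["method"], rec["path"], rec["ua"]
        external = not any(ipaddress.ip_address(ip) in n for n in nets)

        # Rule 1: external access to the EPA setup binary (version-disclosure artifact).
        if external and path == EPA_SETUP_PATH:
            alerts.append(Alert(ip, "epa_setup_access", path))
        # Rule 3: HEAD probes against gateway endpoints.
        if method == "HEAD" and path.startswith(GATEWAY_PREFIXES):
            alerts.append(Alert(ip, "head_probe", path))
        # Rule 4: legacy Chrome user agent from an external source.
        cm = CHROME_RE.search(ua)
        if external and cm and int(cm.group(1)) <= LEGACY_CHROME_MAX_MAJOR:
            alerts.append(Alert(ip, "legacy_user_agent", ua))
        # Rule 5: monitoring-tool user agent from an address that is not our monitor.
        if BLACKBOX_RE.search(ua) and ip not in trusted_monitors:
            alerts.append(Alert(ip, "unexpected_blackbox_exporter", ua))
        if path.startswith(LOGON_PREFIX):
            logon_hits[ip].append((rec["ts"], path))

    # Rule 2: rapid enumeration, i.e. many distinct LogonPoint paths from one IP in a short window.
    for ip, hits in logon_hits.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > ENUM_WINDOW:
                start += 1
            distinct = {p for _, p in hits[start:end + 1]}
            if len(distinct) >= ENUM_MIN_DISTINCT_PATHS:
                alerts.append(Alert(ip, "logonpoint_enumeration",
                                    f"{len(distinct)} distinct paths in {ENUM_WINDOW.seconds}s"))
                break
    return alerts


# Constructed sample (not real traffic): one EPA fetch with a Chrome 50 UA, one HEAD probe
# followed by a LogonPoint sweep, an unexpected and a trusted monitor, one internal user.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2026:03:14:01 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/50.0.2661.102 Safari/537.36"
198.51.100.7 - - [01/Feb/2026:03:14:05 +0000] "HEAD /logon/LogonPoint/index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0.0.0 Safari/537.36"
198.51.100.7 - - [01/Feb/2026:03:14:06 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3321 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0.0.0 Safari/537.36"
198.51.100.7 - - [01/Feb/2026:03:14:07 +0000] "GET /logon/LogonPoint/tmindex.html HTTP/1.1" 200 3301 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0.0.0 Safari/537.36"
198.51.100.7 - - [01/Feb/2026:03:14:08 +0000] "GET /logon/LogonPoint/custom/script.js HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/121.0.0.0 Safari/537.36"
192.0.2.99 - - [01/Feb/2026:03:20:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3321 "-" "Prometheus Blackbox Exporter/0.25.0"
192.0.2.44 - - [01/Feb/2026:03:20:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3321 "-" "Prometheus Blackbox Exporter/0.25.0"
10.20.30.40 - - [01/Feb/2026:03:25:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 3321 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0.0.0 Safari/537.36"
"""


def run_sample():
    """Run the detector over SAMPLE_LOG with an example trust configuration (assumed)."""
    return detect(SAMPLE_LOG.splitlines(),
                  internal_nets=["10.0.0.0/8"],
                  trusted_monitors={"192.0.2.44"})


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.rule:30} {a.ip:15} {a.detail}")
```

On the sample, the EPA fetch fires both the path rule and the legacy-UA rule, the HEAD probe and the three-path sweep from 198.51.100.7 fire separately, the unrecognised monitor fires, and the trusted monitor and the internal user produce nothing. In production, feed the detector the gateway's own or the fronting proxy's logs and tune the enumeration window and the legacy-version cutoff to what your real users look like.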
Hardening Practices
- Review the need for internet-facing Citrix Gateways; limit exposure where possible.
- Restrict external access to the /epa/scripts/ directory with authentication controls.
- Configure Citrix devices to suppress version disclosure in HTTP responses to make version fingerprinting harder.
- Flag, and potentially block, suspicious traffic from residential ISP ranges, especially from geographies that shouldn't normally access your infrastructure.
Summary
This GreyNoise Labs Grimoire entry highlights a strategically significant reconnaissance campaign against Citrix ADC and NetScaler Gateways using a combination of residential proxy networks and cloud hosts. The purpose appears to be twofold:
- Locate exposed login interfaces, and
- Enumerate version footprints that could inform later exploitation.
This kind of reconnaissance — deliberate, high volume, and distributed — should be treated as a pre-attack mapping phase, not mere background scanning noise. Defenders should strengthen detection and access controls accordingly.
