A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels and enumerate product versions.
A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels and enumerate product versions.
Between January 28 and February 2, threat monitoring platform GreyNoise observed scanning traffic originating from more than 63,000 distinct IP addresses that launched 111,834 sessions. The activity strongly indicates pre-exploitation infrastructure mapping rather than random internet scanning.
Observed reconnaissance activity Source: GreyNoise
The campaign focused heavily on Citrix Gateway honeypots, with 79% of the traffic aimed at these targets. What makes this campaign particularly concerning is the use of residential proxies - 64% of the traffic came from IPs spread across the globe that appeared as legitimate consumer ISP addresses, effectively bypassing reputation-based filtering systems.
The remaining 36% of traffic originated from a single Azure IP address, suggesting a hybrid approach to the scanning operation.
Two distinct scanning patterns emerged during the campaign:
The most active indicator generated 109,942 sessions from 63,189 unique IPs, targeting the authentication interface at
/logon/LogonPoint/index.htmlto identify exposed Citrix login panels at scale.A second indicator, observed on February 1st, involved a six-hour sprint with 10 IPs launching 1,892 sessions focused on the URL path
/epa/scripts/win/nsepa_setup.exeto enumerate Citrix versions via Endpoint Analysis (EPA) artifacts.
GreyNoise notes that the attacker employed a user agent for Chrome 50, released in early 2016. This outdated browser fingerprint, combined with the specific targeting of the EPA setup file path, suggests "interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses."
"The rapid onset and completion suggest a targeted scanning sprint that may have been triggered by discovery of vulnerable EPA configurations or intelligence about deployment windows," GreyNoise stated.
The timing of this campaign is particularly relevant given recent critical-severity flaws affecting Citrix products. CVE-2025-5777, known as 'CitrixBleed 2,' and CVE-2025-5775, a remote code execution vulnerability that was exploited as a zero-day, represent the most recent high-risk vulnerabilities in the Citrix ecosystem.
For organizations running Citrix infrastructure, GreyNoise has outlined several detection opportunities:
- Monitoring for the
blackbox-exporteruser agent originating from non-authorized sources - Alerting on external access to
/epa/scripts/win/nsepa_setup.exe - Flagging rapid enumeration of
/logon/LogonPoint/paths - Watching for HEAD requests against Citrix Gateway endpoints
- Tracking outdated browser fingerprints, specifically Chrome 50 (circa 2016)
Beyond detection, the researchers recommend several defensive measures:
- Review the necessity of internet-facing Citrix Gateways
- Restrict access to the
/epa/scripts/directory - Disable version disclosure in HTTP responses
- Monitor for anomalous access from residential ISPs in unexpected regions
This campaign demonstrates how threat actors are increasingly leveraging residential proxy networks to conduct reconnaissance operations that appear as legitimate consumer traffic. The scale and specificity of the scanning suggest preparation for potential exploitation of known Citrix vulnerabilities, making it critical for organizations using these products to review their exposure and implement appropriate security controls.
GreyNoise has shared the IP addresses used to launch the scanning activity with the security community to facilitate broader detection and response efforts.
Comments
Please log in or register to join the discussion