Citrix ADC (NetScaler) Gateway infrastructure has been the target of a coordinated worldwide reconnaissance campaign routed largely through residential proxies. Several security telemetry sources report that attackers ran a thorough scan to locate authentication panels and enumerate software versions, a clear indication of pre-exploitation activity.

According to GreyNoise analysts, the campaign produced 111,834 sessions from more than 63,000 distinct IP addresses, with 79% of that traffic going directly to Citrix Gateway honeypot systems. This volume far exceeds normal background internet noise, which points to a purposeful reconnaissance operation rather than opportunistic scanning.

Residential Proxies for Phased Reconnaissance

The campaign had two distinct phases. The first, the Login Panel Discovery Phase, recorded over 109,942 scanning sessions that attempted to reach the /logon/LogonPoint/index.html login page.

One Target, Two Campaigns

Researchers found that residential proxies in countries such as Vietnam, Argentina, Mexico, Algeria, and Iraq accounted for 64% of the source IPs. Because their addresses looked like ordinary consumer ISP endpoints, these proxies were especially effective at evading IP reputation filters and geoblocking. Remarkably, 36% of requests carried a Prometheus blackbox-exporter user agent and came from a single Microsoft Azure IP located in Canada.

Each IP in the proxy rotation carried its own browser fingerprint and user-agent string, which made attribution and correlation harder. The second stage, a Version Disclosure Phase, was a focused six-hour scanning burst from ten AWS instances on February 1, 2026. To probe Citrix Endpoint Analysis (EPA) component versions, these systems sent 1,892 requests to the /epa/scripts/win/nsepa_setup.exe path.

Traffic peaked at 362 sessions around 02:00 UTC and dropped off quickly after 05:00 UTC. Every AWS source shared the same HTTP headers and used an out-of-date Chrome 50 user agent from 2016, indicating that a single actor orchestrated the scan using disposable cloud instances.

Mode                    Sessions   Source IPs   Infrastructure
Login Panel Discovery   109,942    63,189       Azure + residential proxies
Version Disclosure      1,892      10           AWS us_west_1/us_west_2

According to GreyNoise investigators, this activity is associated with reconnaissance that facilitates the development of exploits against known vulnerabilities in Citrix ADC and Gateway versions.

The sampling of EPA setup paths implies vulnerability validation or version-specific exploit testing. Recent Citrix vulnerabilities such as CVE-2025-5777 (CitrixBleed 2) and CVE-2025-5775, a remote code execution flaw, have already been exploited in attacks.

Security teams should assume that adversaries are mapping their environments in preparation for similar campaigns. Defenders are advised to:

- Watch for "blackbox-exporter" user agents coming from unauthorized sources.
- Alert on HTTP requests to /epa/scripts/win/nsepa_setup.exe.
- Monitor for rapid enumeration attempts against paths under /logon/LogonPoint/.
- Flag HEAD requests made to Citrix Gateway endpoints.
- Use outdated browser fingerprints, such as Chrome 50, to identify suspicious access patterns.

Administrators should remove version disclosures from banners and error messages, enforce authentication for the /epa/scripts/ directory, and limit the internet exposure of Citrix Gateway systems.

Monitoring for connections from unexpected geographic regions or residential ISP ranges further improves visibility into this kind of reconnaissance.

Indicators of Compromise (IOCs)

AWS Version Disclosure: 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162

Azure Login Panel: 52.139.3.76
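As an added example (not part of the article and not GreyNoise's or Citrix's tooling), the following Python script applies the detection points listed above, plus the IOC addresses, to a handful of constructed access-log lines. It flags the blackbox-exporter user agent, requests to the EPA setup path, HEAD requests, the Chrome 50 fingerprint, rapid login-panel enumeration from one address, and any source IP on the IOC list. The combined log layout, the exact blackbox-exporter user-agent string, the five-hits-in-60-seconds enumeration threshold, and the sample addresses 203.0.113.10 and 198.51.100.7 are assumptions; only the IOC addresses come from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC addresses as listed in the article's IOC section.
AWS_VERSION_DISCLOSURE_IPS = {
    "44.251.121.190", "13.57.253.3", "50.18.232.85", "52.36.139.223",
    "54.201.20.56", "54.153.0.164", "54.176.178.13", "18.237.26.188",
    "54.219.42.163", "18.246.164.162",
}
AZURE_LOGIN_PANEL_IPS = {"52.139.3.76"}
IOC_IPS = AWS_VERSION_DISCLOSURE_IPS | AZURE_LOGIN_PANEL_IPS

EPA_PATH = "/epa/scripts/win/nsepa_setup.exe"   # version-disclosure probe target
LOGON_PREFIX = "/logon/LogonPoint/"              # login-panel discovery target

# Assumed "combined" access-log layout; adapt the regex to the gateway's real log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status, ua; None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines, enum_threshold=5, enum_window=timedelta(seconds=60)):
    """Apply the article's detection points to log lines; returns (ip, rule, detail) tuples."""
    findings = []
    logon_hits = defaultdict(list)  # ip -> timestamps of login-panel requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, ua = rec["ip"], rec["method"], rec["path"], rec["ua"]
        if ip in IOC_IPS:
            findings.append((ip, "ioc_match", path))
        if "blackbox" in ua.lower():            # assumed substring for the blackbox-exporter UA
            findings.append((ip, "blackbox_exporter_ua", ua))
        if path == EPA_PATH:
            findings.append((ip, "epa_version_probe", method))
        if method == "HEAD":
            findings.append((ip, "head_request", path))
        if re.search(r"Chrome/50\.", ua):      # 2016-era Chrome 50 fingerprint
            findings.append((ip, "outdated_chrome50_ua", ua))
        if path.startswith(LOGON_PREFIX):
            logon_hits[ip].append(rec["ts"])
    # Rapid enumeration: enum_threshold or more login-panel hits inside one enum_window.
    for ip, stamps in logon_hits.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= enum_window:
                j += 1
            if j - i >= enum_threshold:
                findings.append((ip, "logon_panel_enumeration",
                                 f"{j - i} hits in {int(enum_window.total_seconds())}s"))
                break
    return findings


def rules_by_ip(lines):
    """Collapse findings into {ip: set(rule names)} for quick triage."""
    out = defaultdict(set)
    for ip, rule, _ in detect(lines):
        out[ip].add(rule)
    return dict(out)


# Constructed sample log (not real traffic); 203.0.113.10 and 198.51.100.7 are documentation ranges.
_MODERN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
_CHROME50 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
SAMPLE_LOG = [
    # five login-panel probes from one address within 40 seconds, rotating user agents
    *[f'203.0.113.10 - - [01/Feb/2026:01:58:{s:02d} +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/2010{i:04d} Firefox/{100 + i}.0"'
      for i, s in enumerate((0, 10, 20, 30, 40))],
    '52.139.3.76 - - [01/Feb/2026:02:00:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "Blackbox Exporter/0.25.0"',
    f'44.251.121.190 - - [01/Feb/2026:02:00:05 +0000] "HEAD /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 0 "-" "{_CHROME50}"',
    f'198.51.100.7 - - [01/Feb/2026:02:10:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "{_MODERN}"',
]

if __name__ == "__main__":
    for ip, rule, detail in detect(SAMPLE_LOG):
        print(f"{ip:16} {rule:26} {detail}")
```

Run against the sample, the AWS address trips four rules at once (IOC match, EPA probe, HEAD request, Chrome 50), the Azure address trips the IOC and blackbox-exporter rules, the rotating-UA source is caught only by the per-IP enumeration window, and the benign /vpn/index.html visit produces nothing. In production the per-IP window matters more than any single user-agent string, since the article notes each proxy IP carried its own fingerprint.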