Threat Actors Conduct Widespread Scanning For Exposed Citrix NetScaler Login Pages

By Divya
Publication Date: 2026-02-04 09:02:00

A coordinated reconnaissance campaign targeting Citrix ADC (NetScaler) Gateway infrastructure worldwide.

The operation used over 63,000 residential proxy IPs and AWS cloud infrastructure to map login panels and enumerate software versions, a clear indicator of pre-exploitation preparation.

The scanning activity generated 111,834 sessions from more than 63,000 unique IP addresses, with 79% of traffic specifically aimed at Citrix Gateway honeypots.

This targeted approach far exceeds baseline internet scanning noise, indicating deliberate infrastructure mapping rather than opportunistic activity.

The campaign operated in two distinct phases, a massive distributed login panel discovery operation using residential proxy rotation and a concentrated version disclosure sprint hosted on AWS infrastructure.

The primary phase involved 109,942 scanning sessions from 63,189 unique IPs targeting the /logon/LogonPoint/index.html authentication…

Facebook
Twitter
Pinterest
LinkedIn
Digg
Tumblr
Reddit
Buffer
Blogger
Newsvine
HackerNews
Flipboard
Share
LiveJournal
Yammer
Mix
Instapaper
Copy Link
Mastodon

Login Panel Discovery Phase

Related Posts