Hackers Actively Scanning Citrix NetScaler Infrastructure to Discover Login Panels

A large-scale reconnaissance campaign targeting Citrix ADC Gateway and NetScaler Gateway infrastructure was detected between January 28 and February 2, 2026, by the GreyNoise Global Observation Grid.

The coordinated operation combined residential proxy rotation for login panel discovery with concentrated AWS-hosted version disclosure scanning, generating over 111,834 sessions from more than 63,000 unique IP addresses.

The campaign demonstrates sophisticated infrastructure-mapping capabilities, achieving a 79% targeting rate against Citrix Gateway honeypots, significantly exceeding baseline scanning noise and indicating deliberate reconnaissance rather than opportunistic crawling.

Threat actors operated two complementary attack modes simultaneously, suggesting coordinated preparation for exploitation activities targeting known Citrix vulnerabilities.

The reconnaissance operation was split into two distinct but…