Hackers Actively Scan Citrix NetScaler Infrastructure to Identify Exposed Login Panels

A coordinated global reconnaissance campaign has been observed targeting Citrix ADC (NetScaler) Gateway infrastructure.

According to multiple security telemetry sources, attackers launched a massive scan aimed at discovering authentication panels and enumerating software versions, a strong sign of pre‑exploitation activity.

GreyNoise analysts reported the campaign generated 111,834 sessions originating from over 63,000 unique IP addresses, with 79% of that traffic specifically directed at Citrix Gateway honeypot systems.

This volume far exceeds normal background internet noise, confirming a deliberate reconnaissance operation rather than opportunistic scanning.

Phased Reconnaissance Using Residential Proxies

The campaign operated in two distinct phases. The first, dubbed the Login Panel Discovery Phase, recorded over 109,942 scanning sessions attempting connections to the /logon/LogonPoint/index.html login page.

Researchers…