By Divya
Publication Date: 2026-02-04 09:02:00
A coordinated reconnaissance campaign targeting Citrix ADC (NetScaler) Gateway infrastructure worldwide.
The operation used over 63,000 residential proxy IPs and AWS cloud infrastructure to map login panels and enumerate software versions, a clear indicator of pre-exploitation preparation.
The scanning activity generated 111,834 sessions from more than 63,000 unique IP addresses, with 79% of traffic specifically aimed at Citrix Gateway honeypots.
This targeted approach far exceeds baseline internet scanning noise, indicating deliberate infrastructure mapping rather than opportunistic activity.
The campaign operated in two distinct phases, a massive distributed login panel discovery operation using residential proxy rotation and a concentrated version disclosure sprint hosted on AWS infrastructure.
Login Panel Discovery Phase
The primary phase involved 109,942 scanning sessions from 63,189 unique IPs targeting the /logon/LogonPoint/index.html authentication…
