Summary: Between January 28 and February 2, 2026, security firm GreyNoise observed a coordinated reconnaissance campaign targeting Citrix ADC and NetScaler Gateway infrastructure, employing a combination of 63,000+ residential proxies and AWS-hosted IP addresses to conduct large-scale mapping and version enumeration. The operation ran in two complementary phases: the first, a massive distributed login panel discovery campaign, generated 109,942 sessions to locate and catalog exposed login portals; the second, a smaller but intensive version disclosure sprint, carried out 1,892 requests over a concentrated six-hour window to gather detailed software version information from Citrix Endpoint Analysis (EPA) setup files. In total, the campaign executed 111,834 sessions, with 79% of traffic hitting Citrix Gateway honeypots, far exceeding typical scanning noise and strongly suggesting a deliberate, targeted mapping effort rather than opportunistic crawling. The attackers combined sophisticated techniques such as residential IP rotation, user agent spoofing, and precise timing of scans to evade detection while systematically enumerating login panels and version information.
Security Officer Comments: The attackers’ use of residential proxies allowed them to bypass traditional geographic blocking and reputation-based filtering. By leveraging thousands of unique IPs from consumer ISPs across multiple countries, each with distinct browser fingerprints, the campaign appeared as legitimate traffic from real users rather than automated scanners. Unlike cloud or datacenter IPs, which are easier to block or flag, these residential addresses blend in with normal user behavior, making it difficult for defenders to prevent reconnaissance without risking disruption to legitimate customers.
Suggested Corrections:
- Review external Citrix Gateway exposure; validate business need for internet-facing deployments
- Implement authentication requirements for the /epa/scripts/ directory
- Configure Citrix Gateways to suppress version disclosure in HTTP responses
- Flag access anomalies from residential ISPs in unexpected regions
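The version disclosure sprint described in the summary and the "flag access anomalies" correction above both come down to the same hunting question: are many distinct sources, each with a different browser fingerprint, hitting the EPA setup path in a tight window? The following Python script is an added example (not from the GreyNoise report or this brief) that runs that check over web access logs. The combined-log-format layout, the file name `epa_setup.exe` under `/epa/scripts/`, the thresholds, and the sample log lines are all constructed assumptions; the `/epa/scripts/` prefix itself is the one named in the corrections.

```python
"""Hunt for distributed version-enumeration against /epa/scripts/ in access logs.

Added illustration; not code from GreyNoise, Citrix, or the original brief.
Log format, file name, thresholds and sample lines are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Path prefix named in the brief's suggested corrections.
EPA_PREFIX = "/epa/scripts/"

# Combined log format (assumed); user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six different sources, six different user agents,
# all fetching the (hypothetical) EPA setup file within five minutes.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Jan/2026:14:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.11 - - [30/Jan/2026:14:00:45 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
198.51.100.22 - - [30/Jan/2026:14:01:30 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) Safari/605.1"
198.51.100.23 - - [30/Jan/2026:14:02:10 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
192.0.2.5 - - [30/Jan/2026:14:03:00 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/120.0"
192.0.2.6 - - [30/Jan/2026:14:03:40 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0) Safari/604.1"
203.0.113.77 - - [30/Jan/2026:14:04:55 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Android 14; Mobile) Chrome/120.0"
203.0.113.10 - - [30/Jan/2026:14:05:10 +0000] "POST /logon HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""

# Constructed benign sample: one user fetching the setup file twice.
BENIGN_LOG = """\
203.0.113.10 - - [30/Jan/2026:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.10 - - [30/Jan/2026:09:00:30 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
203.0.113.10 - - [30/Jan/2026:09:03:30 +0000] "GET /epa/scripts/epa_setup.exe HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def epa_requests(records):
    return [r for r in records if r["path"].startswith(EPA_PREFIX)]


def max_in_window(times, window_seconds):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while (t - times[j]).total_seconds() > window_seconds:
            j += 1
        best = max(best, i - j + 1)
    return best


def assess(records, window_seconds=600, burst_threshold=5, min_distinct_ips=4):
    """Score EPA-path traffic for the distributed, low-per-IP pattern the brief describes."""
    hits = epa_requests(records)
    ips = Counter(r["ip"] for r in hits)
    uas = Counter(r["ua"] for r in hits)
    burst = max_in_window([r["ts"] for r in hits], window_seconds)
    # Many sources touching the path once or twice each is the proxy-rotation signature;
    # a single client re-downloading the setup file is normal behaviour.
    distributed = len(ips) >= min_distinct_ips and max(ips.values(), default=0) <= 2
    return {
        "epa_requests": len(hits),
        "distinct_ips": len(ips),
        "distinct_user_agents": len(uas),
        "peak_requests_in_window": burst,
        "flag": distributed and burst >= burst_threshold,
    }


if __name__ == "__main__":
    print("campaign sample:", assess(parse_log(SAMPLE_LOG)))
    print("benign sample:  ", assess(parse_log(BENIGN_LOG)))
```

The flag deliberately requires both breadth (many source IPs, few requests each) and concentration in time, so a single admin re-downloading the EPA client or a slow trickle of legitimate installs does not trip it. Tune `window_seconds` and `burst_threshold` to the gateway's normal EPA download volume before alerting on it.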
Link(s): https://www.bleepingcomputer.com/ne...r-scans-use-thousands-of-residential-proxies/