Citrix Gateway Recon Campaign: Unveiling the Massive Attack Using Residential Proxies and AWS (2026)

A massive Citrix Gateway reconnaissance campaign has been uncovered, and it's a sophisticated operation. GreyNoise has detected a two-phase reconnaissance effort that's raising eyebrows in the cybersecurity community.

Here's the scoop: From January 28 to February 2, 2026, a coordinated campaign was launched to probe Citrix ADC and NetScaler Gateways. The attackers employed a staggering 63,000+ residential proxies to locate login panels, then swiftly transitioned to AWS infrastructure to identify versions across an astonishing 111,000+ sessions.

And here's the striking part: the campaign's precision was remarkable. Of the 63,000+ source IPs, 79% hit Citrix Gateway honeypots specifically, which points to deliberate, targeted probing rather than indiscriminate internet-wide scanning. That level of specificity is a red flag for security teams.

The GreyNoise report reveals fascinating details: "111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots." This precision indicates a well-planned infrastructure mapping strategy.

The two phases used different tactics. The first phase scanned the internet for Citrix Gateway login panels; the second swiftly checked the software version on what the first phase had found, showing a coordinated effort. Interestingly, the login-panel discovery relied on residential proxies: one large Azure IP handled a significant share of the traffic, while thousands of legitimate consumer IPs worldwide contributed the rest. Each IP presented a unique browser fingerprint, a clever tactic for evading detection based on repeated fingerprints.

And this is the part most people miss: the version check was swift, lasting just six hours and originating from only 10 AWS IPs that all presented an old Chrome fingerprint. The short turnaround suggests the attackers moved to version identification as soon as the login panels had been located.

The infrastructure was intricate. The Azure scanner routed traffic through VPNs with modified network settings, while residential proxies on Windows devices were relayed through Linux proxies to mimic ordinary consumer traffic. The AWS scanners used advanced network settings as well, which points to dedicated rather than shared infrastructure.

TCP-level analysis reveals a common thread despite the different infrastructure setups: both phases shared the same TCP characteristics, implying they were driven by the same tooling or framework.

The big question: was this reconnaissance a prelude to a targeted attack? The report suggests so, emphasizing that the version checks went after EPA (Endpoint Analysis) setup files, which reveal the gateway version and let an attacker shortlist exploitable deployments. Organizations running Citrix ADC or NetScaler Gateway should review their gateway access logs for suspicious activity such as unusual user agents, outdated browser fingerprints (an old Chrome version, for instance), and bursts of single requests from many distinct source IPs.
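A small log triage script, added here as an illustration (not part of the GreyNoise report or the article), that applies the indicators above to gateway access logs: it counts distinct source IPs and browser fingerprints per gateway path and flags requests whose Chrome version is older than a threshold. The sample log lines are constructed, and the gateway path prefixes (/vpn/, /logon/, /epa/) and the version threshold are assumptions you should adapt to your own deployment.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not from the report.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Jan/2026:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
203.0.113.11 - - [29/Jan/2026:10:01:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
198.51.100.7 - - [02/Feb/2026:03:12:40 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
198.51.100.8 - - [02/Feb/2026:03:12:41 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"
192.0.2.5 - - [02/Feb/2026:09:00:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

# Assumed Citrix/NetScaler Gateway paths of interest: login pages and EPA client downloads.
GATEWAY_PREFIXES = ("/vpn/", "/logon/", "/epa/")


def chrome_major(user_agent):
    """Return the Chrome major version a user agent claims, or None if not Chrome."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def analyze(log_text, min_chrome_major=100):
    """Summarise requests to gateway paths: distinct IPs and distinct agents per path,
    plus every hit whose Chrome fingerprint is older than min_chrome_major (assumed threshold)."""
    per_path = defaultdict(lambda: {"ips": set(), "agents": set()})
    old_chrome_hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(GATEWAY_PREFIXES):
            continue  # unparseable line or not a gateway path
        ip, path, ua = m.group("ip"), m.group("path"), m.group("ua")
        per_path[path]["ips"].add(ip)
        per_path[path]["agents"].add(ua)
        major = chrome_major(ua)
        if major is not None and major < min_chrome_major:
            old_chrome_hits.append((ip, path, major))
    summary = {p: {"ips": len(v["ips"]), "agents": len(v["agents"])} for p, v in per_path.items()}
    return {"per_path": summary, "old_chrome_hits": old_chrome_hits}


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for path, counts in findings["per_path"].items():
        print(f"{path}: {counts['ips']} distinct IPs, {counts['agents']} distinct agents")
    for ip, path, major in findings["old_chrome_hits"]:
        print(f"old Chrome {major} from {ip} on {path}")
```

A high ratio of distinct IPs to requests on the login path, many distinct agents, or any hit on the EPA path from an outdated Chrome build is worth correlating with the dates in the report.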

Stay tuned as the cybersecurity community delves deeper into this complex campaign. Share your thoughts: Is this a new trend in cyberattacks, or a one-off incident? Let's discuss in the comments!

Author: Lakeisha Bayer VM