Citrix NetScaler Under Siege: 63,000+ IPs in Coordinated Recon Campaign

A wave of reconnaissance scans targeting Citrix NetScaler infrastructure has lit up threat monitoring platforms, revealing a highly coordinated effort using tens of thousands of residential proxies. The goal? Discover login panels and enumerate vulnerable versions—likely as a precursor to exploitation.

This isn’t random scanning. It’s targeted infrastructure mapping, and it’s happening at scale.

What GreyNoise Uncovered

Between January 28 and February 2, GreyNoise observed:

  • 111,834 sessions from 63,000+ unique IPs
  • 79% of traffic aimed at Citrix Gateway honeypots
  • 64% of traffic routed through residential proxies
  • Remaining traffic from a single Azure IP


Indicators of Malicious Intent

Two scanning patterns stood out:

  1. Mass targeting of /logon/LogonPoint/index.html
    • 109,942 sessions
    • 63,189 IPs
    • Goal: identify exposed login panels
  2. Sprint targeting /epa/scripts/win/nsepa_setup.exe
    • 1,892 sessions in 6 hours
    • Goal: enumerate Citrix versions via EPA artifacts

Attackers used a Chrome 50 user agent (from 2016), suggesting attempts to bypass filters or emulate legacy systems.

Detection & Defense Recommendations

GreyNoise advises defenders to:

  • Monitor for blackbox-exporter user agents from unauthorized sources
  • Alert on access to /epa/scripts/win/nsepa_setup.exe
  • Flag rapid hits on /logon/LogonPoint/ paths
  • Watch for HEAD requests to Citrix Gateway endpoints
  • Track outdated browser fingerprints (Chrome 50)
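To show how these five recommendations translate into detection logic, the following script (an added example, not GreyNoise's or Citrix's code) applies them to reverse-proxy access-log lines in the common combined format. The log shape, the 5-hits-in-60-seconds threshold for "rapid hits", the set of gateway path prefixes watched for HEAD probes, and the sample log lines are all assumptions constructed for the example; the two URL paths and the Chrome 50 fingerprint come from the campaign description above.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format parser for the access log of the proxy or WAF in front of a
# Citrix Gateway. The log shape is an assumption; adjust the regex for your source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths named in the campaign description.
EPA_SETUP_PATH = "/epa/scripts/win/nsepa_setup.exe"
LOGON_PREFIX = "/logon/LogonPoint/"
# Gateway endpoint prefixes to watch for HEAD probes (assumed set).
GATEWAY_PREFIXES = ("/logon/", "/epa/", "/vpn/")
# "Rapid hits" threshold: assumed values, tune to your own baseline.
RAPID_WINDOW = timedelta(seconds=60)
RAPID_THRESHOLD = 5


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines):
    """Apply the five rules and return a list of (rule, ip, detail) tuples."""
    findings = []
    logon_hits = defaultdict(deque)   # ip -> timestamps of recent logon-panel hits
    rapid_flagged = set()             # report each rapid-hitting source only once

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # not an access-log record; skip it
        ip, path, ua, method, ts = rec["ip"], rec["path"], rec["ua"], rec["method"], rec["ts"]

        # Rule 1: blackbox-exporter user agent (whitelist your own monitoring hosts).
        if "blackbox" in ua.lower():
            findings.append(("blackbox_exporter_ua", ip, ua))

        # Rule 2: any access to the EPA installer path used for version enumeration.
        if path.split("?", 1)[0] == EPA_SETUP_PATH:
            findings.append(("epa_setup_access", ip, path))

        # Rule 3: rapid hits on the logon panel path from one source (sliding window).
        if path.startswith(LOGON_PREFIX):
            q = logon_hits[ip]
            q.append(ts)
            while q and ts - q[0] > RAPID_WINDOW:
                q.popleft()
            if len(q) >= RAPID_THRESHOLD and ip not in rapid_flagged:
                rapid_flagged.add(ip)
                findings.append(("rapid_logon_hits", ip, f"{len(q)} hits in {RAPID_WINDOW.seconds}s"))

        # Rule 4: HEAD requests against gateway endpoints (cheap existence probes).
        if method == "HEAD" and path.startswith(GATEWAY_PREFIXES):
            findings.append(("head_probe", ip, path))

        # Rule 5: outdated Chrome 50 browser fingerprint.
        if "Chrome/50." in ua:
            findings.append(("chrome50_ua", ip, ua))

    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample log: documentation-range IPs and a made-up date, not real traffic.
_C50 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
_NEW = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"


def _line(ip, ts, method, path, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'


SAMPLE_LOG = [
    _line("203.0.113.7", f"28/Jan/2026:10:00:{s:02d} +0000", "GET", "/logon/LogonPoint/index.html", _C50)
    for s in range(0, 30, 5)          # six hits in 25 seconds from one source
] + [
    _line("198.51.100.9", "28/Jan/2026:10:01:00 +0000", "GET", EPA_SETUP_PATH, _C50),
    _line("198.51.100.9", "28/Jan/2026:10:01:01 +0000", "HEAD", "/logon/LogonPoint/index.html", "curl/8.4.0"),
    _line("192.0.2.44", "28/Jan/2026:10:02:00 +0000", "GET", "/logon/LogonPoint/index.html", "Blackbox Exporter/0.24.0"),
    _line("192.0.2.10", "28/Jan/2026:10:03:00 +0000", "GET", "/logon/LogonPoint/index.html", _NEW),
    "this line is not an access-log record",
]

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:22} {ip:15} {detail}")
    print(summarize(detect(SAMPLE_LOG)))
```

On the sample, the single-source burst is reported once as `rapid_logon_hits` (at its fifth hit) while every Chrome 50 request is reported individually, which is the behaviour you want when the same source is also probing the EPA installer path; the legitimate modern-browser login on the last line produces no finding.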

Hardening Tips

  • Review necessity of internet-facing Citrix Gateways
  • Restrict access to EPA script directories
  • Disable version disclosure in HTTP responses
  • Monitor for residential ISP traffic from unexpected regions

Why This Matters

With recent critical vulnerabilities like CitrixBleed 2 (CVE-2025-5777) and CVE-2025-5775, this scanning surge could be the early stage of a broader exploitation campaign.

Organizations running Citrix ADC or Gateway products should treat this as a pre-exploitation warning and act swiftly.
