Attackers launch dual campaign on GlobalProtect portals and SonicWall APIs


Pierluigi Paganini December 06, 2025

A hacking campaign has been targeting GlobalProtect logins and scanning SonicWall APIs since December 2, 2025.

A campaign began on December 2 targeting Palo Alto GlobalProtect portals with login attempts and scanning SonicWall SonicOS API endpoints. The activity came from over 7,000 IPs tied to German hosting provider 3xK GmbH, which operates its own BGP network (AS200373).

“On 2 December 2025, GreyNoise observed a concentrated spike of 7,000+ IPs attempting to log into Palo Alto Networks GlobalProtect portals. All activity originated from infrastructure operated by 3xK GmbH and targeted two Palo Alto profiles in GreyNoise’s Global Observation Grid (GOG),” reads the report published by the threat intelligence firm GreyNoise.

GlobalProtect is Palo Alto Networks’ VPN and secure remote-access solution. It gives users a protected connection to their organization’s network by routing their traffic through a Palo Alto firewall, which applies the same security controls used inside the corporate environment. Because the portal’s login page is reachable from the internet by design, it is a natural target for credential brute-forcing.


The December traffic reuses three client fingerprints previously seen in a late-September to mid-October wave. That earlier surge came from four typically non-malicious ASNs (NForce Entertainment, Data Campus, Flyservers, and Internet Solutions & Innovations) which generated over 9 million legitimate HTTP sessions, mostly hitting GlobalProtect portals and authentication endpoints. The reappearance of identical fingerprints on new infrastructure signals consistent tooling across seemingly separate events.

On December 3, GreyNoise saw a major spike in scans against SonicWall SonicOS API endpoints carrying the same three client fingerprints tied to the December 2 GlobalProtect login surge and the September–October brute-force wave. Despite shifting infrastructure and a different target vendor, the identical fingerprints point to the same underlying tooling.

Telemetry shows a clear rhythm: intense login and brute-force activity from clean ASNs between late September and mid-October, a slowdown through late November, then the same client resurfacing on 3xK’s infrastructure on December 2 to probe Palo Alto portals, followed the next day by SonicWall API scans.

GreyNoise Block users can automatically block all associated IPs through provided templates for Palo Alto and SonicWall activity; enterprise customers can apply more granular blocklists based on ASN, JA4 fingerprint, and geography.

“Defenders should:

  • Monitor authentication surfaces for abnormal velocity or repeated failures. 
  • Track recurring client fingerprints to surface campaign continuity. 
  • Apply dynamic, context-aware blocking rather than static reputation lists.” concludes the report. 

“Fingerprint-level telemetry exposes cross-infrastructure relationships that defenders might otherwise miss.”
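The three recommendations above amount to two detections: a velocity check on the authentication surface, grouped by something coarser than a single source IP, and a pivot on the client fingerprint to link waves that arrive from different ASNs and hit different vendors. The following is an added example for this article, not code from GreyNoise, Palo Alto Networks or SonicWall. It runs both checks over a constructed JSON-lines log; the field names, IP addresses, ASN labels and JA4 strings are all invented for the demo, and real GlobalProtect or SonicOS logs would need their own field mapping plus a JA4 source such as a TLS-terminating proxy or network sensor.

```python
"""Velocity plus fingerprint-continuity detections over a constructed auth/API log.

Added example; not code from GreyNoise, Palo Alto Networks or SonicWall. The log
format, IPs, ASN labels and JA4 values are invented for the demo.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed JA4-style client fingerprints and request paths (not real values).
F1 = "t13d1516h2_aaaa11112222_bbbb33334444"
F2 = "t13d1517h2_cccc55556666_dddd77778888"
F3 = "t13d1715h2_eeee99990000_ffff12123434"
GP = "/global-protect/login.esp"   # GlobalProtect portal login
SW = "/api/sonicos/auth"           # SonicOS API endpoint (path assumed for the demo)


def _ev(ts, ip, asn, ja4, path, outcome):
    """One constructed JSON log line."""
    return json.dumps({"ts": ts, "src_ip": ip, "asn": asn, "ja4": ja4,
                       "path": path, "outcome": outcome})


# Constructed sample: a late-September wave from one ASN; a December wave from a
# second ASN reusing fingerprints F1/F2 against the portal, then F1 against the
# SonicOS API; and benign traffic (F3) sharing the second ASN but not the tooling.
SAMPLE_LOG = "\n".join(
    [_ev(f"2025-09-28T10:0{i // 2}:{'00' if i % 2 == 0 else '30'}Z", f"198.51.100.{10 + i}",
         "AS64500 ExampleHost-A", F1, GP, "fail") for i in range(6)]
    + [_ev("2025-09-28T10:03:00Z", "198.51.100.20", "AS64500 ExampleHost-A", F2, GP, "fail")]
    + [_ev(f"2025-12-02T08:0{i // 2}:{'00' if i % 2 == 0 else '30'}Z", f"203.0.113.{10 + i}",
           "AS64501 ExampleHost-B", F1, GP, "fail") for i in range(5)]
    + [_ev("2025-12-02T08:02:30Z", "203.0.113.20", "AS64501 ExampleHost-B", F2, GP, "fail"),
       _ev("2025-12-02T08:01:00Z", "203.0.113.99", "AS64501 ExampleHost-B", F3, GP, "success"),
       _ev("2025-12-03T09:00:00Z", "203.0.113.30", "AS64501 ExampleHost-B", F1, SW, "probe"),
       _ev("2025-12-03T09:00:10Z", "203.0.113.31", "AS64501 ExampleHost-B", F1, SW, "probe"),
       _ev("2025-12-03T09:05:00Z", "203.0.113.99", "AS64501 ExampleHost-B", F3, GP, "success")]
)


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def failure_velocity(events, key="asn", window=timedelta(minutes=5), threshold=5):
    """Count failed logins per (key, fixed time bucket); return buckets >= threshold.

    Grouping by ASN rather than source IP matters for a wave spread over 7,000 IPs:
    each IP may stay under a per-IP threshold while the ASN total is obvious.
    """
    size = window.total_seconds()
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] != "fail":
            continue
        start = datetime.fromtimestamp(e["ts"].timestamp() // size * size, tz=timezone.utc)
        counts[(e[key], start)] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def fingerprint_continuity(events, min_asns=2):
    """Pivot on the client fingerprint: ASNs it came from, paths it hit, first/last seen.

    Fingerprints observed from two or more ASNs are the cross-infrastructure links
    a per-IP or per-ASN reputation list cannot see.
    """
    seen = {}
    for e in events:
        s = seen.setdefault(e["ja4"], {"asns": set(), "paths": set(),
                                        "first": e["ts"], "last": e["ts"]})
        s["asns"].add(e["asn"])
        s["paths"].add(e["path"])
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return {fp: s for fp, s in seen.items() if len(s["asns"]) >= min_asns}


def block_candidates(events, linked):
    """Source IPs that presented a linked fingerprint: a context-derived blocklist,
    regenerated from telemetry instead of copied from a static reputation feed."""
    return sorted({e["src_ip"] for e in events if e["ja4"] in linked})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (asn, start), n in sorted(failure_velocity(evs).items(), key=lambda kv: kv[0][1]):
        print(f"velocity: {n} failures from {asn} in window starting {start:%Y-%m-%d %H:%M}Z")
    linked = fingerprint_continuity(evs)
    for fp, s in linked.items():
        print(f"fingerprint {fp}: {len(s['asns'])} ASNs, paths={sorted(s['paths'])}, "
              f"{s['first']:%Y-%m-%d} .. {s['last']:%Y-%m-%d}")
    print("block candidates:", block_candidates(evs, linked))
```

Note the order of operations: the velocity alert fires on its own, but it is the fingerprint pivot that ties the December portal wave, the December 3 API scans and the September wave together, and the benign F3 client on the same ASN as the attackers is left out of the block list because it never presented a linked fingerprint.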





Source: https://securityaffairs.com/185382/hacking/attackers-launch-dual-campaign-on-globalprotect-portals-and-sonicwall-apis.html