GreyNoise tracks massive Citrix Gateway recon using 63K+ residential proxies and AWS

GreyNoise spotted a dual-mode Citrix Gateway recon campaign using 63K+ residential proxies and AWS to find login panels and enumerate versions.

Between Jan 28 and Feb 2, 2026, GreyNoise tracked a coordinated reconnaissance campaign targeting Citrix ADC and NetScaler Gateways. Attackers used over 63,000 residential proxies to discover login panels, then switched to AWS infrastructure to aggressively enumerate exposed versions across more than 111,000 sessions.

The activity logged 111,834 sessions from over 63,000 IPs, with 79% aimed at Citrix Gateway honeypots, pointing to targeted infrastructure mapping rather than random crawling.

“The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically.” reads the report published by GreyNoise. “That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.”

Two related campaigns targeted Citrix infrastructure just before February 1, 2026. One scanned the web to find login panels, while the other quickly checked software versions, showing a coordinated reconnaissance effort.

The login discovery relied heavily on residential proxies. Attackers used one large Azure IP for a big chunk of traffic, but the rest came from thousands of legitimate consumer IPs worldwide. Each IP had a unique browser fingerprint, helping them bypass geofencing and reputation filters.

The version check ran over six hours from 10 AWS IPs using the same old Chrome fingerprint. The rapid, focused activity suggests the attackers acted fast after finding potential targets.

The Azure scanner routed traffic through VPNs and tunnels with a slightly smaller-than-normal MSS, showing careful operational security. Residential proxies came from Windows devices but passed through Linux proxies, blending consumer traffic. AWS version scanners used jumbo frame settings only possible in datacenters, confirming they relied on dedicated infrastructure rather than consumer networks.

TCP analysis shows different infrastructure setups but a shared framework: Azure traffic used VPN tunnels, residential scans went through Linux proxies, and AWS scans required datacenter-level network settings. All shared TCP traits indicate the same underlying tools across campaigns.

“Despite different infrastructure types, all fingerprints share identical TCP option ordering, which is an indicator of common tooling or framework underneath the operational compartmentalization.” continues the report.

The reconnaissance likely maps Citrix infrastructure before attacks, targeting EPA setup files for potential exploits. Organizations should monitor unusual user agents, rapid login enumeration, outdated browser fingerprints, and external access to sensitive paths. Defense includes limiting exposure, enforcing authentication, suppressing version info, and flagging suspicious regional traffic.

“This reconnaissance activity likely represents infrastructure mapping before exploitation. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses.” concludes the report that includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Citrix)