Coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure

A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure has been observed over the past week, leveraging tens of thousands of residential proxy IPs to identify exposed login panels and enumerate product versions. The activity, tracked between January 28 and February 2, indicates deliberate infrastructure mapping rather than opportunistic crawling.

Threat monitoring firm GreyNoise reported that the campaign originated from more than 63,000 distinct IP addresses, generating 111,834 scanning sessions. Nearly 79% of the traffic targeted Citrix Gateway honeypots, with about 64% of requests routed through residential proxies designed to appear as legitimate consumer ISP traffic. The remaining 36% of activity came from a single Microsoft Azure IP address.

Researchers observed two primary reconnaissance indicators. The first was large-scale probing of the Citrix Gateway authentication interface at “/logon/LogonPoint/index.html” to identify exposed login portals. The second targeted the Endpoint Analysis (EPA) client installer at “/epa/scripts/win/nsepa_setup.exe,” a file whose version metadata is commonly used to infer the NetScaler build that is deployed. All observed sources presented an outdated Chrome 50 user agent and shared uniform HTTP fingerprint characteristics, which is what makes the activity look like one tooling set behind many exit IPs rather than independent scanners.
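The two paths and the Chrome 50 user agent are enough to build a simple detection over ordinary web-server access logs. The script below is an added example written for this page, not code from GreyNoise or Citrix: it parses combined-format log lines, flags requests that hit either reconnaissance path with a Chrome 50 user agent, and groups the hits by source IP so a scanning sprint stands out from routine logins. The log format, the sample IP addresses, timestamps and the exact user-agent string are all constructed for the example; only the two paths and the "Chrome 50" detail come from the report.

```python
"""Flag NetScaler reconnaissance probes in web-server access logs.

Added example (not GreyNoise or Citrix code). Matches the two paths named
in the GreyNoise report plus an outdated Chrome 50 user agent, then groups
hits by source IP.
"""
import re
from collections import defaultdict

# Paths named in the report.
RECON_PATHS = {
    "/logon/LogonPoint/index.html",
    "/epa/scripts/win/nsepa_setup.exe",
}

# Apache/nginx "combined" log format. The regex is an assumption for this
# example; adjust it if your gateway or reverse proxy logs differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_recon_probe(rec):
    """True when a request hits a recon path with a Chrome 50 user agent.

    The trailing dot in "Chrome/50." keeps Chrome 500+ from matching.
    """
    path = rec["path"].split("?", 1)[0]
    return path in RECON_PATHS and "Chrome/50." in rec["ua"]


def summarize(lines):
    """Return {ip: {"hits": n, "paths": [...]}} for every flagged source IP."""
    out = defaultdict(lambda: {"hits": 0, "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_recon_probe(rec):
            continue
        out[rec["ip"]]["hits"] += 1
        out[rec["ip"]]["paths"].add(rec["path"].split("?", 1)[0])
    return {ip: {"hits": v["hits"], "paths": sorted(v["paths"])} for ip, v in out.items()}


# Constructed sample lines (documentation IP ranges, invented timestamps and
# a representative Chrome 50 UA string, not traffic from the campaign).
CHROME50 = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36")
CHROME_NEW = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36")
SAMPLE_LOG = [
    f'203.0.113.10 - - [29/Jan/2026:10:15:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4312 "-" "{CHROME50}"',
    f'203.0.113.10 - - [29/Jan/2026:10:15:02 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 913408 "-" "{CHROME50}"',
    f'198.51.100.7 - - [29/Jan/2026:10:16:40 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 913408 "-" "{CHROME50}"',
    f'192.0.2.55 - - [29/Jan/2026:10:17:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4312 "-" "{CHROME_NEW}"',
    f'203.0.113.10 - - [29/Jan/2026:10:17:09 +0000] "GET /logon/LogonPoint/receiver/images/logo.png HTTP/1.1" 200 2210 "-" "{CHROME50}"',
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} probe(s) -> {', '.join(info['paths'])}")
```

The user-agent check is the discriminator here: the logon page is hit by every legitimate user, so the path alone would be noise, and the example deliberately leaves the Chrome 131 login unflagged. In a real deployment, feed the flagged IPs into a proxy-reputation lookup, since the report notes most sources were residential proxy exits that will not look suspicious by ASN alone.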

“The rapid onset and completion suggests a targeted scanning sprint that may have been triggered by discovery of vulnerable EPA configurations or intelligence about deployment windows,” the company noted.

According to GreyNoise, the campaign is likely pre-exploitation infrastructure mapping, potentially in preparation for version-specific exploit development or for validating which exposed appliances still run builds affected by known NetScaler ADC weaknesses.

Last November, Amazon’s threat intelligence division uncovered a sophisticated campaign in which an advanced threat actor exploited a high-severity vulnerability in NetScaler ADC and Gateway (CVE-2025-5777, aka “Citrix Bleed 2”) and a separate flaw in Cisco Identity Services Engine (ISE), CVE-2025-20337, to deploy custom malware.

In a separate report, GreyNoise noted that two months after the disclosure of CVE-2025-55182 (React2Shell), exploitation of React Server Components has sharply consolidated. Over the past seven days, just two IP addresses generated 56% of the 1.4 million observed exploitation attempts, a marked narrowing from the 1,083 unique sources seen earlier. One operation focuses on cryptomining, deploying XMRig via staging servers, while the other opens direct reverse shells for interactive access. The distinct post-exploitation behaviors suggest either two separate actors or a single actor using compartmentalized infrastructure.
