Full Report
Between January 28 and February 2, 2026, the GreyNoise Global Observation Grid tracked a coordinated reconnaissance campaign against Citrix ADC Gateway and Netscaler Gateway infrastructure. The campaign ran in two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint. The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically. That last number matters: it is well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.

## Two Campaigns, One Target

| Mode | Sessions | Source IPs | Infrastructure | Target |
|---|---|---|---|---|
| Login Panel Discovery | 109,942 | 63,189 | Azure + residential proxies | /logon/LogonPoint/index.html |
| Version Disclosure | 1,892 | 10 | AWS us-west-1/us-west-2 | /epa/scripts/win/nsepa_setup.exe |

Both campaigns fully activated just before February 1st and almost exclusively targeted Citrix infrastructure. Their objectives are complementary (find the login panels, then enumerate versions), which suggests coordinated reconnaissance.

## The Residential Proxy Problem

A single Microsoft Azure Canada IP generated 39,461 sessions (36% of all login panel traffic) using the Prometheus blackbox-exporter user agent. User agents can be and regularly are spoofed, but they are also easy to spot and easy to block. The remaining traffic came from residential ISPs across Vietnam, Argentina, Mexico, Algeria, Iraq, and a dozen other countries, with one session per IP. This is classic residential proxy rotation: each IP presents a unique browser fingerprint, and the operator cycles both addresses and user agent strings. These IPs bypass geographic blocking and reputation filtering because they are legitimate consumer ISP addresses, and organizations are very reluctant to shut out potential customers.

## The 6-Hour Version Sprint

The Version Disclosure component is more concerning from a "what comes next" perspective. On February 1st, 10 AWS IPs fired off 1,892 requests targeting the Citrix Endpoint Analysis (EPA) setup file in a concentrated 6-hour window:

- 00:00 UTC: 192 sessions (start)
- 02:00 UTC: 362 sessions (peak)
- 05:00 UTC: 283 sessions (end)

All 10 sources used an identical Chrome 50 user agent (circa 2016) and shared uniform HTTP fingerprint characteristics. The rapid onset and completion suggest a targeted scanning sprint, possibly triggered by the discovery of vulnerable EPA configurations or by intelligence about deployment windows.

## What TCP Fingerprints Reveal

Without getting into raw signatures, the TCP-layer analysis exposes infrastructure separation:

- Azure Scanner: The dominant Azure source shows VPN/tunnel nested encapsulation with a reduced MSS (62 bytes below standard). The operator routes scanning traffic through an additional network layer, which demonstrates a focus on operational security, or at least operational awareness.
- Residential Proxies: The distributed residential traffic shows Windows TCP stack characteristics (maximum 16-bit window size) routing through Linux-based proxy infrastructure; Windows client => Linux proxies.
- AWS Version Scanners: The version disclosure sources show jumbo frame MSS values, far larger than standard Ethernet allows. This configuration requires datacenter switching infrastructure with 9,000+ byte MTU support. It is physically impossible on consumer networks, confirming exclusive datacenter hosting.

Despite the different infrastructure types, all fingerprints share identical TCP option ordering, an indicator of common tooling or a common framework underneath the operational compartmentalization.

## Pre-Attack Indicators

This reconnaissance activity likely represents infrastructure mapping before exploitation. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses.

Detection opportunities:

- Monitor for the blackbox-exporter user agent from non-authorized sources
- Alert on external access to /epa/scripts/win/nsepa_setup.exe
- Flag rapid /logon/LogonPoint/ enumeration patterns
- Watch for HEAD requests to Citrix Gateway endpoints
- Track outdated browser fingerprints (Chrome 50 from 2016)

Defensive recommendations:

- Review external Citrix Gateway exposure; validate the business need for internet-facing deployments
- Implement authentication requirements for the /epa/scripts/ directory (note that the EPA client is normally downloaded before the user authenticates, so test any restriction against your EPA-dependent logon flows first)
- Configure Citrix Gateways to suppress version disclosure in HTTP responses
- Flag access anomalies from residential ISPs in unexpected regions

## IOCs

Primary IPs (Version Disclosure - AWS): 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162

Primary IP (Login Panel - Azure): 52.139.3.76

GreyNoise Tags: Citrix ADC Gateway Login Panel Crawler; Citrix Netscaler Gateway Version Disclosure

Organizations running internet-facing Citrix infrastructure should treat this activity as a pre-attack signal. The 79% targeting rate is not mere "noise". Someone is almost certainly building a target list.
Analysis Summary
This summary focuses on the TTPs observed during the coordinated reconnaissance campaign against Citrix devices, as detailed in the full report above. No pre-existing malware family was identified; the campaign relied on custom tooling and deliberate infrastructure compartmentalization.
# Operation: Dual-Mode Citrix Gateway Reconnaissance
(No commercial malware name; described as a Coordinated Reconnaissance Campaign)
## Overview
A coordinated reconnaissance campaign tracked between January 28 and February 2, 2026, targeting Citrix ADC Gateway and Netscaler Gateway infrastructure. The operation employed two distinct, yet complementary, modes: widespread login panel discovery and concentrated version disclosure scanning.
## Technical Details
- Type: Technique / Reconnaissance Campaign Tooling
- Platform: Citrix ADC Gateway / Netscaler Gateway
- Capabilities: Large-scale distributed scanning, infrastructure mapping, version enumeration, bypass of reputation filters via residential proxies.
- First Seen: January 28, 2026
## MITRE ATT&CK Mapping
This is pre-compromise activity, so it maps to the Reconnaissance and Resource Development tactics rather than Discovery (which covers enumeration from inside an already compromised environment). No command-and-control channel was observed, so no C2 techniques are mapped:
- **TA0043 - Reconnaissance**
  - T1595.001 - Active Scanning: Scanning IP Blocks (distributed login panel discovery against `/logon/LogonPoint/index.html` from 63,000+ sources)
  - T1595.002 - Active Scanning: Vulnerability Scanning (probing `/epa/scripts/win/nsepa_setup.exe` to identify version-specific weaknesses)
  - T1592.002 - Gather Victim Host Information: Software (version disclosure via the EPA setup file path)
- **TA0042 - Resource Development**
  - T1583.006 - Acquire Infrastructure: Web Services (Azure and AWS scanning hosts)
  - T1665 - Hide Infrastructure (residential proxy rotation to evade geographic and reputation filtering)
## Functionality
### Core Capabilities
1. **Login Panel Discovery (Massive Distribution):** Attempted to locate login portals using paths like `/logon/LogonPoint/index.html`. This was achieved using a massive network of 63,000+ unique IPs routed through Azure and residential proxies.
2. **Version Disclosure Sprint (Concentrated):** A highly focused 6-hour sprint targeting the presence of the Citrix Endpoint Analysis (EPA) setup file: `/epa/scripts/win/nsepa_setup.exe`. This specific file enumeration suggests an effort to map devices running software vulnerable to known version-specific exploits.
### Advanced Features
1. **Residential Proxy Rotation:** Utilized a vast pool of IPs from consumer ISPs (Vietnam, Argentina, Mexico, etc.) to bypass geo-blocking and reputation filtering. Each IP often used a unique browser fingerprint and rotating user agents.
2. **Infrastructure OpSec:** Different scanning modes utilized distinct infrastructure footprints:
* **Azure Scan:** Showed VPN/tunnel encapsulation and a reduced MSS (Operational Security awareness).
    * **AWS Scan:** Exhibited jumbo frame MSS values (9,000+ byte MTU), which consumer networks cannot carry end to end, confirming datacenter hosting.
3. **Common Tooling Signature:** Despite operational compartmentalization across Azure, AWS, and proxies, all observed TCP fingerprints shared an identical TCP option ordering, strongly suggesting the use of a common, underlying scanning framework.
4. **Low-and-Slow Evasion:** The residential component used one session per IP to mimic legitimate user traffic.
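The following is an added example, not GreyNoise tooling or anything from the report: it decodes the TCP options of a SYN into a p0f-style fingerprint and applies the three TCP-layer observations made in the Full Report ("What TCP Fingerprints Reveal") and in the Infrastructure OpSec / Common Tooling Signature items above: MSS reduced by tunnel overhead, a window pinned at the 16-bit maximum, jumbo-frame MSS, and identical option ordering across sources. The three SYN samples are constructed; their exact MSS, window and window-scale values are assumptions chosen to mirror the traits described, not captured packets.

```python
"""Decode TCP SYN options into a p0f-style fingerprint and compare sources.

Added example, not GreyNoise tooling. The three SYN samples below are
constructed to mirror the traits the report describes; their values are
assumptions, not captured data.
"""
import struct
from dataclasses import dataclass
from typing import Optional

STANDARD_MSS = 1460        # 1500-byte Ethernet MTU minus 20-byte IP + 20-byte TCP headers
MAX_16BIT_WINDOW = 65535   # largest value the unscaled 16-bit window field can hold
OPTION_NAMES = {0: "eol", 1: "nop", 2: "mss", 3: "ws", 4: "sok", 8: "ts"}


@dataclass(frozen=True)
class SynFingerprint:
    source: str
    window: int
    mss: Optional[int]
    wscale: Optional[int]
    option_order: tuple   # option kinds in wire order, e.g. ("mss", "sok", "ts", "nop", "ws")


def parse_tcp_options(raw: bytes):
    """Walk the TCP options field (kind, length, data) and return the option
    kinds in wire order plus the decoded MSS and window-scale values."""
    order, values, i = [], {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                    # EOL: only padding follows
            order.append("eol")
            break
        if kind == 1:                    # NOP is a single byte with no length field
            order.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"bad length {length} for option kind {kind}")
        order.append(OPTION_NAMES.get(kind, f"opt{kind}"))
        if kind == 2 and length == 4:
            values["mss"] = struct.unpack("!H", raw[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:
            values["ws"] = raw[i + 2]
        i += length
    return order, values


def fingerprint(source, window, raw_options):
    order, values = parse_tcp_options(raw_options)
    return SynFingerprint(source, window, values.get("mss"), values.get("ws"), tuple(order))


def classify(fp):
    """Traits the report reasons about: MSS delta against standard Ethernet and
    whether the window sits at the unscaled 16-bit maximum."""
    traits = []
    if fp.mss is not None:
        delta = fp.mss - STANDARD_MSS
        if delta > 0:
            traits.append(f"jumbo-mss(+{delta})")     # needs a >1500-byte MTU path end to end
        elif delta < 0:
            traits.append(f"reduced-mss({delta})")    # bytes consumed by tunnel/VPN encapsulation
    if fp.window == MAX_16BIT_WINDOW:
        traits.append("max-16bit-window")
    return traits


def shared_option_order(fps):
    """Return the common option ordering if every source uses the same one, else None."""
    orders = {fp.option_order for fp in fps}
    return orders.pop() if len(orders) == 1 else None


def build_syn_options(mss, wscale):
    """Construct sample option bytes in the order MSS, SACK-OK, timestamps, NOP, WS.
    One fixed ordering stands in for the 'identical option ordering' the report saw."""
    return (b"\x02\x04" + struct.pack("!H", mss)       # kind 2, len 4: MSS
            + b"\x04\x02"                               # kind 4, len 2: SACK permitted
            + b"\x08\x0a" + struct.pack("!II", 1, 0)    # kind 8, len 10: TSval/TSecr
            + b"\x01"                                   # NOP padding
            + b"\x03\x03" + bytes([wscale]))            # kind 3, len 3: window scale


def sample_fingerprints():
    """Constructed SYNs for the three source classes in the report (assumed values)."""
    return {
        "azure": fingerprint("azure", 64240, build_syn_options(1460 - 62, 7)),        # 62 bytes of tunnel overhead
        "residential": fingerprint("residential", 65535, build_syn_options(1460, 8)),  # unscaled 16-bit max window
        "aws": fingerprint("aws", 64240, build_syn_options(8961, 7)),                 # 9001-byte MTU minus 40
    }


if __name__ == "__main__":
    fps = sample_fingerprints()
    for name, fp in fps.items():
        print(name, fp.option_order, classify(fp))
    print("shared option order:", shared_option_order(fps.values()))
```

In practice the window and option bytes come from the SYN of each honeypot session (for example via a pcap parser); the point of `shared_option_order` is that sources with very different MSS and window traits still collapse to one signature when the same framework originates the packets.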
## Indicators of Compromise
- File Hashes: N/A (No malware observed for hashing)
- URL Paths: `/logon/LogonPoint/index.html`, `/epa/scripts/win/nsepa_setup.exe`
- Registry Keys: N/A
- Network Indicators:
    * **Azure Login Panel Source IP:** 52.139.3.76
    * **AWS Version Disclosure Source IPs (10):** 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162
- Behavioral Indicators:
* Use of the `blackbox-exporter` User Agent (associated with the Azure source).
* Rapid enumeration patterns against the `/logon/LogonPoint/` directory path.
* Use of an outdated Chrome 50 User Agent (circa 2016) by the AWS scanners.
    * Jumbo-frame MSS values (well above the standard 1,460 bytes) on external connections to Citrix endpoints.
## Associated Threat Actors
No specific threat actor group was named; however, the resource-intensive mix of Azure, AWS, and residential proxy infrastructure suggests an organized adversary, likely targeting known Citrix security gaps. Associated GreyNoise Tags: Citrix ADC Gateway Login Panel Crawler, Citrix Netscaler Gateway Version Disclosure.
## Detection Methods
- **Signature-based detection:** Alert on external access attempts to `/epa/scripts/win/nsepa_setup.exe`.
- **Behavioral detection:** Flag rapid enumeration patterns against common Citrix login paths (`/logon/LogonPoint/`). Monitor for `HEAD` requests specifically aimed at Citrix Gateway endpoints.
- **Anomaly Detection:** Flag access anomalies originating from residential ISPs in unexpected geographic regions.
- **User Agent Monitoring:** Alert on the presence of the `blackbox-exporter` user agent from external, non-vetted sources. Track activity using severely outdated browser fingerprints (e.g., Chrome 50).
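The detection opportunities listed in the Full Report and the Detection Methods above, run over access log lines, as an added example that is not part of the report or of any Citrix or GreyNoise tooling. It assumes a combined-format access log from a reverse proxy or WAF in front of the gateway; the log lines are constructed to mirror the traffic the report describes (the Azure and AWS addresses are the report's IOCs, the residential addresses are RFC 5737 test ranges, and the `Blackbox Exporter/...` user agent string and the `AUTHORIZED_MONITORS` allow-list are assumptions).

```python
"""Run the report's detection opportunities over web-server access log lines.

Added example, not GreyNoise or Citrix code. Assumes a combined-format access
log from a reverse proxy or WAF in front of the gateway; the sample log is
constructed, not real telemetry.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATH = "/logon/LogonPoint/index.html"
EPA_SETUP = "/epa/scripts/win/nsepa_setup.exe"
GATEWAY_PREFIXES = ("/logon/", "/epa/", "/vpn/")
AUTHORIZED_MONITORS = {"10.0.0.5"}   # assumption: your own blackbox_exporter host(s)


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def per_request_rules(rec):
    """Stateless checks from the report; returns the names of the rules that fired."""
    hits = []
    ua = rec["ua"].lower()
    if "blackbox" in ua and rec["ip"] not in AUTHORIZED_MONITORS:
        hits.append("blackbox-exporter-ua")        # probe UA from a non-authorized source
    if rec["path"] == EPA_SETUP:
        hits.append("epa-setup-access")            # external access to the EPA setup binary
    if rec["method"] == "HEAD" and rec["path"].startswith(GATEWAY_PREFIXES):
        hits.append("head-to-gateway")             # HEAD requests against gateway endpoints
    if "chrome/50." in ua:
        hits.append("outdated-chrome50-ua")        # 2016-era browser fingerprint
    return hits


def analyze(lines, window_s=600, burst=20, distributed=5):
    """Returns {rule: set(source IPs)}. The two stateful rules watch the login
    path inside a sliding window: 'login-burst' is one IP hammering it, and
    'login-distributed' is many IPs touching it exactly once each, which is the
    residential proxy rotation pattern the report describes."""
    findings = defaultdict(set)
    recs = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    window = deque()   # (ts, ip) of login-path hits no older than window_s
    for rec in recs:
        for rule in per_request_rules(rec):
            findings[rule].add(rec["ip"])
        if rec["path"] != LOGIN_PATH:
            continue
        window.append((rec["ts"], rec["ip"]))
        while (rec["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()
        counts = Counter(ip for _, ip in window)
        for ip, n in counts.items():
            if n >= burst:
                findings["login-burst"].add(ip)
        singles = [ip for ip, n in counts.items() if n == 1]
        if len(singles) >= distributed:
            findings["login-distributed"].update(singles)
    return dict(findings)


def _line(ip, ts, method, path, ua, status=200):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """Constructed log lines (not real telemetry) mirroring the report's traffic."""
    lines = []
    # Azure source: blackbox-exporter UA (string assumed), hammering the login panel
    for i in range(25):
        lines.append(_line("52.139.3.76", f"01/Feb/2026:01:00:{i:02d} +0000",
                           "GET", LOGIN_PATH, "Blackbox Exporter/0.25"))
    # residential proxies: one request per IP, current-looking browser UAs
    residential = ["203.0.113.11", "198.51.100.7", "192.0.2.44", "203.0.113.90", "198.51.100.200"]
    for i, ip in enumerate(residential):
        lines.append(_line(ip, f"01/Feb/2026:01:02:{i * 10:02d} +0000",
                           "GET", LOGIN_PATH, f"Mozilla/5.0 (Windows NT 10.0) Chrome/13{i}.0"))
    # AWS version-disclosure sprint: HEAD to the EPA setup binary with a Chrome 50 UA
    for ip in ["44.251.121.190", "13.57.253.3"]:
        lines.append(_line(ip, "01/Feb/2026:02:00:00 +0000", "HEAD", EPA_SETUP,
                           "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/50.0.2661.102 Safari/537.36"))
    # benign: the organization's own monitoring host probing the login panel
    lines.append(_line("10.0.0.5", "01/Feb/2026:03:00:00 +0000", "GET", LOGIN_PATH, "Blackbox Exporter/0.25"))
    return lines


if __name__ == "__main__":
    for rule, ips in sorted(analyze(sample_log()).items()):
        print(f"{rule:24s} {sorted(ips)}")
```

The thresholds (`window_s`, `burst`, `distributed`) are tuning knobs, not values from the report; on a real gateway the distributed rule needs a baseline of how many distinct first-time sources normally load the login page per window, otherwise a marketing campaign will fire it.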
## Mitigation Strategies
- **Exposure Review:** Review internet-facing deployments of Citrix Gateways; validate the business need for external access.
- **Access Control:** Implement authentication requirements for sensitive directories such as `/epa/scripts/`; since the EPA client is fetched before the user authenticates, verify that EPA-dependent logon flows still work after any restriction.
- **Information Suppression:** Configure Citrix Gateways to suppress version disclosure in HTTP responses to prevent enumeration.
- **IP/Reputation Filtering:** Flag or rate-limit access anomalies originating from residential ISP ranges where business context does not permit.
## Related Tools/Techniques
- **Residential Proxy Networks:** Similar to techniques used by botnets for credential stuffing or widespread credential testing.
- **Blackbox Exporter:** A legitimate Prometheus probing tool; its user agent in scanner traffic means it is either being driven directly as a probe or spoofed as camouflage for monitoring-like traffic.