
Hackers Actively Scan Citrix NetScaler Infrastructure to Identify Exposed Login Panels

A coordinated global reconnaissance campaign has been observed targeting Citrix ADC (NetScaler) Gateway infrastructure.

According to multiple security telemetry sources, attackers launched a massive scan aimed at discovering authentication panels and enumerating software versions, a strong sign of pre‑exploitation activity.

GreyNoise analysts reported the campaign generated 111,834 sessions originating from over 63,000 unique IP addresses, with 79% of that traffic specifically directed at Citrix Gateway honeypot systems.

This volume far exceeds normal background internet noise, confirming a deliberate reconnaissance operation rather than opportunistic scanning.

Phased Reconnaissance Using Residential Proxies

The campaign operated in two distinct phases. The first, dubbed the Login Panel Discovery Phase, recorded 109,942 scanning sessions attempting connections to the /logon/LogonPoint/index.html login page.

Two Campaigns, One Target

Researchers found that 64% of IPs came through residential proxies spread across countries, including Vietnam, Argentina, Mexico, Algeria, and Iraq.

These proxies were particularly effective at bypassing IP reputation filters and geoblocking, since their addresses appeared as legitimate consumer ISP endpoints.

Interestingly, a single Microsoft Azure IP based in Canada accounted for 36% of requests, all tagged with a Prometheus blackbox‑exporter user agent.

Each IP in the proxy rotation carried unique browser fingerprints and user‑agent strings, further complicating attribution and correlation.

The second stage, a Version Disclosure Phase on February 1, 2026, saw ten AWS instances conduct a concentrated six‑hour scanning burst.

These systems fired 1,892 requests to the /epa/scripts/win/nsepa_setup.exe path to probe Citrix Endpoint Analysis (EPA) component versions. Traffic peaked at 362 sessions near 02:00 UTC, rapidly subsiding after 05:00 UTC.

Every AWS source used an outdated Chrome 50 user agent from 2016 and shared identical HTTP headers, suggesting a single actor orchestrating the scan through disposable cloud instances.

Mode                    Sessions   Source IPs   Infrastructure
Login Panel Discovery   109,942    63,189       Azure + Residential proxies
Version Disclosure      1,892      10           AWS us‑west‑1/us‑west‑2

GreyNoise investigators believe this activity is linked to reconnaissance supporting exploit development against known weaknesses in Citrix ADC and Gateway versions.

The sampling of EPA setup paths implies potential vulnerability validation or version‑specific exploit testing.

Recent Citrix vulnerabilities, such as CVE‑2025‑5777 (CitrixBleed 2) and CVE‑2025‑5775, a remote code execution flaw, have already been exploited in previous attacks.

Security teams should assume adversaries are mapping environments in preparation for similar campaigns.

Defenders are urged to:

  • Monitor for “blackbox‑exporter” user agents from unapproved sources.
  • Alert on HTTP requests to /epa/scripts/win/nsepa_setup.exe.
  • Track rapid enumeration attempts against /logon/LogonPoint/ paths.
  • Detect HEAD requests to Citrix Gateway endpoints.
  • Flag access patterns using antiquated browser fingerprints like Chrome 50.

Administrators should restrict internet exposure of Citrix Gateway systems, enforce authentication for the /epa/scripts/ directory, and remove banner or error message version disclosures.

Monitoring for connections from residential ISP ranges or unexpected geographies can further improve visibility into reconnaissance activity of this kind.

Indicators of Compromise (IOCs)

Version Disclosure – AWS:
44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162

Login Panel – Azure:
52.139.3.76
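The detection guidance above and the published IOC list can be turned into a single log-review routine. The following is an added example, not code from the article or from GreyNoise: it parses constructed web-server access log lines in combined log format (the field layout is an assumption; NetScaler or reverse-proxy logs will need a different regex), then flags the indicators the article names: blackbox-exporter user agents, requests to /epa/scripts/win/nsepa_setup.exe, bursts of requests to /logon/LogonPoint/ from one source, HEAD requests, Chrome builds far older than current, and source IPs from the IOC list. The burst threshold and the "antiquated Chrome" cutoff are assumptions to tune per environment; the IP addresses in the sample log that are not IOCs come from the reserved documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOCs as published in the article.
AWS_VERSION_DISCLOSURE_IPS = {
    "44.251.121.190", "13.57.253.3", "50.18.232.85", "52.36.139.223", "54.201.20.56",
    "54.153.0.164", "54.176.178.13", "18.237.26.188", "54.219.42.163", "18.246.164.162",
}
AZURE_LOGIN_PANEL_IPS = {"52.139.3.76"}
IOC_IPS = AWS_VERSION_DISCLOSURE_IPS | AZURE_LOGIN_PANEL_IPS

# Assumed log layout: combined log format, user agent in the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tuning assumptions: N requests to /logon/LogonPoint/ from one IP within the window
# counts as rapid enumeration; Chrome majors at or below the cutoff count as antiquated.
LOGON_BURST_COUNT = 5
LOGON_BURST_WINDOW = timedelta(seconds=60)
ANTIQUATED_CHROME_MAX_MAJOR = 60
CHROME_MAJOR_RE = re.compile(r"Chrome/(\d+)\.")


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def per_request_flags(rec):
    """Indicators that can be judged from a single request."""
    flags = set()
    if rec["ip"] in IOC_IPS:
        flags.add("ioc_ip")
    # Blackbox exporter identifies itself as e.g. "Blackbox Exporter/x.y.z"; normalise before matching.
    if "blackbox-exporter" in rec["ua"].lower().replace(" ", "-"):
        flags.add("blackbox_exporter")
    if rec["path"].startswith("/epa/scripts/win/nsepa_setup.exe"):
        flags.add("epa_version_probe")
    if rec["method"] == "HEAD":
        flags.add("head_request")
    m = CHROME_MAJOR_RE.search(rec["ua"])
    if m and int(m.group(1)) <= ANTIQUATED_CHROME_MAX_MAJOR:
        flags.add("antiquated_chrome")
    return flags


def _has_burst(times, count, window):
    """Sliding window: True if at least `count` timestamps fall inside any `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= count:
            return True
    return False


def analyze(lines):
    """Map each source IP to the sorted list of indicators it triggered (IPs with none are omitted)."""
    flags = defaultdict(set)
    logon_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        flags[rec["ip"]].update(per_request_flags(rec))
        if rec["path"].startswith("/logon/LogonPoint/"):
            logon_times[rec["ip"]].append(rec["ts"])
    for ip, times in logon_times.items():
        if _has_burst(times, LOGON_BURST_COUNT, LOGON_BURST_WINDOW):
            flags[ip].add("logon_enumeration_burst")
    return {ip: sorted(f) for ip, f in flags.items() if f}


NEW_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36"
OLD_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"

# Constructed sample log: one enumeration burst, one IOC hit per phase, one HEAD probe, one benign login.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Feb/2026:01:58:{s:02d} +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "{NEW_CHROME}"'
    for s in (10, 14, 19, 23, 31)
] + [
    '52.139.3.76 - - [01/Feb/2026:02:00:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "Blackbox Exporter/0.25.0"',
    f'44.251.121.190 - - [01/Feb/2026:02:00:05 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 2048 "-" "{OLD_CHROME}"',
    f'198.51.100.9 - - [01/Feb/2026:02:01:00 +0000] "HEAD /vpn/index.html HTTP/1.1" 200 0 "-" "{NEW_CHROME}"',
    f'192.0.2.1 - - [01/Feb/2026:02:02:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 512 "-" "{NEW_CHROME}"',
]

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. The per-request flags are cheap and suitable for streaming; the burst check needs state per source IP, so in a SIEM it maps naturally onto a count-by-source-over-window rule rather than a per-event match.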


The post Hackers Actively Scan Citrix NetScaler Infrastructure to Identify Exposed Login Panels appeared first on Cyber Security News.
