A large, organized scanning campaign has been observed targeting Citrix NetScaler (ADC) Gateway systems across the internet. The goal appears to be identifying exposed login pages and gathering software version details — a strong sign that attackers are preparing for possible exploitation.
The activity involved more than 63,000 IP addresses, many of them residential proxy connections, along with cloud infrastructure. In total, over 111,000 sessions were recorded, with most of the traffic specifically targeting Citrix Gateway login interfaces.
This level of focused activity is far beyond normal background internet scanning and shows deliberate infrastructure mapping.
Two-Phase Scanning Operation
The campaign unfolded in two clear stages.
Phase 1: Login Page Discovery
Attackers searched for Citrix login portals by targeting the main authentication page. Most traffic came from residential proxy networks in multiple countries, which lets attackers look like ordinary home users and sidestep IP reputation blocks. Each connection used a different browser fingerprint, making detection harder.
Phase 2: Version Identification
In a shorter, more focused burst, attackers used cloud-hosted systems to request a specific Citrix file related to Endpoint Analysis (EPA). This likely helped them determine which software versions were running. All requests in this phase shared the same outdated browser profile, suggesting automated scanning tools.
Security researchers believe this stage may indicate interest in identifying vulnerable systems tied to known Citrix weaknesses.
Why This Matters
Targeting login pages and version information is often a pre-attack step. Attackers first map exposed systems, then match them with known vulnerabilities before launching exploits.
Recent high-severity issues affecting Citrix products make such reconnaissance especially concerning.
Detection & Defense Tips
Organizations should:
- Monitor for unusual traffic to Citrix login paths
- Watch for access to EPA-related files from external sources
- Look for rapid or repeated login-page enumeration
- Track suspicious browser fingerprints or automation patterns
- Pay attention to traffic coming from residential ISP ranges in unexpected regions
It’s also important to review whether Citrix Gateways truly need to be internet-facing, restrict access where possible, and reduce system information exposure in web responses.
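The detection tips above can be turned into a log check. The following is an added example, not code from the original article: it parses web-server access logs in combined log format and flags the four patterns described (rapid login-page enumeration, rotating browser fingerprints from one source, external access to the EPA file, and one fixed User-Agent shared by many sources). The login and EPA paths are placeholders, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime
# Placeholder paths (assumption): replace with the login page and EPA file
# paths your NetScaler Gateway actually serves; the article names neither.
LOGIN_PATHS = {"/gateway/login"}
EPA_PATHS = {"/gateway/epa/plugin"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" \d{3} \d+ "[^"]*" "([^"]*)"$')

def parse(line):
    # Combined-log-format line -> (ip, time, path, user_agent), or None if unparsable
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, ua = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path.split("?")[0], ua

def detect(lines, burst=3, window_s=60):
    """Return {ip: [finding, ...]} for the recon patterns listed above."""
    hits = defaultdict(list)                      # ip -> [(time, path, ua)]
    for line in lines:
        rec = parse(line)
        if rec:
            hits[rec[0]].append(rec[1:])
    findings, epa_ua_to_ips = defaultdict(set), defaultdict(set)
    for ip, recs in hits.items():
        recs.sort()
        login_times = [t for t, p, _ in recs if p in LOGIN_PATHS]
        # rapid enumeration: `burst` login-page requests within `window_s` seconds
        if any((login_times[i + burst - 1] - login_times[i]).total_seconds() <= window_s
               for i in range(len(login_times) - burst + 1)):
            findings[ip].add("rapid_login_enumeration")
        # fingerprint rotation: one source, several User-Agents on the login page
        if len({ua for _, p, ua in recs if p in LOGIN_PATHS}) > 1:
            findings[ip].add("rotating_fingerprints")
        for _, p, ua in recs:
            if p in EPA_PATHS:
                findings[ip].add("epa_file_access")
                epa_ua_to_ips[ua].add(ip)
    # one fixed User-Agent shared by several sources hitting the EPA file -> tooling
    for ips in (s for s in epa_ua_to_ips.values() if len(s) > 1):
        for ip in ips:
            findings[ip].add("shared_epa_user_agent")
    return {ip: sorted(f) for ip, f in findings.items()}

SAMPLE_LOG = [  # constructed sample lines (documentation IP ranges), not real traffic
    '203.0.113.10 - - [10/Jan/2025:10:00:01 +0000] "GET /gateway/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
    '203.0.113.10 - - [10/Jan/2025:10:00:05 +0000] "GET /gateway/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/17"',
    '203.0.113.10 - - [10/Jan/2025:10:00:09 +0000] "GET /gateway/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) Firefox/121"',
    '198.51.100.7 - - [10/Jan/2025:11:30:00 +0000] "GET /gateway/epa/plugin HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/70"',
    '198.51.100.8 - - [10/Jan/2025:11:30:02 +0000] "GET /gateway/epa/plugin HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/70"',
    '192.0.2.55 - - [10/Jan/2025:12:00:00 +0000] "GET /gateway/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"',
]
```

Running `detect(SAMPLE_LOG)` flags the rotating, bursty source and the two EPA requesters sharing one outdated User-Agent, while the single ordinary login request from the last source produces no finding.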
This campaign highlights how attackers carefully prepare before launching an exploit — giving defenders a critical window to detect and block suspicious activity early.
IOCs
Primary IPs (Version Disclosure – AWS):
- 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56
- 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162
Primary IP (Login Panel – Azure):
- 52.139.3.76