An unprecedented surge in login scans exposes the evolving tactics of cybercriminals targeting Citrix infrastructure worldwide.