Proxy Shadows: The Global Hunt for Citrix Gateways Unveiled
Subtitle: A sprawling reconnaissance operation leverages residential proxies and cloud power to map Citrix NetScaler logins and expose organizations worldwide to targeted cyber threats.
At 2 a.m. UTC, a silent storm swept across the globe. Security teams monitoring their Citrix NetScaler Gateways watched as traffic surged - not the random noise of internet scanning, but a sharp, methodical probe. Thousands of unique IP addresses, masquerading behind residential proxies and cloud servers, were on a mission: to find and fingerprint every exposed Citrix login page in sight.
The campaign, uncovered by threat researchers, was anything but random. It unfolded in two distinct phases - a massive, distributed search for Citrix login panels, followed by a laser-focused sprint to extract version information from exposed systems. The first wave saw nearly 110,000 sessions from more than 63,000 unique IP addresses, most of them hiding behind residential proxies in countries as far-flung as Vietnam, Algeria, and Mexico. This allowed threat actors to slip past geographic blocks and reputation filters, with traffic blending in as if from everyday internet users.
One curious detail: a single Microsoft Azure IP in Canada was responsible for over a third of these scans, using the telltale “Prometheus blackbox-exporter” user agent - an indicator that this was more than just opportunistic poking. Each IP cycled browser fingerprints, making detection even trickier. Then, on February 1, 2026, the operation shifted gears. Ten AWS instances, all in the US, launched a concentrated six-hour barrage, hammering the Citrix Endpoint Analysis (EPA) setup file in a bid to enumerate software versions - vital intelligence for crafting targeted exploits.
Why the urgency? Recent critical vulnerabilities, notably “CitrixBleed 2” (CVE-2025-5777) and a zero-day remote code execution flaw (CVE-2025-5775), have put Citrix infrastructure in the crosshairs of sophisticated attackers. By mapping login panels and extracting version data, adversaries can quickly identify which organizations are ripe for compromise - and move before defenders can patch or hide their systems.
Detection is possible, but only for those watching closely. Researchers recommend monitoring for unusual user agents (like the blackbox-exporter), sudden bursts of login page requests, access to the EPA setup file, and outdated browser fingerprints (notably Chrome 50 from 2016). Organizations should urgently review whether their Citrix Gateways truly need to be internet-facing, enforce authentication on sensitive paths, and keep a vigilant eye on login attempts from unexpected regions or residential ISPs.
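As an added example (written for this page, not code from the researchers, the article, or Citrix), the script below applies the four log-based indicators the article lists to a handful of constructed gateway access-log lines: a scanner user agent containing "blackbox-exporter", a burst of login page requests from one source, access to the EPA setup file, and a stale Chrome 50 fingerprint. The login page and EPA setup file paths are placeholders, because the article names the files but not their URLs; the five-minute window, the 20-request burst threshold and the "Chrome 70 or older" cut-off are assumptions an operator would tune.

```python
"""Added example: flag the Citrix Gateway reconnaissance indicators the article
describes, run over constructed access-log lines (no real gateway output)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Placeholder paths: substitute your gateway's real login page and EPA setup
# file URLs. The article names the files, not their locations.
LOGIN_PATHS = {"/LOGIN_PAGE_PLACEHOLDER"}
EPA_SETUP_PATHS = {"/EPA_SETUP_FILE_PLACEHOLDER"}

SUSPICIOUS_UA_MARKERS = ("blackbox-exporter", "blackbox_exporter")  # Prometheus scanner
OUTDATED_CHROME_RE = re.compile(r"Chrome/(\d+)\.")
OUTDATED_CHROME_MAX = 70              # assumption: this old is a stale fingerprint
BURST_WINDOW = timedelta(minutes=5)   # assumption
BURST_THRESHOLD = 20                  # assumption: login page hits per IP per window

# Combined-log-format style line (constructed layout for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def per_request_findings(rec):
    """Indicators visible from a single request: user agent and path checks."""
    findings = []
    ua = rec["ua"].lower()
    if any(marker in ua for marker in SUSPICIOUS_UA_MARKERS):
        findings.append("scanner-user-agent")
    m = OUTDATED_CHROME_RE.search(rec["ua"])
    if m and int(m.group(1)) <= OUTDATED_CHROME_MAX:
        findings.append(f"outdated-browser:chrome{m.group(1)}")
    if rec["path"] in EPA_SETUP_PATHS:
        findings.append("epa-setup-file-access")
    return findings


def detect(lines):
    """Return {source_ip: sorted list of findings}. Burst detection is a sliding
    window over each IP's login page timestamps, so it needs the whole batch."""
    findings = defaultdict(set)
    login_hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        for f in per_request_findings(rec):
            findings[rec["ip"]].add(f)
        if rec["path"] in LOGIN_PATHS:
            login_hits[rec["ip"]].append(rec["ts"])
    for ip, stamps in login_hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                findings[ip].add("login-page-burst")
                break
    return {ip: sorted(v) for ip, v in findings.items()}


# --- constructed sample data (documentation IP ranges, invented timestamps) ---
SAMPLE_START = datetime(2026, 2, 1, 2, 0, 0, tzinfo=timezone.utc)
CHROME50_UA = ("Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/50.0.2661.102 Safari/537.36")
MODERN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")
BLACKBOX_UA = "Prometheus blackbox-exporter"  # constructed stand-in for the scanner UA


def _line(ip, offset_s, path, ua, status=200):
    ts = (SAMPLE_START + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 1024 "-" "{ua}"'


def build_sample_log():
    lines = [_line("203.0.113.10", i * 6, "/LOGIN_PAGE_PLACEHOLDER", CHROME50_UA)
             for i in range(25)]  # 25 login hits in 2.5 minutes, stale fingerprint
    lines.append(_line("198.51.100.7", 30, "/LOGIN_PAGE_PLACEHOLDER", BLACKBOX_UA))
    lines.append(_line("198.51.100.7", 31, "/EPA_SETUP_FILE_PLACEHOLDER", BLACKBOX_UA))
    lines.append(_line("192.0.2.44", 60, "/LOGIN_PAGE_PLACEHOLDER", MODERN_UA))  # benign
    lines.append(_line("192.0.2.44", 90, "/some/other/path", MODERN_UA))
    lines.append("this line is deliberately malformed and must be ignored")
    return lines


if __name__ == "__main__":
    for ip, hits in detect(build_sample_log()).items():
        print(f"{ip}: {', '.join(hits)}")
```

Only the two scanning sources are reported; the benign user with a current browser and a single login page visit produces no finding. The per-request checks are cheap enough to run inline; the burst check is the one that needs buffering, and the window and threshold should be set from a baseline of your own gateway's normal login traffic.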
This sprawling recon campaign is a stark reminder: even the most seemingly routine network traffic may mask a coordinated hunt for your weaknesses. In the world of cyber threats, shadows move fast - and they’re always looking for an open door.
WIKICROOK
- Residential Proxy: A residential proxy uses a real home IP address to make online activity appear as if it comes from a genuine user, masking the true source.
- Citrix NetScaler Gateway: Citrix NetScaler Gateway lets remote users securely connect to company networks, using encryption and authentication to protect sensitive data.
- Enumeration: Enumeration is a technique where attackers collect details like usernames or network resources to identify vulnerabilities and plan unauthorized access.
- Zero-day: A zero-day vulnerability is a hidden security flaw unknown to the software maker, with no fix available, making it highly valuable and dangerous to attackers.
- User Agent: A User Agent is information your browser sends to websites, revealing browser and device details, which can impact security and privacy.