Netcrook


Invisible Eyes on the Gateway: How Hackers Are Mapping Citrix NetScaler for Future Attacks

Published: 04 February 2026 13:41
Category: Vulnerabilities & Patch Management
Author: LOGICFALCON

Subtitle: A global cyber reconnaissance campaign is targeting Citrix login panels and software versions, laying the groundwork for potential large-scale exploits.

In the early hours of February 2026, a silent digital storm swept across the world's networks. Citrix NetScaler administrators, the guardians of critical business infrastructure, woke to find their systems had been swept up in a vast, coordinated scan. The attackers weren't after passwords or data, at least not yet. Instead, they were mapping the landscape, quietly noting which doors might be left unlocked for a future break-in.

Security researchers at GreyNoise sounded the alarm after detecting an extraordinary surge in traffic aimed at NetScaler ADC and NetScaler Gateway (formerly Citrix ADC and Citrix Gateway) infrastructure. Unlike routine internet "noise", this was a calculated campaign in two distinct phases. The first, dubbed Login Panel Discovery, saw attackers open nearly 110,000 sessions against the NetScaler login page, each one checking whether an authentication panel was exposed. The motive? To build a global inventory of reachable targets and to fingerprint which software versions were in play.

What makes this campaign especially insidious is its use of residential proxies: everyday home computers and devices, spread across Vietnam, Argentina, Mexico, Algeria, and Iraq, that relay traffic on the attackers' behalf. By routing scans through these proxies, the attackers camouflaged them as ordinary consumer internet activity, sidestepping IP reputation filters and geoblocks that key on data-centre and known-scanner ranges. Meanwhile, a single Microsoft Azure IP in Canada shouldered over a third of the login panel probes, its requests labelled with the "Prometheus blackbox-exporter" user agent, a string normally sent by a legitimate uptime-monitoring tool.

The reconnaissance didn't stop there. On February 1, a second, more surgical phase kicked off: Version Disclosure. Ten disposable AWS cloud instances, each presenting a user-agent string that claimed an obsolete Chrome 50 browser, sent nearly 2,000 targeted requests to probe Citrix's Endpoint Analysis (EPA) component, whose responses can reveal the appliance's software version. This phase lasted just six hours, peaking in the dead of night, timed, perhaps, to evade notice.

Investigators believe these scans are more than idle curiosity. By cataloguing login panels and endpoint versions, attackers are laying the technical groundwork for future exploits, particularly in light of the 2025 NetScaler vulnerabilities "CitrixBleed 2" (CVE-2025-5777, a memory over-read that leaks session tokens from unpatched appliances) and the August 2025 remote code execution flaw CVE-2025-7775. A version inventory lets an attacker pick the exploit that fits each gateway without the noise of trial-and-error attempts. The implication is chilling: somewhere, threat actors are preparing customised attacks, tailored to the specific weaknesses they've just mapped.

For defenders, the message is clear. Monitor for suspicious user agents, especially "blackbox-exporter" arriving from anything other than your own monitoring hosts. Watch for outdated browser strings such as Chrome 50 and for unusual volumes of login panel requests from a single source. Most importantly, restrict internet exposure of NetScaler systems, tighten authentication on the login and EPA endpoints, and confirm the appliance is on a firmware build that fixes CVE-2025-5777 and CVE-2025-7775; a reconnaissance sweep only pays off against gateways that are still exposed and unpatched. The reconnaissance phase may be silent, but it is the first drumbeat of a larger attack to come.
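The detection advice above, as an added example that is not part of the original article and not GreyNoise's or Citrix's own tooling: a small Python script that runs the three checks (monitoring user agent on the login page from a non-monitoring source, obsolete Chrome 50 user agent on EPA, high-volume login panel requests from one source) over web access logs. It assumes NCSA combined log lines, assumes the gateway login page lives under /vpn/index.html or /logon/LogonPoint/ and the EPA component under /epa/ (the article names neither path), matches the user agent on the substring "blackbox-exporter" rather than an exact string, and uses an illustrative threshold of 20 login panel requests per source. The sample log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# NCSA combined log format is assumed; NetScaler itself can export Web Log or
# syslog, so adapt the regex to whatever your front end actually writes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed paths: the article names the login page and the EPA component but
# gives no URLs. Replace with the paths your deployment serves.
LOGIN_PREFIXES = ("/vpn/index.html", "/logon/LogonPoint/")
EPA_PREFIXES = ("/epa/",)

# Hosts that legitimately run blackbox-exporter against this gateway (assumed).
MONITORING_ALLOWLIST = {"10.0.5.20"}

LOGIN_ENUM_THRESHOLD = 20  # illustrative; tune against your own baseline


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_login_panel(path):
    return any(path.startswith(p) for p in LOGIN_PREFIXES)


def is_epa(path):
    return any(path.startswith(p) for p in EPA_PREFIXES)


def analyze(lines):
    """Map source IP -> sorted list of reasons, for sources that match the
    reconnaissance patterns described in the article."""
    login_hits = Counter()
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than crash the pipeline
        ip, path, ua = rec["ip"], rec["path"], rec["ua"].lower()
        if is_login_panel(path):
            login_hits[ip] += 1
            # blackbox-exporter on a VPN login page is only normal from our own monitor
            if "blackbox-exporter" in ua and ip not in MONITORING_ALLOWLIST:
                reasons[ip].add("blackbox-exporter UA on login panel from non-monitoring source")
        # a decade-old Chrome build hitting EPA is a scanner, not a user
        if is_epa(path) and re.search(r"chrome/50\.", ua):
            reasons[ip].add("Chrome 50 UA probing EPA component")
    for ip, n in login_hits.items():
        if n >= LOGIN_ENUM_THRESHOLD:
            reasons[ip].add(f"{n} login panel requests (possible enumeration)")
    return {ip: sorted(r) for ip, r in reasons.items()}


def _line(ip, path, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [01/Feb/2026:03:14:07 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


# Constructed sample log: one scanner enumerating the login panel behind a
# monitoring user agent, one legacy-Chrome probe of EPA, our own monitor, a
# real user on a current browser, and one line of junk.
BLACKBOX_UA = "Prometheus blackbox-exporter"
CHROME50_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
               "Chrome/50.0.2661.102 Safari/537.36")
CHROME_CURRENT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

SAMPLE_LOG = (
    [_line("203.0.113.10", "/vpn/index.html", BLACKBOX_UA)] * 25
    + [_line("10.0.5.20", "/vpn/index.html", BLACKBOX_UA)] * 3
    + [_line("198.51.100.7", "/epa/epa.html", CHROME50_UA)] * 4
    + [_line("192.0.2.44", "/vpn/index.html", CHROME_CURRENT_UA)] * 2
    + ["this line is not a log record"]
)

if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Two caveats when running something like this for real. The per-IP threshold catches a single heavy source such as the Azure host described above, but the residential-proxy wave spreads its requests over thousands of addresses that individually stay below any sensible threshold; for that phase, aggregate on the user agent and the time window rather than on the source address. And keep the monitoring allowlist tight: the whole point of the "blackbox-exporter" disguise is that a loose rule would wave it through.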

As cyber adversaries grow bolder and more sophisticated, the quiet mapping of infrastructure is no longer background noise; it is the opening move in a high-stakes game. The time to act is now, before these invisible eyes on the gateway become hands at the controls.

WIKICROOK

  • Residential Proxy: A residential proxy uses a real home IP address to make online activity appear as if it comes from a genuine user, masking the true source.
  • Prometheus Blackbox Exporter: Prometheus Blackbox Exporter probes endpoints to monitor service health and uptime, but can be misused to mimic legitimate traffic for malicious purposes.
  • Browser Fingerprint: A browser fingerprint is a set of characteristics collected from a browser and device that websites use to identify and track users across sessions. In this campaign the "fingerprint" was simply the User-Agent string, which a scanner can set to any value it likes, such as an obsolete Chrome 50 build.
  • Endpoint Analysis (EPA): Endpoint Analysis (EPA) verifies if a client device meets security requirements before allowing access to Citrix resources, ensuring compliance and reducing risks.
  • Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.