Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First reported
Last updated
Happening score
H score 49
1 unique source, 1 article

Summary

A coordinated malicious scanning campaign against Palo Alto Networks GlobalProtect VPN login portals surged 40x in 24 hours, pushing activity to a 90-day high. GreyNoise observed 2.3 million sessions hitting the /global-protect/login.esp endpoint between 14 and 19 November 2025. The pattern was linked to prior related campaigns through TCP/JA4t fingerprints, ASN reuse, and aligned timing. The activity matters because repeated probes against exposed VPN logins can precede new flaw disclosure and broader targeting.

Related Happenings

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Target Trend
First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Red Menshen telecom espionage campaign

Campaign
First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...

Cisco SSL VPN and GlobalProtect credential-probing campaign

Campaign
First: 18.12.2025 06:10 Last: 18.12.2025 06:10 Sources 1

About this happening: A **coordinated credential-based campaign** is now probing **Cisco SSL VPN** and **Palo Alto Networks GlobalProtect** portals at scale, raising the risk of unauthorized access att...

Palo Alto GlobalProtect login-attempt and SonicWall SonicOS scanning campaign

Campaign
First: 06.12.2025 17:18 Last: 06.12.2025 17:18 Sources 1

About this happening: A **credential-based campaign** is hitting **Palo Alto GlobalProtect portals** and **SonicWall SonicOS API endpoints**, creating broad reconnaissance risk across remote-access and...

Multi-country botnet RDP reconnaissance campaign targeting U.S. services

Campaign
First: 13.10.2025 21:05 Last: 13.10.2025 21:05 Sources 1

About this happening: A **multi-country botnet** launched a **large-scale RDP reconnaissance campaign** against **U.S. services**, using **timing attacks** and **login enumeration** to infer valid acco...

Timeline

  1. 20.11.2025 19:08 1 article · 6mo ago

    GlobalProtect scanning surge begins

    Campaign Scope Update

    GreyNoise observed malicious scanning against Palo Alto Networks GlobalProtect VPN login portals beginning on 14 November 2025, with activity rapidly intensifying and reaching a 40x surge within 24 hours against the */global-protect/login.esp* endpoint.

  2. 20.11.2025 19:08 2 articles · 6mo ago

    GreyNoise links GlobalProtect probes to prior campaigns

    Initial Disclosure

    GreyNoise disclosed a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals on 20 November 2025, saying the pattern was linked to prior related campaigns through recurring TCP/JA4t fingerprints, reuse of AS200373 and AS208885, and aligned timing of activity spikes, while also noting 2.3 million sessions to */global-protect/login.esp* between 14 and 19 November 2025 and a new 90-day high.
