Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge
Campaign
Summary
Hide ▲
Show ▼
A coordinated malicious scanning campaign against Palo Alto Networks GlobalProtect VPN login portals surged 40x in 24 hours, pushing activity to a 90-day high. GreyNoise observed 2.3 million sessions hitting the /global-protect/login.esp endpoint between 14 and 19 November 2025. The pattern was linked to prior related campaigns through TCP/JA4t fingerprints, ASN reuse, and aligned timing. The activity matters because repeated probes against exposed VPN logins can precede new flaw disclosure and broader targeting.
Related Happenings
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/Mitigation
H score35
First: 15.06.2026 09:17
Last: 15.06.2026 09:17
Sources 1
About this happening:
Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257
Advisory/MitigationAbout this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation Wave
H score47
First: 08.06.2026 17:17
Last: 08.06.2026 17:17
Sources 1
About this happening:
**CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point VPN CVE-2026-50751 targeted exploitation wave
Exploitation WaveAbout this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
Vulnerability
H score47
First: 08.06.2026 16:05
Last: 08.06.2026 16:05
Sources 1
About this happening:
**Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)
VulnerabilityAbout this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
Trend
H score30
First: 02.04.2026 18:21
Last: 02.04.2026 18:21
Sources 1
About this happening:
Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Residential proxy traffic evades IP reputation feeds across malicious edge sessions
TrendAbout this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...
Red Menshen telecom espionage campaign
Campaign
H score33
First: 26.03.2026 19:40
Last: 26.03.2026 19:40
Sources 1
About this happening:
A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Red Menshen telecom espionage campaign
CampaignAbout this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...
Timeline
-
20.11.2025 19:08 1 articles · 7mo ago
GlobalProtect scanning surge begins
Campaign Scope UpdateGreyNoise observed malicious scanning against Palo Alto Networks GlobalProtect VPN login portals beginning on 14 November 2025, with activity rapidly intensifying and reaching a 40x surge within 24 hours against the */global-protect/login.esp* endpoint.
Show sources
- GlobalProtect VPN portals probed with 2.3 million scan sessions — www.bleepingcomputer.com — 20.11.2025 19:08
-
20.11.2025 19:08 2 articles · 7mo ago
GreyNoise links GlobalProtect probes to prior campaigns
Initial DisclosureGreyNoise disclosed a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals on 20 November 2025, saying the pattern was linked to prior related campaigns through recurring TCP/JA4t fingerprints, reuse of AS200373 and AS208885, and aligned timing of activity spikes, while also noting 2.3 million sessions to */global-protect/login.esp* between 14 and 19 November 2025 and a new 90-day high.
Show sources
- GlobalProtect VPN portals probed with 2.3 million scan sessions — www.bleepingcomputer.com — 20.11.2025 19:08
- GlobalProtect VPN portals probed with 2.3 million scan sessions — www.bleepingcomputer.com — 20.11.2025 19:08