Find notable cyber news and cases, enriched with sources, timelines, and signals.

Unattributed coordinated scanners linked across related activity clusters campaign shows victim surge

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

A coordinated malicious scanning campaign against Palo Alto Networks GlobalProtect VPN login portals surged 40x in 24 hours, pushing activity to a 90-day high. GreyNoise observed 2.3 million sessions hitting the /global-protect/login.esp endpoint between 14 and 19 November 2025. The pattern was linked to prior related campaigns through TCP/JA4t fingerprints, ASN reuse, and aligned timing. The activity matters because repeated probes against exposed VPN logins can precede new flaw disclosure and broader targeting.

Related Happenings

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

Check Point VPN CVE-2026-50751 targeted exploitation wave

Exploitation Wave
H score47 First: 08.06.2026 17:17 Last: 08.06.2026 17:17 Sources 1

About this happening: **CVE-2026-50751** is an **active exploitation wave** against **Check Point Remote Access VPN** and **Mobile Access** deployments that use **deprecated IKEv1**. The flaw is an **a...

Check Point Remote Access VPN and Mobile Access authentication bypass (CVE-2026-50751)

Vulnerability
H score47 First: 08.06.2026 16:05 Last: 08.06.2026 16:05 Sources 1

About this happening: **Check Point** warned that **CVE-2026-50751** is a **critical authentication bypass** in **Remote Access VPN** and **Mobile Access** deployments using **deprecated IKEv1**, letti...

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Trend
H score30 First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Red Menshen telecom espionage campaign

Campaign
H score33 First: 26.03.2026 19:40 Last: 26.03.2026 19:40 Sources 1

About this happening: A **China-nexus** **Red Menshen** operation has sustained **covert access** in **telecom networks** across the **Middle East and Asia**, increasing the risk of **government espion...

Timeline

  1. 20.11.2025 19:08 1 articles · 7mo ago

    GlobalProtect scanning surge begins

    Campaign Scope Update

    GreyNoise observed malicious scanning against Palo Alto Networks GlobalProtect VPN login portals beginning on 14 November 2025, with activity rapidly intensifying and reaching a 40x surge within 24 hours against the */global-protect/login.esp* endpoint.

    Show sources
  2. 20.11.2025 19:08 2 articles · 7mo ago

    GreyNoise links GlobalProtect probes to prior campaigns

    Initial Disclosure

    GreyNoise disclosed a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals on 20 November 2025, saying the pattern was linked to prior related campaigns through recurring TCP/JA4t fingerprints, reuse of AS200373 and AS208885, and aligned timing of activity spikes, while also noting 2.3 million sessions to */global-protect/login.esp* between 14 and 19 November 2025 and a new 90-day high.

    Show sources