
Citrix NetScaler reconnaissance scanning and version-enumeration campaign

Campaign
Happening score: 45
1 unique source, 1 article

Summary


A Citrix NetScaler reconnaissance campaign used residential proxies and 63,189 distinct IPs between January 28 and February 2 to map exposed login panels and EPA artifacts at scale. The activity generated 111,834 sessions and focused heavily on internet-facing Citrix Gateway endpoints, indicating organized pre-exploitation discovery. The pattern matters because it suggests interest in version-specific exploit development or vulnerability validation against Citrix ADC environments.

Related Happenings

Residential proxy traffic evades IP reputation feeds across malicious edge sessions

Target Trend
First: 02.04.2026 18:21 Last: 02.04.2026 18:21 Sources 1

About this happening: Residential proxy traffic is increasingly evading **IP reputation feeds**, weakening source-based visibility into malicious edge activity. In a **4 billion-session** measurement,...

Cloud Software Group NetScaler urgent remediation advisory

Advisory/Mitigation
First: 25.03.2026 17:52 Last: 25.03.2026 17:52 Sources 1

About this happening: **Cloud Software Group** issued urgent remediation guidance for **NetScaler ADC** and **NetScaler Gateway**, telling affected customers to install updated versions as soon as poss...

Ivanti EPMM exploitation wave (CVE-2026-1281)

Exploitation Wave
First: 12.02.2026 09:32 Last: 12.02.2026 09:32 Sources 1

About this happening: **Ivanti Endpoint Manager Mobile (EPMM)** is facing an **active exploitation wave** against **CVE-2026-1281** and **CVE-2026-1340**, creating immediate risk for internet-facing ma...

Stanley MaaS markets malicious Chrome-extension phishing service

Threat Actor Meta
First: 27.01.2026 01:46 Last: 27.01.2026 01:46 Sources 1

About this happening: **Stanley** is a **malware-as-a-service (MaaS)** platform for **malicious Chrome extensions** that helps operators deliver **phishing pages** through the browser while keeping the...

Cisco ISE and Citrix NetScaler ADC zero-day malware delivery campaign

Campaign
First: 12.11.2025 16:00 Last: 12.11.2025 16:00 Sources 1

About this happening: A **zero-day exploitation campaign** against **Cisco ISE** and **Citrix NetScaler ADC** is delivering **custom malware** into enterprise identity and network access control infras...

Timeline

  1. 03.02.2026 22:25 1 article · 3mo ago

    February 1 Citrix EPA setup-file probing

    Technical Analysis Update

    A six-hour scanning sprint on February 1 used 10 IPs to launch 1,892 sessions against /epa/scripts/win/nsepa_setup.exe on Citrix NetScaler infrastructure. The requests used EPA artifacts and a Chrome 50 user agent to enumerate Citrix versions, suggesting interest in version-specific exploit development or vulnerability validation against Citrix ADC weaknesses.

  2. 03.02.2026 22:25 2 articles · 3mo ago

    GreyNoise reports Citrix NetScaler reconnaissance campaign

    Initial Disclosure

    On February 3, GreyNoise described a coordinated reconnaissance campaign against Citrix NetScaler that ran from January 28 to February 2. It drew more than 63,000 distinct IPs and 111,834 sessions and used residential proxies to probe Citrix Gateway login panels and enumerate product versions, with 79% of the traffic aimed at Citrix Gateway honeypots.
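
A defender-side check for the probing pattern in the timeline above, added here as an example (not GreyNoise's or this site's code): it groups requests for the EPA setup file by user agent and counts distinct source IPs, because the wider campaign averaged fewer than two sessions per IP and a per-IP rate threshold would miss it. The combined access-log format, the thresholds `max_chrome_major` and `min_ips`, and the sample lines are assumptions.

```python
import re
from collections import defaultdict

EPA_PATH = "/epa/scripts/win/nsepa_setup.exe"  # path named in the timeline entry
# Assumed input: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
OLD_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
          "Chrome/50.0.2661.102 Safari/537.36")
NEW_UA = OLD_UA.replace("Chrome/50.0.2661.102", "Chrome/144.0.0.0")

def _line(ip, path, ua):
    return f'{ip} - - [01/Feb/2026:03:10:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

# Constructed sample (documentation IP ranges), not captured traffic.
SAMPLE = [
    _line("198.51.100.7", EPA_PATH, OLD_UA),
    _line("203.0.113.9", EPA_PATH, OLD_UA),
    _line("203.0.113.21", EPA_PATH, OLD_UA),
    _line("203.0.113.21", EPA_PATH + "?v=1", OLD_UA),  # same IP again, query string
    _line("192.0.2.44", EPA_PATH, NEW_UA),             # current browser: ignored
    _line("192.0.2.45", "/index.html", OLD_UA),        # other path: ignored
]

def epa_probe_clusters(lines, max_chrome_major=60, min_ips=3):
    """Return {user_agent: {"ips": [...], "requests": n}} for EPA setup-file
    requests sent with an outdated Chrome UA from at least min_ips sources."""
    clusters = defaultdict(lambda: {"ips": set(), "requests": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"].split("?", 1)[0].lower() != EPA_PATH:
            continue
        chrome = CHROME_RE.search(m["ua"])
        # Real EPA clients also fetch this file, so keep only stale browser UAs.
        if not chrome or int(chrome.group(1)) > max_chrome_major:
            continue
        clusters[m["ua"]]["ips"].add(m["ip"])
        clusters[m["ua"]]["requests"] += 1
    return {ua: {"ips": sorted(c["ips"]), "requests": c["requests"]}
            for ua, c in clusters.items() if len(c["ips"]) >= min_ips}

if __name__ == "__main__":
    for ua, hit in epa_probe_clusters(SAMPLE).items():
        print(f'{hit["requests"]} requests from {len(hit["ips"])} IPs, UA: {ua}')
```
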
