Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting

Analysis of a coordinated Citrix Gateway reconnaissance campaign using 63,000+ residential proxies and AWS infrastructure to map login panels and enumerate versions across 111,834 sessions. Includes detection signatures and defensive recommendations.
Citrix
residential proxy
reconnaissance
iocs
detection engineering
cybersecurity
Author

hrbrmstr & 🔮Orbie✨

Published

February 2, 2026

Between January 28 and February 2, 2026, the GreyNoise Global Observation Grid tracked a coordinated reconnaissance campaign against Citrix ADC Gateway and NetScaler Gateway infrastructure. The campaign ran two distinct modes: a massive distributed login panel discovery operation using residential proxy rotation, and a concentrated AWS-hosted version disclosure sprint.

The numbers tell the story: 111,834 sessions, 63,000+ unique source IPs, and a 79% targeting rate against Citrix Gateway honeypots specifically. That last number matters—it’s well above baseline scanning noise, indicating deliberate infrastructure mapping rather than opportunistic crawling.

Two Campaigns, One Target

Mode                   Sessions   Source IPs   Infrastructure                 Target
Login Panel Discovery   109,942       63,189   Azure + residential proxies    /logon/LogonPoint/index.html
Version Disclosure        1,892           10   AWS us-west-1 / us-west-2      /epa/scripts/win/nsepa_setup.exe

Both campaigns fully activated just before February 1st and almost exclusively targeted Citrix infrastructure. Their objectives are complementary (one finds login panels, the other enumerates versions), which points to coordinated reconnaissance rather than two unrelated scanners that happened to overlap.

The Residential Proxy Problem

A single Microsoft Azure Canada IP generated 39,461 sessions (36% of all login panel traffic) using the Prometheus blackbox-exporter user agent. While user agents can be and are regularly spoofed, they are also both easy to spot and easy to block.

But the remaining traffic came from residential ISPs across Vietnam, Argentina, Mexico, Algeria, Iraq, and a dozen other countries, with one session per IP. This is classic residential proxy rotation: the operator cycles both source addresses and user-agent strings, so each IP appears exactly once and presents its own browser fingerprint. These addresses bypass geographic blocking and reputation filtering because they are legitimate consumer ISP addresses, and organizations are reluctant to block ranges that contain potential customers.

The 6-Hour Version Sprint

The Version Disclosure component is more concerning from a “what comes next” perspective. On February 1st, 10 AWS IPs fired off 1,892 requests targeting the Citrix Endpoint Analysis setup file in a concentrated 6-hour window:

  • 00:00 UTC: 192 sessions (start)
  • 02:00 UTC: 362 sessions (peak)
  • 05:00 UTC: 283 sessions (end)

All 10 sources used an identical Chrome 50 user agent (circa 2016) and shared uniform HTTP fingerprint characteristics. The rapid onset and completion suggests a targeted scanning sprint that may have been triggered by discovery of vulnerable EPA configurations or intelligence about deployment windows.

What TCP Fingerprints Reveal

Without getting into raw signatures, the TCP-layer analysis exposes infrastructure separation:

Azure Scanner: The dominant Azure source shows VPN/tunnel nested encapsulation with a reduced MSS (62 bytes below standard). The operator routes scanning traffic through an additional network layer, which demonstrates a focus on operational security, or at least operational awareness.

Residential Proxies: The distributed residential traffic shows Windows TCP stack characteristics (maximum 16-bit window size) routing through Linux-based proxy infrastructure; Windows client => Linux proxies.

AWS Version Scanners: The version disclosure sources advertise jumbo-frame MSS values, 45x larger than standard Ethernet allows. Values like that come from hosts whose interfaces carry 9,000+ byte MTUs, which in practice means datacenter switching infrastructure; consumer networks derive their MSS from a 1,500-byte MTU and do not produce them, so this is consistent only with datacenter hosting. One caveat for anyone reusing this as a rule: the MSS in a SYN is self-reported by the sending stack, so treat it as a strong infrastructure indicator rather than physical proof.

Despite different infrastructure types, all fingerprints share identical TCP option ordering, which is an indicator of common tooling or framework underneath the operational compartmentalization.
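To make the fingerprint features above concrete, here is an added example (not GreyNoise's tooling and not the page's own signatures, which the post deliberately does not publish) that parses the options of a raw TCP SYN, records option ordering, MSS and window size, and classifies them along the lines described. The three SYNs are constructed in the code; their MSS and window values are illustrative assumptions (the Azure sample uses 1460 minus 62, the AWS sample the 8961-byte MSS a 9001-byte MTU yields, the residential sample a 65535 window), not the campaign's observed values.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERNET_MSS = 1460  # 1500-byte MTU minus 20 bytes IPv4 and 20 bytes TCP header
OPT_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}


@dataclass
class SynFingerprint:
    window: int
    mss: Optional[int]
    option_order: tuple


def parse_tcp_syn(segment: bytes) -> SynFingerprint:
    """Parse a raw TCP header (IP header already stripped) into passive-fingerprint fields."""
    _sport, _dport, _seq, _ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not (flags & 0x02) or (flags & 0x10):
        raise ValueError("not a client SYN (SYN set, ACK clear)")
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = segment[20:data_offset]
    order, mss, i = [], None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # end-of-options list
            order.append("EOL")
            break
        if kind == 1:                 # single-byte NOP; its placement is itself a fingerprint feature
            order.append("NOP")
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        order.append(OPT_NAMES.get(kind, f"K{kind}"))
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return SynFingerprint(window, mss, tuple(order))


def classify(fp: SynFingerprint) -> list:
    """Turn the raw fields into infrastructure notes of the kind discussed above."""
    notes = []
    if fp.mss is None:
        notes.append("no MSS option")
    elif fp.mss > ETHERNET_MSS:
        notes.append("jumbo MSS: sender advertises a datacenter-class MTU")
    elif fp.mss < ETHERNET_MSS:
        notes.append(f"MSS {ETHERNET_MSS - fp.mss} bytes below Ethernet: tunnel/encapsulation overhead likely")
    if fp.window == 0xFFFF:
        notes.append("window 65535: 16-bit maximum typical of Windows stacks")
    return notes


def shared_option_order(fps) -> bool:
    """True when every SYN carries the same option sequence (a common-tooling indicator)."""
    return len({fp.option_order for fp in fps}) == 1


# --- constructed SYNs for demonstration; values are assumptions, not observed signatures ---
def build_syn(window: int, options: bytes, sport: int = 40000, dport: int = 443) -> bytes:
    padded = options + b"\x00" * (-len(options) % 4)   # options are padded to a 4-byte boundary
    data_offset = (20 + len(padded)) // 4
    off_flags = (data_offset << 12) | 0x002             # SYN flag only
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, off_flags, window, 0, 0) + padded


def mss_opt(v): return struct.pack("!BBH", 2, 4, v)
def ws_opt(s): return struct.pack("!BBB", 3, 3, s)
def ts_opt(val, ecr=0): return struct.pack("!BBII", 8, 10, val, ecr)
NOP, SACKOK = b"\x01", b"\x04\x02"


def linux_style_options(mss: int) -> bytes:
    # MSS, SACKOK, TS, NOP, WS is the usual Linux SYN layout; all three samples share it
    return mss_opt(mss) + SACKOK + ts_opt(1234) + NOP + ws_opt(7)


SAMPLE_SYNS = {
    "azure_tunnel": build_syn(29200, linux_style_options(ETHERNET_MSS - 62)),  # 62-byte encapsulation cut
    "residential": build_syn(0xFFFF, linux_style_options(ETHERNET_MSS)),       # Windows-style max window
    "aws_jumbo": build_syn(62727, linux_style_options(8961)),                   # 9001-byte MTU minus 40
}


def fingerprint_all(samples=SAMPLE_SYNS) -> dict:
    return {name: parse_tcp_syn(seg) for name, seg in samples.items()}


if __name__ == "__main__":
    fps = fingerprint_all()
    for name, fp in fps.items():
        print(f"{name:13} mss={fp.mss} win={fp.window} order={'/'.join(fp.option_order)} {classify(fp)}")
    print("identical option ordering across all sources:", shared_option_order(fps.values()))
```

The point of separating option ordering from the MSS and window values is the one the post makes: the values tell you where a host sits (tunnel, consumer Windows box, jumbo-frame datacenter), while the ordering tells you whether the same stack or tool produced all of them.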

Pre-Attack Indicators

This reconnaissance activity likely represents infrastructure mapping before exploitation. The specific targeting of the EPA setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses: the installer is normally served before any authentication and its metadata changes with the NetScaler build, so fetching it reveals the deployed version without ever touching the login flow.

Detection opportunities:

  • Monitor for blackbox-exporter user agent from non-authorized sources
  • Alert on external access to /epa/scripts/win/nsepa_setup.exe
  • Flag rapid /logon/LogonPoint/ enumeration patterns
  • Watch for HEAD requests to Citrix Gateway endpoints
  • Track outdated browser fingerprints (Chrome 50 from 2016)
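The detection opportunities above, and the one-session-per-IP rotation pattern from the residential proxy section, as an added example in Python that runs the rules over web server access log lines. This is not GreyNoise's detection code; the sample log is constructed (TEST-NET addresses), the allow-listed prober address, the Chrome major-version threshold and the exact "Blackbox Exporter" user-agent string are assumptions, and the Citrix paths are the ones named in the post.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
EPA_SETUP = "/epa/scripts/win/nsepa_setup.exe"
LOGON_PREFIX = "/logon/LogonPoint/"
OUTDATED_CHROME_MAJOR = 60          # assumption: anything older than Chrome 60 is a stale scanner UA
ALLOWED_PROBERS = {"10.0.0.5"}      # hypothetical internal host permitted to run blackbox-exporter


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def per_request_alerts(rec: dict) -> list:
    """Stateless rules: a single request is enough to fire these."""
    alerts, ua, path = [], rec["ua"], rec["path"]
    # matches both "Blackbox Exporter/x.y" and a "blackbox-exporter" spelling (assumed UA forms)
    if "blackbox exporter" in ua.lower().replace("-", " ") and rec["ip"] not in ALLOWED_PROBERS:
        alerts.append("blackbox_exporter_ua")
    if path.startswith(EPA_SETUP):
        alerts.append("epa_setup_fetch")
    m = re.search(r"Chrome/(\d+)\.", ua)
    if m and int(m.group(1)) < OUTDATED_CHROME_MAJOR:
        alerts.append("outdated_chrome_ua")
    if rec["method"] == "HEAD" and (path.startswith(LOGON_PREFIX) or path.startswith("/epa/")):
        alerts.append("head_probe")
    return alerts


def logon_rotation_buckets(records, bucket_seconds=300, min_ips=20) -> dict:
    """Stateful rule: many distinct IPs each hitting the logon panel exactly once inside one
    time bucket is the one-session-per-IP shape of residential proxy rotation."""
    logon = [r for r in records if r["path"].startswith(LOGON_PREFIX)]
    hits_per_ip = Counter(r["ip"] for r in logon)
    buckets = defaultdict(set)
    for r in logon:
        if hits_per_ip[r["ip"]] == 1:
            buckets[int(r["ts"].timestamp() // bucket_seconds)].add(r["ip"])
    return {b: len(ips) for b, ips in buckets.items() if len(ips) >= min_ips}


def analyze(lines) -> dict:
    records = [r for r in map(parse_line, lines) if r]
    alerts = Counter(kind for r in records for kind in per_request_alerts(r))
    return {"alerts": dict(alerts), "rotation_buckets": logon_rotation_buckets(records)}


# Constructed sample log (TEST-NET addresses), not data from the campaign.
SAMPLE_LOG = [
    f'203.0.113.{n} - - [01/Feb/2026:02:00:{n:02d} +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" '
    f'200 5120 "-" "Mozilla/5.0 (rotating client {n})"'
    for n in range(1, 26)
] + [
    '198.51.100.7 - - [01/Feb/2026:01:59:10 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Blackbox Exporter/0.25.0"',
    '10.0.0.5 - - [01/Feb/2026:02:01:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Blackbox Exporter/0.25.0"',
    '198.51.100.20 - - [01/Feb/2026:02:03:15 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 1048576 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"',
    '198.51.100.21 - - [01/Feb/2026:02:00:30 +0000] "HEAD /logon/LogonPoint/index.html HTTP/1.1" 200 0 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The rotation rule is the one worth tuning: on a busy gateway, legitimate users also produce single hits from many addresses, so raise min_ips or key the bucket on distinct ASNs rather than raw IPs before turning it into a paging alert.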

Defensive recommendations:

  • Review external Citrix Gateway exposure; validate business need for internet-facing deployments
  • Restrict access to the /epa/scripts/ directory (for example, to the source ranges that legitimately need EPA); note that the EPA plugin is normally downloaded before the user authenticates, so simply requiring authentication there can break pre-logon endpoint analysis and should be tested first
  • Configure Citrix Gateways to suppress version disclosure in HTTP responses
  • Flag access anomalies from residential ISPs in unexpected regions

IOCs

Primary IPs (Version Disclosure - AWS):

  • 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56
  • 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162

Primary IP (Login Panel - Azure):

  • 52.139.3.76

GreyNoise Tags:


Organizations running internet-facing Citrix infrastructure should treat this activity as a pre-attack signal. The 79% targeting rate isn’t mere “noise”. Someone is almost certainly building a target list.