GREYNOISE tracked a dual-mode Citrix Gateway reconnaissance campaign between 28 January and 2 February 2026, using more than 63,000 residential proxies before switching to AWS to enumerate exposed versions. The activity targeted Citrix ADC and NetScaler Gateways, recording 111,834 sessions from just over 63,000 IPs, with 79% of traffic directed at Citrix Gateway honeypots, suggesting deliberate infrastructure mapping rather than random crawling.
One Azure-based scanner handled a large portion of traffic, while the remainder originated from thousands of consumer devices worldwide, each with a unique browser fingerprint to help bypass geofencing and filters. The version checks ran over six hours from 10 AWS IPs using the same Chrome fingerprint, indicating fast, coordinated activity after target discovery.
According to GreyNoise, all campaigns shared common tooling and TCP characteristics, despite using Azure, residential, and AWS infrastructures, pointing to an integrated reconnaissance effort prior to potential exploitation.