
Citrix NetScaler Reconnaissance Campaign Leveraging Residential Proxies

An analysis of a coordinated campaign that used tens of thousands of residential proxies and a single Azure IP to probe Citrix NetScaler login panels and EPA setup files, with detection guidance from GreyNoise and mitigation steps.
3 February 2026 by TechStora Editorial Board

Overview

A coordinated reconnaissance effort targeting Citrix NetScaler (now Citrix ADC) was observed over the past week. The campaign employed tens of thousands of residential proxies to locate login panels and a single Azure IP address for additional probing.

Attack Methodology

The attackers used the following tactics:

  • ~64% of traffic originated from residential proxies, mimicking legitimate consumer ISP addresses and evading reputation‑based filters.
  • The remaining ~36% came from a single Azure IP address, likely used for controlled testing.
  • Requests included a Chrome 50 user‑agent string, a browser version released in early 2016, indicating possible attempts to match older client fingerprints.
  • Specific targeting of the /EPA/ setup file path suggests interest in version‑specific exploit development or vulnerability validation against known Citrix ADC weaknesses.

Indicators of Compromise (IOCs)

Key IOCs identified by GreyNoise include:

  • Residential proxy IP ranges observed contacting Citrix NetScaler login endpoints.
  • Azure IP address xxx.xxx.xxx.xxx (replace with actual observed IP) making repeated EPA file requests.
  • Chrome 50 user‑agent string in HTTP headers.

Detection & Mitigation Guidance

GreyNoise highlights several detection opportunities:

  • Monitor for high‑volume requests from residential proxy IP blocks to Citrix ADC management URLs.
  • Alert on access attempts to the /EPA/ setup file path.
  • Flag traffic using outdated user‑agent strings (e.g., Chrome 50).
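The three detection opportunities above, as an added example that is not code from GreyNoise or from this page: a small Python detector run over constructed combined-format access-log lines. The login-panel URL prefixes, the proxy block 203.0.113.0/24, the volume threshold and the /EPA/setup.exe file name are assumptions standing in for a real threat-intel feed and the real setup path.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined-log-format parser; only source IP, request path and user agent are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Indicators from the advisory: the /EPA/ setup path and a Chrome 50 user agent.
EPA_PATH_RE = re.compile(r"^/epa/", re.IGNORECASE)
CHROME50_RE = re.compile(r"Chrome/50\.")
# Assumptions (not from the page): login-panel prefixes, one hypothetical proxy block, threshold.
LOGIN_PREFIXES = ("/vpn/", "/logon/")
PROXY_BLOCKS = [ip_network("203.0.113.0/24")]
VOLUME_THRESHOLD = 3

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def proxy_block(ip):
    # Known residential-proxy network containing ip, or None.
    return next((net for net in PROXY_BLOCKS if ip_address(ip) in net), None)

def detect(lines):
    # Returns (rule, source, detail) alerts for the three detection opportunities.
    alerts, login_hits = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the whole batch
        ip, path, ua = rec["ip"], rec["path"], rec["ua"]
        if EPA_PATH_RE.match(path):
            alerts.append(("epa_setup_path", ip, path))
        if CHROME50_RE.search(ua):
            alerts.append(("outdated_ua_chrome50", ip, ua))
        net = proxy_block(ip)
        if net is not None and path.startswith(LOGIN_PREFIXES):
            login_hits[net] += 1  # count per block: proxies rotate individual addresses
    for net, n in login_hits.items():
        if n >= VOLUME_THRESHOLD:
            alerts.append(("proxy_block_login_volume", str(net), f"{n} login-panel requests"))
    return alerts

# Constructed sample traffic (documentation IP ranges; /EPA/setup.exe is a placeholder path).
UA_CHROME50 = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"
UA_CURRENT = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
_log = lambda ip, path, status, ua: f'{ip} - - [03/Feb/2026:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'
SAMPLE_LOGS = [
    _log("203.0.113.10", "/vpn/index.html", 200, UA_CHROME50),
    _log("203.0.113.25", "/vpn/index.html", 200, UA_CHROME50),
    _log("203.0.113.77", "/vpn/index.html", 200, UA_CHROME50),
    _log("198.51.100.7", "/EPA/setup.exe", 404, UA_CHROME50),
    _log("192.0.2.5", "/vpn/index.html", 200, UA_CURRENT),
]
```

In production the proxy blocks would come from a feed such as GreyNoise and the threshold from a baseline of normal login-panel traffic, since a single residential address rarely crosses any sensible per-IP limit.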

Additional resources:

  • Use Tines to automate response workflows, reducing manual delays and improving reliability.
  • Implement Token Security solutions to redefine permissions for agentic AI and protect against credential misuse.

Recommendations for Organizations

To protect against similar campaigns, organizations should:

  • Enforce strict access controls and multi‑factor authentication on Citrix ADC management interfaces.
  • Deploy threat intelligence feeds (e.g., GreyNoise) to block known residential proxy ranges.
  • Regularly audit and patch Citrix ADC installations, focusing on EPA‑related components.
  • Monitor for single‑source Azure IP activity that deviates from normal usage patterns.
  • Educate users about the risk of a single employee download exposing the entire company, and monitor stealer log exposures.