GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals. Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.
GreyNoise has also identified strong connections between this spike and prior related campaigns. We assess with high confidence that these campaigns are at least partially driven by the same threat actor(s), supported by:
- Recurring fingerprint: consistent TCP/JA4t signatures across all activity.
- Shared infrastructure: recurring and highly concentrated use of the same ASNs.
- Temporal correlation: activity spikes aligning across campaigns.
GreyNoise now offers two solutions to block these IPs:
Defenders can use GreyNoise Block to immediately block malicious IPs associated with this activity. GreyNoise Block is a fast and easy solution that includes an out-of-box blocklist tracking malicious IPs targeting Palo Alto Networks systems. Search for ‘Palo Alto’ in the Template Search Box. You will need to add ‘classification:suspicious’ to block the IPs we are seeing associated with this scanning activity. You can also modify the template to specify source country, other IP classifications, etc. New users can get started with a 14-day free trial.
For GreyNoise customers who need a more targeted blocklist (specifying ASNs, JA4, destination country, etc), GreyNoise now supports full query-based blocklists leveraging the entirety of GreyNoise query parameters.
Surge in Palo Alto GlobalProtect Login Traffic
Since 11/14/2025, GreyNoise has observed 2.3 million sessions targeting the /global-protect/login.esp URI of Palo Alto PAN-OS and Palo Alto GlobalProtect.
Source Infrastructure
The campaign demonstrates a strong reliance on AS200373 (3xK Tech GmbH), expressed through two distinct geolocation clusters:
- 62% of all sessions originated from AS200373 geolocated to Germany, representing the majority and primary driver of the campaign.
- An additional 15% of traffic also originated from AS200373, but was geolocated to Canada, suggesting distributed hosting or exit infrastructure operating under the same ASN.
The remaining traffic was primarily sourced from AS208885 (Noyobzoda Faridduni Saidilhom), forming a secondary but consistent contributor.
Target Geography
- Target countries: United States, Mexico, and Pakistan, each receiving nearly equivalent volumes of login attempts.
JA4t Fingerprints
For hunting, two JA4t fingerprints encompass all related activity:
65495_2-4-8-1-3_65495_7
33280_2-4-8-1-3_65495_7
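One way to turn the indicators above into a hunt over your own perimeter logs, as an added example that is not GreyNoise code: it parses the JA4t strings into their fields (window size, TCP options, MSS, window scale), then flags sessions against /global-protect/login.esp that carry either of the two fingerprints or originate from AS200373 or AS208885. The key=value log format, the field names and the sample lines are assumptions constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass

# Indicators taken from the post.
HUNT_JA4T = {"65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7"}
CAMPAIGN_ASNS = {"AS200373", "AS208885"}
TARGET_URI = "/global-protect/login.esp"

@dataclass(frozen=True)
class JA4t:
    window: int          # TCP window size
    options: tuple       # TCP option kinds in order
    mss: int             # maximum segment size
    wscale: int          # window scale factor

def parse_ja4t(fp: str) -> JA4t:
    """Split a JA4t string (window_options_mss_wscale) into its fields."""
    window, options, mss, wscale = fp.split("_")
    opts = tuple(int(o) for o in options.split("-"))
    return JA4t(int(window), opts, int(mss), int(wscale))

def parse_line(line: str) -> dict:
    """Parse one constructed key=value log line (assumed format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def hunt(lines):
    """Return (hits, per-ASN hit counts) for login.esp sessions matching the indicators."""
    hits, by_asn = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec.get("uri") != TARGET_URI:
            continue
        fp_match = rec.get("ja4t") in HUNT_JA4T
        asn_match = rec.get("asn") in CAMPAIGN_ASNS
        if fp_match or asn_match:
            fp = parse_ja4t(rec["ja4t"])
            hits.append({"src": rec["src"], "asn": rec["asn"], "window": fp.window,
                         "fp_match": fp_match, "asn_match": asn_match})
            by_asn[rec["asn"]] += 1
    return hits, by_asn

# Constructed sample log lines (documentation IP ranges and ASN, not real traffic).
SAMPLE_LOGS = [
    "ts=2025-11-14T10:00:01Z src=203.0.113.10 asn=AS200373 cc=DE uri=/global-protect/login.esp ja4t=65495_2-4-8-1-3_65495_7",
    "ts=2025-11-14T10:00:02Z src=203.0.113.11 asn=AS200373 cc=CA uri=/global-protect/login.esp ja4t=33280_2-4-8-1-3_65495_7",
    "ts=2025-11-14T10:00:03Z src=198.51.100.5 asn=AS208885 cc=NL uri=/global-protect/login.esp ja4t=65495_2-4-8-1-3_65495_7",
    "ts=2025-11-14T10:00:04Z src=192.0.2.7 asn=AS64496 cc=US uri=/global-protect/login.esp ja4t=65535_2-1-3-1-1-4_1460_8",
    "ts=2025-11-14T10:00:05Z src=192.0.2.8 asn=AS200373 cc=DE uri=/ ja4t=65495_2-4-8-1-3_65495_7",
]

if __name__ == "__main__":
    found, counts = hunt(SAMPLE_LOGS)
    for h in found:
        print(h)
    print(dict(counts))
```

A benign client with a different JA4t and an unrelated ASN, and a campaign fingerprint hitting a different URI, are both left out, so the fingerprint and ASN matches can be pivoted on separately when the surge shows up in your own data.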
Infrastructure Concentration Across AS200373 and AS208885
The campaign’s infrastructure remains anchored in AS200373, with German-sourced traffic forming the most substantial segment. The parallel presence of a Canadian geolocation cluster within the same ASN—alongside persistent traffic from AS208885—indicates a distributed but coordinated hosting footprint.
Historical Correlation With Fortinet Vulnerability Disclosures
GreyNoise research has consistently documented a strong historical pattern:
Spikes in Fortinet VPN brute-force attempts are typically followed by Fortinet VPN vulnerability disclosures within six weeks.
First identified in July, this trend continues to offer meaningful historical context for interpreting the current escalation in Palo Alto–focused activity.