Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.

Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.

“GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals,” reads the bulletin.

“Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high.”

In early October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS profiles, with 91% of them classified as “suspicious,” and another 7% as clearly malicious.

Earlier, in April 2025, GreyNoise reported yet another spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals, involving 24,000 IP addresses, most of them being classified as suspicious, and 154 as malicious.

GreyNoise believes with high confidence that the latest activity is linked to previous related campaigns, based on recurring TCP/JA4t fingerprints, reuse of the same ASNs (Autonomous System Numbers), and aligned timing of activity spikes across campaigns.

The primary ASN used in these attacks is identified as AS200373 (3xK Tech GmbH), with 62% of the IPs being geolocated to Germany, and 15% to Canada. A second ASN involved in this activity is AS208885 (Noyobzoda Faridduni Saidilhom).

Targeting VPN logins

Between November 14 and 19, GreyNoise observed 2.3 million sessions hitting the */global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect.

The URI corresponds to a web endpoint exposed by a Palo Alto Networks firewall running GlobalProtect and shows a page where VPN users can authenticate.

Login attempts are mainly aimed at the United States, Mexico, and Pakistan, with similar volumes across all of them.

GreyNoise has previously underlined the importance of blocking these attempts and actively tracking them as malicious probes, instead of disregarding them as failed exploit attempts targeting long-patched flaws.

As the company’s stats show, these scanning spikes typically precede the disclosure of new security flaws in 80% of cases, with the correlation being even stronger for Palo Alto Networks’ products.

Concerning malicious activity for Palo Alto Networks this year, there have been two cases of active exploitation of flaws in February, with CVE-2025-0108, which was later chained with CVE-2025-0111 and CVE-2024-9474.

In September, Palo Alto Networks also disclosed a data breach that exposed customer data and support cases, as part of the ShinyHunters’ Salesloft Drift campaign.