Attacks targeting Palo Alto Networks PAN-OS GlobalProtect login portals have escalated massively, with over 2,200 unique IP addresses conducting reconnaissance operations as of October 7, 2025.
This represents a significant surge from the initial 1,300 IPs observed just days earlier, marking the highest scanning activity recorded in the past 90 days according to GreyNoise Intelligence monitoring.
The reconnaissance campaign began with a sharp 500% increase in scanning activity on October 3, 2025, when researchers observed approximately 1,300 unique IP addresses probing Palo Alto login portals.
This initial surge already represented the largest burst of scanning activity in three months, with daily volumes previously rarely exceeding 200 IPs during the preceding 90-day period.
Palo Alto PAN-OS GlobalProtect Login Portals Surge
The escalating attack campaign demonstrates sophisticated coordination across geographically distributed infrastructure.
GreyNoise analysis reveals that 91% of the malicious IP addresses are geolocated to the United States, with additional clusters concentrated in the United Kingdom, the Netherlands, Canada, and Russia.
Security researchers have identified approximately 12% of all ASN11878 subnets as allocated to scanning Palo Alto login portals, indicating significant infrastructure commitment to this operation.
The attack methodology suggests threat actors are systematically iterating through large credential databases, with login attempt patterns indicating automated brute-force operations against GlobalProtect SSL VPN portals.
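An added example, not part of the original article or GreyNoise's tooling: one way a defender could check their own portal authentication logs for the two patterns described above, a jump in distinct source IPs over the recent baseline and single sources cycling through many usernames. The event tuple layout, the thresholds (`factor`, `min_users`) and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed failed-login events as (date, source_ip, username)."""
    events = []
    for day in ("2025-09-30", "2025-10-01", "2025-10-02"):  # quiet days
        events += [(day, f"192.0.2.{n}", "alice") for n in (1, 2)]
    # Burst day: many new sources, one of which walks a username list.
    events += [("2025-10-03", f"198.51.100.{n}", "admin") for n in range(1, 12)]
    events += [("2025-10-03", "203.0.113.7", f"user{n}") for n in range(6)]
    return events

def daily_unique_ips(events):
    """Count distinct source IPs per day."""
    days = defaultdict(set)
    for day, ip, _user in events:
        days[day].add(ip)
    return {day: len(ips) for day, ips in days.items()}

def surge_days(counts, factor=5.0, min_history=3):
    """Days whose unique-IP count is >= factor x the median of all prior days."""
    flagged = []
    ordered = sorted(counts)  # ISO dates sort chronologically
    for i, day in enumerate(ordered):
        history = [counts[d] for d in ordered[:i]]
        if len(history) < min_history:
            continue  # not enough baseline yet to judge this day
        baseline = median(history)
        if baseline > 0 and counts[day] >= factor * baseline:
            flagged.append((day, counts[day], baseline))
    return flagged

def credential_iterators(events, min_users=5):
    """Source IPs that tried at least min_users distinct usernames."""
    users = defaultdict(set)
    for _day, ip, user in events:
        users[ip].add(user)
    return sorted(ip for ip, names in users.items() if len(names) >= min_users)

if __name__ == "__main__":
    sample = build_sample()
    print("surge days:", surge_days(daily_unique_ips(sample)))
    print("username-cycling sources:", credential_iterators(sample))
```

The median baseline keeps a single burst day from inflating the reference level for the days that follow it.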
Source: Cybersecurity News