Surge in Attacks on Palo Alto Networks’ GlobalProtect Portals: Over 2,200 IPs Involved

In early October 2025, security researchers observed a sharp escalation in scanning against Palo Alto Networks' PAN-OS GlobalProtect login portals. By October 7, more than 2,200 unique IP addresses had been seen probing the portals, the highest daily scanning volume recorded against them in the preceding 90 days.

The campaign began on October 3, 2025, with a roughly 500% jump in scanning activity: about 1,300 unique IP addresses probed Palo Alto login portals in a single day, against a baseline that had rarely exceeded 200 IPs per day during the preceding 90-day period.

Geographical Distribution and Attack Methodology

Analysis showed that 91% of the scanning IP addresses were geolocated to the United States, with smaller clusters in the United Kingdom, the Netherlands, Canada, and Russia. Roughly 12% of the subnets in ASN11878 were observed scanning Palo Alto login portals, which points to a substantial infrastructure commitment to the operation. Geolocation says where the scanning hosts sit, not who operates them; a US-heavy distribution is consistent with rented hosting rather than with domestic actors.

Login-attempt patterns point to automated credential attacks rather than simple service discovery: the actors appear to be iterating systematically through large credential lists against GlobalProtect SSL VPN portals.

Technical Analysis and Correlations

Technical analysis classified 93% of the participating IP addresses as suspicious and the remaining 7% as malicious. The activity showed distinct regional clusters, each with its own TCP fingerprint, suggesting several coordinated groups operating at the same time.

Potential correlations were identified between the Palo Alto scanning surge and concurrent reconnaissance against Cisco ASA devices. Both campaigns shared a dominant TCP fingerprint tied to infrastructure in the Netherlands, along with similar regional clustering and tooling characteristics.

Defensive Measures

Security teams are advised to act now: blocklist the known scanning addresses, monitor GlobalProtect portal authentication logs for failed-login patterns (many usernames from one source, or many attempts against one account), and tighten access controls for remote VPN connections, in particular by enforcing multi-factor authentication on GlobalProtect. Blocklisting is a stopgap, since scanning infrastructure rotates; the authentication-log monitoring and MFA are what limit the damage from the credential attacks this campaign is built around.
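To make the log-monitoring advice concrete, the following is an added example, not code from the original article or from Palo Alto Networks. It profiles failed portal logins per source address over a short time window and separates password spraying (many usernames from one source) from single-account brute force, the two login-attempt patterns the campaign description points to. The log lines are a simplified key=value layout constructed for this example and are not the real PAN-OS GlobalProtect log schema; the window and thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (simplified format assumed for this example;
# NOT the real PAN-OS GlobalProtect log schema). Addresses are RFC 5737
# documentation ranges.
def _constructed_sample():
    lines = []
    # 203.0.113.10: one failure each for six different usernames in six seconds
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2025-10-03T08:00:{i + 1:02d}Z src=203.0.113.10 user={user} status=failure")
    # 198.51.100.7: twelve failures against 'admin' in twelve seconds
    for i in range(12):
        lines.append(f"2025-10-03T08:05:{i:02d}Z src=198.51.100.7 user=admin status=failure")
    # 192.0.2.20: a real user mistyping twice, then succeeding
    lines += [
        "2025-10-03T08:10:00Z src=192.0.2.20 user=alice status=failure",
        "2025-10-03T08:10:20Z src=192.0.2.20 user=alice status=failure",
        "2025-10-03T08:10:40Z src=192.0.2.20 user=alice status=success",
    ]
    return "\n".join(lines)

SAMPLE_LOGS = _constructed_sample()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$"
)

def parse_lines(text):
    """Parse the assumed key=value format into event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def profile_sources(events, window=timedelta(minutes=10)):
    """For each source IP, find the busiest sliding window of failed logins.

    Returns {src: {"failures", "peak_failures", "peak_users"}} where the peak
    values are the most failures / most distinct usernames seen inside any
    single window. Successful logins are not counted as failures.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["status"] == "failure":
            by_src[ev["src"]].append(ev)
    profiles = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        peak_failures = peak_users = 0
        start = 0
        for end, ev in enumerate(fails):
            # slide the window start forward until it is within `window` of ev
            while fails[start]["ts"] < ev["ts"] - window:
                start += 1
            in_window = fails[start:end + 1]
            peak_failures = max(peak_failures, len(in_window))
            peak_users = max(peak_users, len({e["user"] for e in in_window}))
        profiles[src] = {
            "failures": len(fails),
            "peak_failures": peak_failures,
            "peak_users": peak_users,
        }
    return profiles

def classify(profiles, max_users=5, max_failures=10):
    """Label each source; thresholds are assumptions, tune to your baseline."""
    verdicts = {}
    for src, p in profiles.items():
        if p["peak_users"] >= max_users:
            verdicts[src] = "password-spray"   # many accounts, few tries each
        elif p["peak_failures"] >= max_failures:
            verdicts[src] = "brute-force"      # one account hammered
        else:
            verdicts[src] = "benign"
    return verdicts

def flagged_sources(text):
    """Sorted list of source IPs that should be blocked or escalated."""
    verdicts = classify(profile_sources(parse_lines(text)))
    return sorted(src for src, v in verdicts.items() if v != "benign")

if __name__ == "__main__":
    for src, verdict in classify(profile_sources(parse_lines(SAMPLE_LOGS))).items():
        print(f"{src:15} {verdict}")
```

The distinction matters operationally: a spraying source trips no per-account lockout, so a detection keyed only on failures per username misses it, while a per-source view catches both patterns. In production the parser would be replaced by the firewall's actual log export, but the windowing and classification stay the same.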