Malicious scanning activity targeting Palo Alto Networks GlobalProtect VPN login portals has increased 40 times in 24 hours, indicating a coordinated campaign.
Real-time intelligence company GreyNoise reports that activity began climbing on November 14 and hit its highest level in 90 days within a week.
"GreyNoise has identified a significant escalation in malicious activity targeting Palo Alto Networks GlobalProtect portals," reads the bulletin.
"Beginning on 14 November 2025, activity rapidly intensified, culminating in a 40x surge within 24 hours, marking a new 90-day high."
[Figure: Scanning activity surging on PAN GlobalProtect portals. Source: GreyNoise]
In early October, GreyNoise reported a 500% increase in IP addresses scanning Palo Alto Networks GlobalProtect and PAN-OS profiles, with 91% of them classified as "suspicious," and another 7% as clearly malicious.
Earlier, in April 2025, GreyNoise reported another spike in scanning activity targeting Palo Alto Networks GlobalProtect login portals, involving 24,000 IP addresses, most of them classified as suspicious and 154 as malicious.
GreyNoise believes with high confidence that the latest activity is linked to previous related campaigns, based on recurring TCP/JA4t fingerprints, reuse of the same ASNs (Autonomous System Numbers), and aligned timing of activity spikes across campaigns.
The primary ASN used in these attacks is identified as AS200373 (3xK Tech GmbH), with 62% of the IPs being geolocated to Germany, and 15% to Canada. A second ASN involved in this activity is AS208885 (Noyobzoda Faridduni Saidilhom).
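For defenders who want to check their own portal logs against this pattern, the following is an added example (not from GreyNoise or the article) that flags a day-over-day surge at the article's 40x threshold and reports how much of it comes from the two ASNs named above. The log format, the sample rows, and the function names are constructed for illustration, and ASN enrichment of source IPs is assumed to happen upstream.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# ASNs named in the article; SURGE_FACTOR mirrors its "40x within 24 hours" figure.
WATCHED_ASNS = {200373: "3xK Tech GmbH", 208885: "Noyobzoda Faridduni Saidilhom"}
SURGE_FACTOR = 40

def build_sample():
    """Constructed log: 'timestamp,source_ip,origin_asn' per portal login request.
    IPs and AS64500 come from documentation ranges; ASN enrichment is assumed upstream."""
    rows = [f"2025-11-13T0{h}:00:00,192.0.2.{h},64500" for h in range(2)]
    rows += [f"2025-11-14T10:{m:02d}:00,198.51.100.{m},200373" for m in range(60)]
    rows += [f"2025-11-14T11:{m:02d}:00,203.0.113.{m},208885" for m in range(15)]
    rows += [f"2025-11-14T12:{m:02d}:00,192.0.2.{m},64500" for m in range(5)]
    rows += [f"2025-11-15T09:{m:02d}:00,198.51.100.{m},200373" for m in range(60)]
    return rows

def daily_counts(lines):
    """Return {date: Counter({asn: hits})}, skipping malformed lines."""
    per_day = defaultdict(Counter)
    for line in lines:
        try:
            ts, _ip, asn = line.strip().split(",")
            per_day[datetime.fromisoformat(ts).date()][int(asn)] += 1
        except ValueError:
            continue
    return per_day

def find_surges(lines, factor=SURGE_FACTOR):
    """Flag days whose volume is >= factor times the previous calendar day's."""
    per_day = daily_counts(lines)
    days = sorted(per_day)
    alerts = []
    for day in days[1:]:  # the first day in the log has no baseline
        prev = day - timedelta(days=1)
        baseline = max(sum(per_day.get(prev, Counter()).values()), 1)  # quiet day counts as 1
        total = sum(per_day[day].values())
        if total >= factor * baseline:
            watched = sum(n for asn, n in per_day[day].items() if asn in WATCHED_ASNS)
            alerts.append({"day": day.isoformat(), "ratio": total / baseline,
                           "watched_share": watched / total})
    return alerts

if __name__ == "__main__":
    for alert in find_surges(build_sample()):
        print(alert)
```

A high `watched_share` on a flagged day indicates the surge matches the infrastructure reported here rather than an unrelated traffic change.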