
GreyNoise has detected a significant surge in login scanning activity aimed at Palo Alto Networks PAN-OS GlobalProtect portals. In the last month, nearly 24,000 unique IP addresses have been observed attempting to gain access, suggesting a coordinated effort to probe network defenses and identify potential vulnerabilities.

Key observations

The spike began[1] on March 17, 2025, peaking at almost 20,000 unique IPs per day and remaining steady until March 26 before declining. The majority of this activity is classified as suspicious (23,800 IPs), with a smaller subset flagged as malicious (154 IPs). The consistency of this activity indicates a planned approach to testing network defenses, which could pave the way for exploitation.

A substantial portion of the traffic is associated with 3xK Tech GmbH (20,010 IPs) under ASN200373, with other contributors including PureVoltage Hosting Inc., Fast Servers Pty Ltd., and Oy Crea Nova Hosting Solution Ltd.

GreyNoise has identified three JA4h hashes linked to the login scanner tool:

  • po11nn11enus_967778c7bec7_000000000000_000000000000
  • po11nn09enus_fb8b2e7e6287_000000000000_000000000000
  • po11nn060000_c4f66731b00d_000000000000_000000000000

These hashes are indicative of connection patterns associated with the login scanner tool, enabling GreyNoise to correlate separate login attempts originating from the same toolkit.

Source and destination analysis

The activity primarily originates from the United States (16,249) and Canada (5,823), followed by Finland, the Netherlands, and Russia. The majority of traffic targets systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore.

Organizations using Palo Alto Networks systems should review their March logs and conduct a detailed threat hunt to identify any signs of compromise.
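
As a starting point for that log review, the following added example (not GreyNoise's code and not part of the original article) matches the three JA4H values listed above against web or proxy logs and decodes the readable first section of each fingerprint according to the public JA4+ layout. It assumes JSON-lines logs with the hypothetical field names `ts`, `src_ip` and `ja4h`; the sample records are constructed.

```python
import json
from collections import defaultdict

# The three JA4H fingerprints listed on this page.
SCANNER_JA4H = {
    "po11nn11enus_967778c7bec7_000000000000_000000000000",
    "po11nn09enus_fb8b2e7e6287_000000000000_000000000000",
    "po11nn060000_c4f66731b00d_000000000000_000000000000",
}
SPIKE = ("2025-03-17", "2025-03-26")  # spike window reported on this page

def decode_ja4h_a(fp):
    """Decode the readable first section of a JA4H string (JA4+ layout)."""
    a = fp.split("_")[0]
    return {
        "method": a[0:2],            # "po" = POST, "ge" = GET
        "http_version": a[2:4],      # "11" = HTTP/1.1
        "has_cookie": a[4] == "c",   # "n" = no Cookie header
        "has_referer": a[5] == "r",  # "n" = no Referer header
        "header_count": int(a[6:8]),
        "accept_language": None if a[8:12] == "0000" else a[8:12],
    }

def hunt(log_lines):
    """Per source IP: matching requests, how many fell in the spike, timestamps."""
    hits = defaultdict(lambda: {"total": 0, "in_spike": 0, "seen": []})
    for line in log_lines:
        try:
            rec = json.loads(line)
            ts, ip, fp = (str(rec[k]) for k in ("ts", "src_ip", "ja4h"))
        except (ValueError, KeyError, TypeError):  # malformed or incomplete record
            continue
        if fp not in SCANNER_JA4H:
            continue
        hits[ip]["total"] += 1
        hits[ip]["in_spike"] += int(SPIKE[0] <= ts[:10] <= SPIKE[1])
        hits[ip]["seen"].append(ts)
    return dict(hits)

# Constructed sample records (documentation IP ranges, not real observations).
SAMPLE = [
    '{"ts":"2025-03-18T02:11:09Z","src_ip":"192.0.2.10","ja4h":"po11nn11enus_967778c7bec7_000000000000_000000000000"}',
    '{"ts":"2025-03-29T14:40:51Z","src_ip":"192.0.2.10","ja4h":"po11nn060000_c4f66731b00d_000000000000_000000000000"}',
    '{"ts":"2025-03-20T09:00:00Z","src_ip":"198.51.100.7","ja4h":"ge11cr12enus_aaaaaaaaaaaa_bbbbbbbbbbbb_cccccccccccc"}',
    'not json',
    '{"ts":"2025-03-26T23:59:00Z","src_ip":"203.0.113.5","ja4h":"po11nn09enus_fb8b2e7e6287_000000000000_000000000000"}',
]

if __name__ == "__main__":
    print({fp: decode_ja4h_a(fp) for fp in sorted(SCANNER_JA4H)})
    print(hunt(SAMPLE))
```

The decoded fields show what the three fingerprints have in common: POST requests over HTTP/1.1 with no Cookie and no Referer header, which is why the last two sections of each hash are all zeros.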

  1. https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity