Hackers have launched a massive campaign against Palo Alto Networks’ GlobalProtect VPN portals, resulting in over 2.3 million malicious sessions since November 14, 2025. This surge, identified by the threat intelligence firm GreyNoise, saw attack activity increase dramatically within 24 hours to a 40-fold peak, representing the highest activity level observed in the past 90 days.
The primary focus of these attacks is the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect platforms, with attackers attempting brute-force logins that could grant unauthorized access to corporate networks heavily reliant on these VPNs for secure remote work.GreyNoise researchers are confident the Palo Alto assault is tied to overlapping threat actors involved in earlier malicious campaigns. Key evidence for this attribution includes consistent TCP and JA4t fingerprints across various incidents, the repeated use of shared infrastructure identified by recurring Autonomous System Numbers (ASNs), and synchronized timing in the spikes of attack activity.
These established patterns suggest a sophisticated, possibly state-sponsored or organized cybercrime operation is at work, systematically probing enterprise defenses for weaknesses using proven, iterative tactics.The infrastructure supporting the attack is highly centralized. A significant 62% of the malicious sessions originate from AS200373 (3xK Tech GmbH), a German company, which forms the core backbone of the entire campaign.
An additional 15% of the activity is also tied to this same ASN but is routed through Canadian clusters, a common tactic used for distributed hosting to evade detection. Secondary attack contributions are traced back to AS208885 (Noyobzoda Faridduni Saidilhom), further reinforcing the image of a tightly coordinated, multi-continental cyber footprint.Attackers appear to be geographically focused in their targeting. Login probes are being directed at the United States, Mexico, and Pakistan, with each country facing roughly equal volumes of attempted access.
This specific distribution suggests the threat actors may be prioritizing regions perceived as high-value targets or that they are actively leveraging large stolen credential lists aggregated from diverse sources. The campaign highlights a persistent and concerning issue regarding vulnerabilities in widely adopted network security tools used globally.For security professionals and defensive hunters looking to identify and block this activity, GreyNoise specifically emphasized two JA4t fingerprints that cover all observed malicious sessions. These highly specific identifiers are: $65495\_2-4-8-1-3\_65495\_7$ and $33280\_2-4-8-1-3\_65495\_7$. These signatures are crucial for implementing security controls to mitigate the immediate and ongoing risks posed by the escalating campaign against GlobalProtect VPNs.
Reference:
