Campaign thehackernews.com/2025/04/n…

Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals.

“This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation,” threat intelligence firm GreyNoise said.

The surge is said to have commenced on March 17, 2025, sustaining at nearly 20,000 unique IP addresses per day before dropping off on March 26. At its peak, 23,958 unique IP addresses are estimated to have participated in the activity. Of these, only a smaller subset of 154 IP addresses has been flagged as malicious.