Enterprise VPN Under Siege: Hackers Execute 2.3 Million Login Probes Against Palo Alto GlobalProtect in Days

Threat intelligence firm GreyNoise has documented an unprecedented surge in cyberattacks targeting Palo Alto Networks' GlobalProtect VPN portals, with over 2.3 million malicious sessions launched since November 14, 2025. The campaign intensified dramatically within 24 hours, marking a 40-fold increase and representing the highest attack activity level observed in the past 90 days. Security researchers assess with high confidence that coordinated threat actors are behind this sophisticated brute-force operation targeting the /global-protect/login.esp URI across enterprise networks worldwide.

The Attack Timeline: From Zero to 2.3 Million in Days

The assault began on November 14, 2025, with initial reconnaissance activity against Palo Alto PAN-OS and GlobalProtect platforms. Within hours, attack intensity escalated exponentially; the speed of the ramp-up points to operational coordination and pre-staged infrastructure, consistent with a pre-planned campaign. By the campaign's peak, threat actors were executing massive parallel brute-force login attempts across thousands of GlobalProtect portals simultaneously.

GreyNoise researchers identified consistent technical indicators confirming attribution to a single threat actor or closely coordinated threat actor group. TCP and JA4t fingerprints remained identical across all observed malicious traffic, indicating standardized tooling and centralized command infrastructure. The temporal patterns of activity spikes matched previous campaigns tracked by GreyNoise, suggesting iterative operations by experienced threat actors refining proven attack methodologies.

Infrastructure Concentration: German and Canadian Hosting Networks

The campaign's infrastructure demonstrates remarkable concentration, with 62% of all malicious sessions originating from AS200373 (3xK Tech GmbH), a German-registered autonomous system. This ASN serves as the primary backbone for attack operations, hosting command-and-control infrastructure and proxy networks facilitating credential stuffing attempts.

An additional 15% of traffic from the same ASN appeared to originate in Canada, suggesting distributed hosting architecture designed to evade geographic blocking and complicate attribution. Secondary contributions from AS208885 (Noyobzoda Faridduni Saidilhom) reinforce the coordinated operational footprint spanning multiple continents and hosting providers.

For threat hunting and defensive blocking, GreyNoise highlighted two JA4t fingerprints encompassing all related activity:

  • M65495_2-4-8-1-3_65495_7

  • 33280_2-4-8-1-3_65495_7

Security teams can use these signatures to identify and block malicious traffic associated with this campaign regardless of source IP variability.

Geographic Targeting: United States, Mexico, and Pakistan

Attack targets demonstrate wide geographic distribution, with the United States, Mexico, and Pakistan receiving roughly equivalent attack volumes. This pattern suggests either indiscriminate scanning across global IP ranges or strategic targeting leveraging stolen credential databases sourced from diverse geographic regions and industry verticals.

The geographic spread may also reflect attackers probing for weakest-link organizations—targeting subsidiaries, regional offices, or international partners with potentially lower security maturity than primary corporate infrastructure.

The Ominous Historical Pattern: Brute Force Precedes Disclosure

GreyNoise research has identified a troubling historical correlation: brute-force attack surges against VPN infrastructure typically precede vulnerability disclosures by approximately six weeks. This pattern was first documented in July 2025 when massive Fortinet VPN brute-force campaigns preceded critical vulnerability announcements affecting those platforms.

Similar attack spikes against Palo Alto GlobalProtect portals occurred in April and October 2025, both preceding security advisories and vulnerability disclosures affecting PAN-OS and GlobalProtect systems. If this pattern holds, the current 2.3 million-attack surge may signal an upcoming zero-day or critical vulnerability disclosure within the next month.

Organizations should treat this attack surge not merely as credential stuffing but as potential reconnaissance preceding exploitation of undisclosed vulnerabilities in GlobalProtect infrastructure.

Known Vulnerabilities Requiring Immediate Patching

While the current campaign appears to focus on brute-force credential attacks rather than exploiting specific vulnerabilities, organizations must ensure systems are patched against recently disclosed GlobalProtect vulnerabilities:

CVE-2025-0108 (CVSS 7.8): Authentication bypass in PAN-OS management interface, actively exploited and added to CISA's Known Exploited Vulnerabilities catalog.

CVE-2025-2183 (CVSS 4.5): Improper certificate validation in GlobalProtect App enabling privilege escalation on Windows and Linux systems.

CVE-2025-0141 (CVSS 5.7): Privilege escalation vulnerability in GlobalProtect App affecting macOS, Windows, and Linux deployments.

CVE-2025-0140 (CVSS 4.3): Non-admin users can disable GlobalProtect App on macOS systems, circumventing endpoint security controls.

Defensive Recommendations and Immediate Actions

Organizations deploying Palo Alto GlobalProtect VPN infrastructure should immediately implement layered defensive measures:

Enforce Multi-Factor Authentication: Require MFA for all VPN access, eliminating the efficacy of credential-stuffing attacks even with valid username-password combinations.

Restrict Management Interface Access: Limit GlobalProtect management interfaces to trusted internal IP ranges so that the management plane is never reachable from the internet.

Monitor for Anomalous Activity: Track login attempts from suspicious ASNs (particularly AS200373 and AS208885), unusual geographic locations, and failed authentication patterns.

Implement Rate Limiting: Configure authentication endpoint rate limiting to throttle brute-force attempts and trigger automated blocking after threshold violations.

Deploy Threat Intelligence Blocking: Use the GreyNoise Block solution or an equivalent threat intelligence feed to proactively block IPs associated with this campaign.

Audit Exposed Portals: Identify all internet-facing GlobalProtect portals and assess whether exposure is operationally necessary or can be restricted through network segmentation.
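The following triage script is an added example, not code from GreyNoise or Palo Alto Networks, showing how the indicators in this article can be operationalised for the "Monitor for Anomalous Activity" and "Implement Rate Limiting" recommendations: it matches portal access events against the two JA4t fingerprints and two ASNs listed above, and it detects bursts of failed logins against /global-protect/login.esp with a sliding window. The space-separated log format, the field names, the 60-second window, the threshold of five failures, and every sample line (including the benign JA4t value and the reserved-range ASN AS64496) are assumptions constructed for the example; PAN-OS does not emit logs in this shape, so the parser would be adapted to the real GlobalProtect log export in practice.

```python
"""Triage constructed GlobalProtect portal access events against the
indicators in the article: two campaign JA4t fingerprints, two source ASNs,
and a failed-login burst threshold on the login URI.

Log format, field names, window and threshold are assumptions for this
example, not a PAN-OS log format (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Indicators quoted from the article.
CAMPAIGN_JA4T = {"M65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7"}
CAMPAIGN_ASNS = {"AS200373", "AS208885"}
LOGIN_URI = "/global-protect/login.esp"

# Constructed sample log (not real telemetry). Fields per line:
# timestamp, source IP, source ASN, JA4t fingerprint, request URI, auth result.
# 203.0.113.10: six failures in 30 s, campaign JA4t and ASN (should be flagged).
# 198.51.100.7: one failure then success, benign fingerprint/ASN (should pass).
# 192.0.2.55: campaign ASN but no burst and non-campaign JA4t (ASN hit only).
SAMPLE_LOG = """\
2025-11-15T10:00:01Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:00:04Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:00:09Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:00:15Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:00:22Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:00:30Z 203.0.113.10 AS200373 33280_2-4-8-1-3_65495_7 /global-protect/login.esp FAIL
2025-11-15T10:01:10Z 198.51.100.7 AS64496 65535_2-1-3-1-1-4_1460_6 /global-protect/login.esp FAIL
2025-11-15T10:01:25Z 198.51.100.7 AS64496 65535_2-1-3-1-1-4_1460_6 /global-protect/login.esp OK
2025-11-15T10:02:00Z 192.0.2.55 AS208885 65535_2-1-3-1-1-4_1460_6 /global-protect/login.esp FAIL
2025-11-15T10:07:00Z 192.0.2.55 AS208885 65535_2-1-3-1-1-4_1460_6 /global-protect/login.esp FAIL
"""


def parse_log(text):
    """Parse the constructed format into a list of event dicts (UTC timestamps)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, asn, ja4t, uri, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src, "asn": asn, "ja4t": ja4t, "uri": uri, "result": result,
        })
    return events


def indicator_hits(event):
    """Return which static campaign indicators a single event matches."""
    hits = []
    if event["ja4t"] in CAMPAIGN_JA4T:
        hits.append("ja4t")
    if event["asn"] in CAMPAIGN_ASNS:
        hits.append("asn")
    return hits


def failed_login_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak failures inside any `window`} for sources whose peak
    reaches `threshold` failed logins against LOGIN_URI (sliding window)."""
    failures = defaultdict(list)
    for e in events:
        if e["uri"] == LOGIN_URI and e["result"] == "FAIL":
            failures[e["src"]].append(e["ts"])
    bursts = {}
    for src, stamps in failures.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def triage(text, **burst_kwargs):
    """Combine static indicators and burst detection into {src: sorted reasons}."""
    events = parse_log(text)
    bursts = failed_login_bursts(events, **burst_kwargs)
    flagged = {}
    for e in events:
        reasons = set(indicator_hits(e))
        if e["src"] in bursts:
            reasons.add("burst")
        if reasons:
            flagged.setdefault(e["src"], set()).update(reasons)
    return {src: sorted(r) for src, r in flagged.items()}


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(reasons)}")
```

A source carrying a campaign JA4t fingerprint is worth blocking on its own, since the fingerprint is the property that stays constant while source IPs rotate; the burst detector is the rate-limiting signal and catches retooled traffic that no longer matches the published fingerprints, which is why the two checks are combined rather than chained.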

The 2.3 million-attack campaign underscores that remote access infrastructure remains a prime vector for initial access operations supporting ransomware deployment, corporate espionage, and data exfiltration. As enterprises continue relying on VPN technology for remote work, threat actors will persistently target these critical access points. The potential six-week warning before vulnerability disclosure demands urgent defensive posture hardening across all Palo Alto GlobalProtect deployments.