A sudden surge in mass scanning activity has targeted two major enterprise security vendors, Palo Alto Networks and SonicWall, raising alarms about potential reconnaissance campaigns. Security intelligence firm GreyNoise reports that a significant spike in traffic, originating from a specific hosting provider, has been observed probing for sensitive login portals and API endpoints.
On December 2, 2025, GreyNoise sensors detected a “concentrated spike of 7,000+ IPs” attempting to access Palo Alto Networks GlobalProtect login portals. This activity was notably intense but brief, characterized by a flood of requests aiming to identify accessible VPN gateways.
Just 24 hours later, on December 3, the focus shifted. The same client fingerprints were observed scanning for SonicWall SonicOS API endpoints (/api/sonicos), marking a clear pivot in targeting strategy.
What links these two events is not just timing, but infrastructure. GreyNoise analysis traced all the December 2 activity back to “infrastructure operated by 3xK GmbH”.
More intriguingly, the client “fingerprints”—technical characteristics of the scanning tool—were identical across both the Palo Alto and SonicWall campaigns. This continuity suggests a single actor or toolset is behind the operation, pivoting between vendors to map out vulnerable attack surfaces.
This isn’t the first time these specific fingerprints have been seen. GreyNoise researchers connected this recent activity to a much larger wave of scanning that occurred between late September and mid-October.
During that earlier period, “over 9 million non-spoofable HTTP sessions” were generated from four distinct Autonomous System Numbers (ASNs) not typically associated with malicious activity. The primary target then, as now, was GlobalProtect portals. The re-emergence of these fingerprints on 3xK infrastructure suggests a “tooling continuity across what appear to be separate events,” potentially indicating a persistent actor refining their reconnaissance methods.
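An added example (not from GreyNoise or the original article) of the correlation described above: it groups probe records by client fingerprint and flags any fingerprint seen against both GlobalProtect portals and /api/sonicos. The log format, fingerprint labels, IP addresses and the GlobalProtect path prefix are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not GreyNoise data): UTC time, source IP,
# client fingerprint label, requested path. IPs are documentation ranges.
SAMPLE_LOG = """\
2025-12-02T09:14:03Z 198.51.100.10 fp-A /global-protect/login.esp
2025-12-02T09:14:07Z 198.51.100.11 fp-A /global-protect/login.esp
2025-12-02T11:40:00Z 203.0.113.5 fp-B /global-protect/login.esp
2025-12-03T10:02:51Z 198.51.100.12 fp-A /api/sonicos
2025-12-03T10:03:10Z 198.51.100.10 fp-A /api/sonicos
2025-12-03T12:00:00Z 192.0.2.77 fp-C /index.html
"""

# Path prefixes per product. /api/sonicos comes from the article; the
# GlobalProtect prefix is an assumption about how the portal is exposed.
TARGETS = {"globalprotect": ("/global-protect/",), "sonicos": ("/api/sonicos",)}

def classify(path):
    """Return the product a request path probes, or None if unrelated."""
    for product, prefixes in TARGETS.items():
        if path.lower().startswith(prefixes):
            return product
    return None

def find_pivots(log_text):
    """Report fingerprints that probed every product in TARGETS."""
    seen = defaultdict(lambda: defaultdict(list))  # fp -> product -> [(time, ip)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, fp, path = parts
        product = classify(path)
        if product:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            seen[fp][product].append((when, ip))
    pivots = {}
    for fp, by_product in seen.items():
        if len(by_product) < len(TARGETS):
            continue  # fingerprint only touched one vendor
        first = {prod: min(t for t, _ in hits) for prod, hits in by_product.items()}
        ips = {ip for hits in by_product.values() for _, ip in hits}
        gap = abs(first["sonicos"] - first["globalprotect"])
        pivots[fp] = {"source_ips": len(ips), "gap_hours": round(gap.total_seconds() / 3600, 1)}
    return pivots

if __name__ == "__main__":
    print(find_pivots(SAMPLE_LOG))
```

Keying on the fingerprint rather than the source IP is what lets the match survive a change of hosting infrastructure between events.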