Executive Summary
- Over 2.3 million brute-force login attempts have targeted Palo Alto Networks’ GlobalProtect VPNs since November 14, a 40-fold increase in activity.
- The attacks are attributed to a coordinated group using infrastructure primarily based in Germany, according to threat intelligence firm GreyNoise.
- Geographic targets appear concentrated in the United States, Mexico, and Pakistan, with attackers probing for weaknesses in corporate remote access systems.
- Organizations are advised to audit exposed VPN portals, enforce multi-factor authentication, and monitor for specific technical indicators to mitigate risk.
A massive and coordinated brute-force campaign has targeted Palo Alto Networks’ GlobalProtect VPN portals with over 2.3 million malicious login attempts since November 14, according to a report from threat intelligence firm GreyNoise. The surge in activity, which represents the highest level observed in 90 days, aims to exploit remote access systems to gain unauthorized entry into corporate networks.
Unprecedented Surge in Activity
Researchers at GreyNoise noted a dramatic escalation in the attacks, which intensified 40-fold within a 24-hour period. The malicious sessions are primarily focused on the /global-protect/login.esp URI, a common endpoint for Palo Alto PAN-OS and GlobalProtect platforms. This campaign highlights the persistent vulnerabilities in widely used network security infrastructure, particularly as organizations continue to rely on VPNs for remote work.
Coordinated Threat Actor Infrastructure
GreyNoise attributed the assault to a sophisticated and overlapping group of threat actors, citing strong evidence from shared technical fingerprints and infrastructure. The firm identified consistent TCP and JA4T fingerprints across this and previous incidents, suggesting a well-organized operation. The majority of the attack traffic, approximately 62%, originates from a single Autonomous System Number (ASN) traced to 3xK Tech GmbH, a German company. An additional 15% is routed through Canadian clusters associated with the same ASN.
Historical Patterns and Mitigation
This incident follows a pattern previously observed with attacks on other network devices, where a spike in brute-force attempts often precedes the disclosure of a new vulnerability. Similar surges targeted Palo Alto systems in April and October 2025. In response to the ongoing threat, security experts recommend that organizations immediately audit any exposed GlobalProtect portals, enforce multi-factor authentication (MFA), and actively monitor for the specific technical indicators identified in the report to prevent potential breaches.
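One way to monitor for the login-endpoint activity described above, shown as an added example that is not taken from the GreyNoise report or from Palo Alto Networks. It assumes combined-format access logs from a proxy in front of the portal; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

LOGIN_URI = "/global-protect/login.esp"  # endpoint named in the article
# Assumption: combined-format access logs from a proxy in front of the portal.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)')

def login_hits(lines):
    """Yield (date, source_ip) for every request to the login URI."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"].split("?", 1)[0] != LOGIN_URI:
            continue  # malformed line or unrelated path
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts.date(), m["ip"]

def analyze(lines, per_ip_threshold=20, surge_factor=40):
    """Return (noisy source IPs, ISO dates whose volume jumped surge_factor-fold)."""
    per_day, per_ip_day = Counter(), Counter()
    for day, ip in login_hits(lines):
        per_day[day] += 1
        per_ip_day[(day, ip)] += 1
    noisy = sorted({ip for (_, ip), n in per_ip_day.items() if n >= per_ip_threshold})
    surges = []
    for day in sorted(per_day)[1:]:  # first day in the log has no baseline
        baseline = max(per_day.get(day - timedelta(days=1), 0), 1)
        if per_day[day] >= surge_factor * baseline:
            surges.append(day.isoformat())
    return noisy, surges

# Constructed sample: 2 requests on day one, 80 from one source on day two.
HIT = '%s - - [%s +0000] "POST /global-protect/login.esp HTTP/1.1" 200 512'
SAMPLE = (
    [HIT % ("192.0.2.10", "01/Jan/2025:09:0%d:00" % i) for i in range(2)]
    + [HIT % ("198.51.100.7", "02/Jan/2025:03:%02d:%02d" % divmod(i, 60)) for i in range(80)]
    + ['192.0.2.10 - - [02/Jan/2025:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
       "not a log line"]
)

if __name__ == "__main__":
    noisy, surges = analyze(SAMPLE)
    print("sources over threshold:", noisy)
    print("surge days:", surges)
```

The per-source threshold and the 40-fold day-over-day factor are starting points to tune against a portal's normal login volume.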
