A significant and coordinated cyber campaign has recently escalated, with threat actors launching a large wave of login attempts and scanning activity against the widely used VPN products of Palo Alto Networks and SonicWall. The offensive, which began in early December, originated from over 7,000 distinct IP addresses, all traced back to the infrastructure of a single German IT and hosting company, 3xK Tech GmbH. This concentration of attack traffic in one provider's address space points to a well-organized operation aimed at identifying and potentially exploiting weaknesses in corporate and governmental network perimeters. The initial phase focused heavily on brute-forcing credentials on Palo Alto GlobalProtect VPN portals, a critical remote-access component in many large organizations. The actor then pivoted, using the same infrastructure to scan SonicWall SonicOS API endpoints at scale, suggesting a broader reconnaissance effort to map exposed enterprise systems for later exploitation. This multi-stage approach highlights the persistent and methodical nature of modern threats against essential network infrastructure.
1. The Anatomy of a Two-Pronged Assault
The campaign’s initial vector zeroed in on Palo Alto’s GlobalProtect, the VPN and remote access module integrated into the company’s firewall platform. This technology is a cornerstone of secure connectivity for countless enterprises, government agencies, and service providers, which makes it a high-value target for actors seeking an initial foothold in protected networks. The attackers used a classic but large-scale brute-force strategy, attempting to guess credentials or replay stolen ones to gain unauthorized access. Threat intelligence analysis showed that these login attempts hit specific profiles within a passive sensor network built to capture exactly this kind of activity. Significantly, the surge reused three client fingerprints that had already been observed in related scanning between late September and mid-October. That earlier activity generated over nine million non-spoofable HTTP sessions (connections that completed a TCP handshake, so the source addresses were genuine). It came from different network sources but carried the same tactical signature, indicating a consistent operational playbook and a long-term interest in compromising these VPN portals.
Following the intense focus on Palo Alto systems, the actor redirected their efforts toward a different but equally critical target: SonicWall SonicOS API endpoints. On December 3rd, the same three client fingerprints that characterized the GlobalProtect assault reappeared in a widespread scanning operation against SonicOS, the operating system that powers SonicWall’s firewall appliances. These API endpoints are used for remote management, configuration, and monitoring, and their exposure can give an attacker valuable information about a network’s architecture and security posture. Scanning of these interfaces is often a precursor to more sophisticated attacks: it lets the actor identify software versions, discover misconfigurations, and map infrastructure in preparation for exploiting known or even undisclosed vulnerabilities. The shift from credential attacks to reconnaissance scanning (both are active, connection-completing traffic, not passive observation) suggests the actor was in an intelligence-gathering phase intended to maximize the impact of a later offensive.
2. Tracing the Actor and Fortifying Defenses
The attribution of these disparate activities to a single threat actor rests on a consistent trail of technical evidence. The reuse of the same three JA4T (TCP) client fingerprints across different timeframes and target sets is a strong indicator of a common operator. Further linking the campaigns, researchers observed a significant precursor event in mid-November, when infrastructure belonging to 3xK Tech GmbH was used to probe GlobalProtect VPN portals in over 2.3 million scan sessions. In that instance 62% of the attacking IP addresses were located in Germany, and they carried the same fingerprints seen in the later, more aggressive campaign. The escalation, from the September and October scanning, through the mid-November probing, to the December assaults, paints a picture of a patient adversary testing and preparing its infrastructure before launching a full-scale operation. The scale, consistency, and shared technical markers give high confidence that these events were not isolated incidents but interconnected stages of a single campaign.
In response to this heightened threat level, Palo Alto Networks confirmed the increased scanning activity against GlobalProtect interfaces but clarified that the events were credential-based attacks rather than exploitation of a software vulnerability. The company’s internal telemetry and its Cortex XSIAM platform showed no resulting compromise of its products or services. As the primary defense against credential abuse, the vendor strongly recommended that all customers enforce Multi-Factor Authentication (MFA) so that a guessed or stolen password alone is not enough. The incident is a reminder of fundamental security practice. Defenders should monitor authentication surfaces for abnormal login velocity and repeated failures, which indicate a brute-force or password-spraying attempt in progress. They should also track recurring client fingerprints, since a fingerprint that returns from new address space is a signal that a static IP blocklist misses, and prefer dynamic, context-aware blocking (rate-based, expiring, escalating) over reliance on static reputation lists, which a sophisticated actor can sidestep simply by moving to fresh infrastructure.
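The monitoring and blocking guidance above, and the fingerprint-reuse signal used for attribution in the previous section, can be turned into working detection logic. The following is an added example written for this page; it is not code from the article, from Palo Alto Networks, SonicWall, or the researchers who reported the campaign. It assumes a constructed key=value log format (real GlobalProtect or SonicOS authentication logs would have to be mapped onto the same fields), constructed sample lines, and constructed JA4T values that follow the JA4T layout of window size, TCP option kinds, MSS, and window scale. Thresholds (5 failures or 3 distinct usernames in 5 minutes, a 15 minute base block that doubles on each repeat) are illustrative defaults, not vendor recommendations.

```python
"""Login-velocity and client-fingerprint detection over VPN auth events.

Added example, not code from the article, Palo Alto Networks, SonicWall or
the reporting researchers.  The key=value log format is constructed; real
GlobalProtect or SonicOS auth logs must be mapped to these fields first.
JA4T values are constructed but use the JA4T layout (window_options_mss_wscale).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) ja4t=(?P<ja4t>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 203.0.113.5 sprays usernames; 198.51.100.7 stays under every
# threshold but shares that fingerprint; 192.0.2.9 is a real user who mistypes twice.
SAMPLE_LOG = """\
2025-12-05T10:00:00Z src=203.0.113.5 ja4t=65535_2-4-8-1-3_1460_6 user=alice result=FAIL
2025-12-05T10:00:02Z src=203.0.113.5 ja4t=65535_2-4-8-1-3_1460_6 user=bob result=FAIL
2025-12-05T10:00:04Z src=203.0.113.5 ja4t=65535_2-4-8-1-3_1460_6 user=carol result=FAIL
2025-12-05T10:01:00Z src=198.51.100.7 ja4t=65535_2-4-8-1-3_1460_6 user=alice result=FAIL
2025-12-05T10:01:03Z src=198.51.100.7 ja4t=65535_2-4-8-1-3_1460_6 user=bob result=FAIL
2025-12-05T10:02:00Z src=192.0.2.9 ja4t=64240_2-4-8-1-3_1460_7 user=grace result=FAIL
2025-12-05T10:02:20Z src=192.0.2.9 ja4t=64240_2-4-8-1-3_1460_7 user=grace result=FAIL
2025-12-05T10:02:40Z src=192.0.2.9 ja4t=64240_2-4-8-1-3_1460_7 user=grace result=OK
"""

def parse_line(line):
    """Parse one constructed log line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

class VelocityDetector:
    """Per-source sliding window of failures, plus a fingerprint-to-source map.
    A source is flagged once when, inside `window`, it exceeds `max_failures`
    failed logins or fails against `max_users` distinct usernames (spraying)."""
    def __init__(self, window=timedelta(minutes=5), max_failures=5, max_users=3):
        self.window, self.max_failures, self.max_users = window, max_failures, max_users
        self.failures = defaultdict(deque)      # src -> deque of (ts, user)
        self.by_fingerprint = defaultdict(set)  # ja4t -> sources seen using it
        self.flagged = set()

    def observe(self, ev):
        self.by_fingerprint[ev["ja4t"]].add(ev["src"])
        if ev["result"] != "FAIL" or ev["src"] in self.flagged:
            return None
        q = self.failures[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while q and ev["ts"] - q[0][0] > self.window:  # evict events outside the window
            q.popleft()
        users = {u for _, u in q}
        if len(q) > self.max_failures or len(users) >= self.max_users:
            self.flagged.add(ev["src"])
            return {"src": ev["src"], "ja4t": ev["ja4t"], "ts": ev["ts"],
                    "failures": len(q), "users": len(users)}
        return None

    def fingerprint_clusters(self, min_sources=2):
        """Fingerprints reused by several sources: the recurrence signal worth tracking."""
        return {fp: sorted(s) for fp, s in self.by_fingerprint.items() if len(s) >= min_sources}

class DynamicBlocklist:
    """Expiring blocks with an escalating TTL, instead of a static reputation list."""
    def __init__(self, base_ttl=timedelta(minutes=15)):
        self.base_ttl, self.entries = base_ttl, {}  # src -> (expires_at, strikes)

    def block(self, src, now):
        strikes = self.entries.get(src, (None, 0))[1] + 1
        ttl = self.base_ttl * (2 ** (strikes - 1))  # 15 min, 30 min, 1 h, ...
        self.entries[src] = (now + ttl, strikes)
        return ttl

    def is_blocked(self, src, now):
        entry = self.entries.get(src)
        return entry is not None and now < entry[0]

def blocked_after(blocklist, src, ref_ts, minutes):
    """Is `src` still blocked `minutes` after `ref_ts`?"""
    return blocklist.is_blocked(src, ref_ts + timedelta(minutes=minutes))

def run(log_text):
    """Run the log through the detector, block flagged sources, surface related ones."""
    det, bl, alerts = VelocityDetector(), DynamicBlocklist(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (alert := det.observe(ev)):
            alert["ttl"] = bl.block(alert["src"], alert["ts"])
            alerts.append(alert)
    clusters = det.fingerprint_clusters()
    # Peers sharing a flagged fingerprint are not blocked on that alone, only surfaced.
    related = sorted({s for a in alerts for s in clusters.get(a["ja4t"], []) if s not in det.flagged})
    return {"alerts": alerts, "clusters": clusters, "related": related, "blocklist": bl}
```

On the sample, only 203.0.113.5 is flagged (three distinct usernames in a few seconds) and blocked for 15 minutes; the legitimate user at 192.0.2.9, with two failures against a single account, is left alone. 198.51.100.7 never crosses a threshold, but because it shares the flagged source's JA4T fingerprint it is returned as a related source, which is the kind of cross-infrastructure link that a static reputation list cannot express. A second strike against the same source doubles the block duration rather than adding a permanent entry, so stale blocks age out on their own.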
