A New Wave of Sophisticated Attacks Targets Palo Alto GlobalProtect and SonicWall SonicOS

Alex Cipher, 7 min read

A surge of cyberattacks has put Palo Alto GlobalProtect and SonicWall SonicOS in the crosshairs, with attackers orchestrating a campaign that’s as sprawling as it is sophisticated. Beginning December 2, 2025, over 7,000 unique IP addresses—primarily from German hosting provider 3xK Tech GmbH—were mobilized to launch a barrage of brute force and credential stuffing attacks, targeting remote access portals that are the digital front doors for countless organizations (BleepingComputer).

What sets this campaign apart is not just its scale but its use of clean, reputable infrastructure and a small set of reused technical fingerprints. By renting capacity from hosting providers with no prior malicious history and driving millions of completed HTTP sessions through the same three client fingerprints, the operators sidestepped IP-reputation and blocklist defenses, even though those same fingerprints gave researchers a way to tie the sessions together. The pivot between products and techniques, seen in other recent campaigns as well, makes detection and response a moving target for defenders (BleepingComputer).

This campaign is a wake-up call for organizations relying on remote access solutions, highlighting the need for advanced behavioral analytics, robust credential hygiene, and a proactive approach to threat intelligence.

Decoding the Attack: Tactics, Infrastructure, and What Makes This Campaign Tick

Distributed Attack Infrastructure: Scale and Origins

The latest campaign against Palo Alto GlobalProtect and SonicWall SonicOS demonstrates a significant escalation in both scale and sophistication of attack infrastructure. According to BleepingComputer, the operation began on December 2, 2025, and involved more than 7,000 unique IP addresses. This vast array of IPs originated predominantly from infrastructure managed by 3xK Tech GmbH, a German IT company that operates its own BGP network (AS200373) and functions as a hosting provider.

The campaign’s use of a dedicated hosting provider’s infrastructure offers several tactical advantages. First, it enables attackers to rapidly scale their operations, distributing login attempts and scans across thousands of endpoints. This distribution complicates detection and mitigation, as defenders are less able to rely on simple IP-based blocking. Additionally, the use of infrastructure with no prior history of malicious activity, as observed in four ASNs during earlier phases of the campaign, helps attackers evade reputation-based security controls (BleepingComputer).

Geographically, 62% of the attacking IP addresses were located in Germany, with the remainder distributed globally. The simplest explanation is that this is where the provider's capacity sits; whether the actor also chose it to complicate takedown or investigation is not something the reporting establishes.

Attack Methodology: Brute Force and Credential Stuffing

The attackers’ primary tactic against GlobalProtect portals involved large-scale brute force and credential stuffing attempts. These methods rely on automated tools to systematically attempt logins using extensive lists of usernames and passwords, often harvested from previous data breaches or leaks. The campaign targeted two specific profiles within the sensor network of GreyNoise, a threat intelligence company specializing in passive capture of scanning and exploitation activity.

Over the course of the observed activity, more than 9 million HTTP sessions were generated, primarily against GlobalProtect portals. These were non-spoofable sessions: each rode a completed TCP handshake, so the source addresses are genuine rather than forged. The attackers reused three distinct client fingerprints that had previously been seen in scanning attempts between late September and mid-October 2025. The fingerprints, derived from network- and application-layer characteristics of the client, point to a customized or semi-customized toolset. The reporting describes the tooling as designed to resemble legitimate client traffic, but the consistency of the fingerprints is also exactly what allowed the September scanning to be linked to the December login attempts (BleepingComputer).

The campaign's progression also included a pivot to SonicWall SonicOS API endpoints. After the initial wave of login attempts against GlobalProtect, the attackers shifted to scanning SonicWall SonicOS API endpoints, a multi-vector approach designed to maximize the likelihood of compromise across different remote access technologies.

Technical Fingerprinting: JA4t and TCP Signatures

A notable aspect of the campaign is the use of specific technical fingerprints to track and correlate attack activity. The majority of scan sessions, 2.3 million observed in mid-November, shared the same TCP/JA4T fingerprints. JA4T, part of the JA4+ fingerprint suite, describes the TCP layer rather than TLS: it is built from the SYN's window size, the ordered list of TCP option kinds, the MSS and the window-scale value (the plain JA4 fingerprint is the one that covers the TLS ClientHello). Because the value depends on how the client's network stack and tool construct the handshake rather than on the source address, defenders and researchers can group related scanning and attack sessions even when the IP addresses change.

The repeated use of consistent JA4T fingerprints across diverse IP addresses and time periods indicates a stable toolkit or automation framework. That consistency lets defenders attribute activity to a single campaign despite IP rotation and distribution across multiple ASNs. It also suggests operational discipline and resource investment, since the same tooling was maintained and redeployed over several months. One caveat: a stable TCP fingerprint identifies the stack and tool, not their provenance, so it does not by itself show that the tooling was custom rather than an off-the-shelf scanner run consistently.
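The following Python is an added example, not code from the article, GreyNoise or FoxIO. It computes a JA4T string from a SYN's window size and raw TCP options using the published JA4T layout (window, hyphen-joined option kinds, MSS, window scale), then groups constructed SYN observations by fingerprint to show how one tool stands out across rotating source addresses. The SYN records, option bytes and TEST-NET addresses are constructed for this example, and rendering an absent MSS or window-scale value as `00` is an assumption noted in the code.

```python
from collections import defaultdict

# JA4T (JA4+ suite) layout: <window>_<option kinds joined by '-'>_<mss>_<wscale>
# Assumption for this example: an absent MSS or window-scale option is rendered as "00".
ABSENT = "00"


def parse_tcp_options(raw: bytes) -> list[tuple[int, bytes]]:
    """Walk a raw TCP options field and return (kind, value) pairs in wire order."""
    opts = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: nothing further is meaningful
            break
        if kind == 1:                      # NOP carries no length byte
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length at offset %d" % i)
        opts.append((kind, raw[i + 2:i + length]))
        i += length
    return opts


def ja4t(window: int, raw_options: bytes) -> str:
    """Build the JA4T fingerprint for a SYN with the given window and options."""
    opts = parse_tcp_options(raw_options)
    kinds = "-".join(str(kind) for kind, _ in opts)
    mss = next((str(int.from_bytes(v, "big")) for k, v in opts if k == 2 and len(v) == 2), ABSENT)
    wscale = next((str(v[0]) for k, v in opts if k == 3 and len(v) == 1), ABSENT)
    return f"{window}_{kinds}_{mss}_{wscale}"


# Constructed option blobs: a Linux-like SYN, a Windows-like SYN, and a minimal scanner SYN.
TS_OPT = b"\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x00"   # timestamp TSval=1, TSecr=0
LINUX_OPTS = b"\x02\x04\x05\xb4" + b"\x04\x02" + TS_OPT + b"\x01" + b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x01\x01" + b"\x04\x02"
SCANNER_OPTS = b"\x02\x04\x05\xb4"                                   # MSS only, no window scale

# Constructed SYN observations (src_ip, window, options); TEST-NET addresses, not real sources.
SYNS = [
    ("203.0.113.10", 1024, SCANNER_OPTS),
    ("203.0.113.11", 1024, SCANNER_OPTS),
    ("198.51.100.7", 1024, SCANNER_OPTS),
    ("192.0.2.40", 1024, SCANNER_OPTS),
    ("203.0.113.12", 64240, LINUX_OPTS),
    ("203.0.113.13", 64240, WINDOWS_OPTS),
]


def correlate(syns):
    """Map each JA4T fingerprint to the sorted list of source IPs that produced it."""
    by_fp = defaultdict(set)
    for src, window, opts in syns:
        by_fp[ja4t(window, opts)].add(src)
    return {fp: sorted(ips) for fp, ips in by_fp.items()}


def shared_fingerprints(syns, min_sources=3):
    """Fingerprints seen from at least min_sources distinct IPs: one tool, many addresses."""
    return {fp: ips for fp, ips in correlate(syns).items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for fp, ips in correlate(SYNS).items():
        print(f"{fp:28s} {len(ips)} source(s): {', '.join(ips)}")
```

The point of `shared_fingerprints` is the inverse of IP blocking: the scanner SYN shows up from four unrelated addresses in two different prefixes, and it is the fingerprint, not the address, that is stable enough to pivot on.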

Evolution of Attack Patterns: From Scanning to Exploitation

The timeline of the campaign reveals a deliberate and adaptive approach to targeting. Initial activity focused on reconnaissance and brute force login attempts against GlobalProtect portals, betting on weak or reused credentials. As defenders responded and visibility increased, the attackers shifted tactics, expanding their scope to include SonicWall SonicOS API endpoints.

This evolution demonstrates a flexible operational model, wherein attackers monitor defensive responses and adjust their techniques accordingly. The ability to pivot between different target technologies—while maintaining high volumes of automated activity—reflects a mature threat actor with access to both technical expertise and substantial infrastructure.

Moreover, the campaign’s use of previously unassociated ASNs and hosting providers with clean reputations suggests ongoing efforts to evade blacklisting and reputation-based defenses. Attackers are likely employing reconnaissance to identify under-monitored or newly provisioned infrastructure, further complicating efforts to attribute and disrupt their operations.

Indicators of a Coordinated and Resourceful Threat Actor

Several characteristics of the campaign point to a coordinated and well-resourced threat actor:

  • Scale and Automation: The use of over 7,000 IP addresses and millions of HTTP sessions indicates access to significant computational and network resources, likely beyond the reach of opportunistic or amateur attackers.
  • Infrastructure Management: The choice of 3xK Tech GmbH, a provider with its own BGP network, suggests deliberate infrastructure procurement and management. Attackers appear to favor providers that offer both scale and a degree of operational anonymity.
  • Technical Sophistication: The reuse of a small set of client fingerprints and consistent JA4T signatures reflects a maintained, consistently deployed toolset, whether that toolset was built for the campaign or adapted from existing scanners.
  • Operational Adaptability: The observed pivot from GlobalProtect to SonicWall targets, as well as the use of clean ASNs, demonstrates a capacity for rapid adaptation in response to defensive measures.

These factors, taken together, suggest that the campaign is not the work of isolated individuals but rather a coordinated group with the resources and expertise necessary to conduct sustained, multi-vector attacks against enterprise-grade remote access solutions.

Defensive Implications: Challenges and Considerations

The tactics and infrastructure employed in this campaign present several challenges for defenders:

  • IP-Based Blocking Limitations: The sheer number and distribution of attacking IPs, many of which originate from reputable hosting providers, render traditional IP-based blocking strategies largely ineffective.
  • Detection Evasion: The use of clean ASNs and custom fingerprints allows attackers to bypass reputation-based and signature-based detection mechanisms, necessitating more advanced behavioral analysis and anomaly detection.
  • Credential Hygiene: The reliance on brute force and credential stuffing underscores the importance of strong password policies, multi-factor authentication on the portal itself, screening of passwords against known breach corpora, and regular credential audits.
  • Infrastructure Monitoring: Defenders must enhance monitoring of remote access portals and API endpoints, employing both passive and active detection techniques to identify anomalous login attempts and scanning activity.
  • Threat Intelligence Integration: The ability to correlate technical fingerprints, such as JA4t signatures, across diverse attack sessions is critical for attributing and responding to coordinated campaigns.
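As an added example rather than anything from the article or the vendors, the Python below sketches the behavioral check the bullets call for. It parses constructed, generic key=value authentication-failure lines (not real PAN-OS or SonicOS log syntax), flags time windows in which many distinct source IPs each make only a few failed attempts against many distinct usernames (the distributed pattern that slips under per-IP lockout thresholds), and measures how concentrated the sources are in a single ASN. The IP-to-ASN mapping is a constructed lookup; AS200373 is the number the article gives for 3xK Tech, but the documentation prefixes mapped to it here are placeholders, not the provider's real address space.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in a generic key=value shape (NOT real PAN-OS or SonicOS log syntax):
# ten failures against gp.example.com from eight addresses in about two minutes, plus one
# ordinary user fumbling a password twice on a second portal.
SAMPLE_LOG = """\
2025-12-02T03:00:01Z portal=gp.example.com src=203.0.113.10 user=asmith result=fail
2025-12-02T03:00:07Z portal=gp.example.com src=203.0.113.11 user=bjones result=fail
2025-12-02T03:00:15Z portal=gp.example.com src=203.0.113.12 user=cdoe result=fail
2025-12-02T03:00:22Z portal=gp.example.com src=203.0.113.13 user=dlee result=fail
2025-12-02T03:00:30Z portal=gp.example.com src=198.51.100.7 user=ekim result=fail
2025-12-02T03:00:44Z portal=gp.example.com src=203.0.113.14 user=fwong result=fail
2025-12-02T03:01:02Z portal=gp.example.com src=203.0.113.10 user=gpatel result=fail
2025-12-02T03:01:19Z portal=gp.example.com src=203.0.113.15 user=hliu result=fail
2025-12-02T03:01:40Z portal=gp.example.com src=203.0.113.11 user=inovak result=fail
2025-12-02T03:02:05Z portal=gp.example.com src=203.0.113.16 user=jgarcia result=fail
2025-12-02T03:15:00Z portal=vpn2.example.com src=192.0.2.40 user=kroy result=fail
2025-12-02T03:15:30Z portal=vpn2.example.com src=192.0.2.40 user=kroy result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal=(?P<portal>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

# Constructed prefix-to-ASN lookup. AS200373 is the number the article gives for 3xK Tech;
# the documentation prefixes mapped to it here are placeholders, not the provider's space.
ASN_PREFIXES = {"203.0.113.": "AS200373", "198.51.100.": "AS64496", "192.0.2.": "AS64497"}


def parse_log(text):
    """Parse key=value failure lines into dicts with an aware UTC datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # ignore lines that do not fit the expected shape
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def detect_distributed_stuffing(events, window=timedelta(minutes=5),
                                min_ips=5, min_users=5, max_per_ip=3):
    """Flag (portal, window) pairs where many sources each fail a few times against many users.
    A per-IP lockout never trips here because no address exceeds max_per_ip; the signal is
    the breadth of sources and usernames inside one window."""
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            buckets[(ev["portal"], int(ev["ts"].timestamp() // secs))].append(ev)
    alerts = []
    for (portal, slot), evs in sorted(buckets.items()):
        per_ip = Counter(e["src"] for e in evs)
        users = {e["user"] for e in evs}
        if len(per_ip) >= min_ips and len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            alerts.append({
                "portal": portal,
                "window_start": datetime.fromtimestamp(slot * secs, tz=timezone.utc),
                "failures": len(evs),
                "distinct_ips": len(per_ip),
                "distinct_users": len(users),
                "max_per_ip": max(per_ip.values()),
            })
    return alerts


def lookup_asn(ip):
    """Constructed string-prefix lookup; a real deployment would use a routing table or ASN DB."""
    for prefix, asn in ASN_PREFIXES.items():
        if ip.startswith(prefix):
            return asn
    return "AS-UNKNOWN"


def asn_concentration(events, asn_of=lookup_asn):
    """Share of distinct source IPs per ASN, to spot a campaign riding one provider."""
    ips = {e["src"] for e in events}
    counts = Counter(asn_of(ip) for ip in ips)
    return {asn: n / len(ips) for asn, n in counts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_distributed_stuffing(evs):
        print(f"{a['portal']} @ {a['window_start']:%H:%M}: {a['failures']} failures, "
              f"{a['distinct_ips']} IPs, {a['distinct_users']} users, max {a['max_per_ip']}/IP")
    print(asn_concentration([e for e in evs if e["portal"] == "gp.example.com"]))
```

Two design choices matter here. The alert keys on a portal plus a time window rather than on a source, so a threshold of five failures per IP (which every address in the sample stays under) is irrelevant to whether it fires. The ASN share is computed over distinct IPs rather than over events, so one chatty host cannot make a provider look more dominant than it is; the sample still lands at 7 of 8 sources in one ASN, the kind of concentration that justifies a temporary ASN-level block while the per-IP list keeps changing.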

In summary, the current wave of attacks against Palo Alto GlobalProtect and SonicWall SonicOS exemplifies the evolving tactics and infrastructure of modern threat actors. By leveraging distributed hosting resources, custom attack tools, and adaptive operational models, these actors are able to mount large-scale, persistent campaigns that challenge conventional defensive strategies. Ongoing vigilance, advanced detection capabilities, and proactive credential management are essential components of an effective response to this emerging threat landscape.

Final Thoughts

The ongoing assault on Palo Alto GlobalProtect and SonicWall SonicOS is a vivid illustration of how modern threat actors blend scale, sophistication, and adaptability to breach enterprise defenses. With over 9 million HTTP sessions and a toolkit designed to mimic legitimate users, these attackers are not just knocking on the door—they’re trying every key in the lock, all at once (BleepingComputer).

For defenders, the message is clear: traditional security measures like IP blocking and static signatures are no longer enough. Instead, organizations must invest in smarter detection, continuous monitoring, and strong authentication practices. As attackers continue to evolve, so too must our defenses—turning the lessons from this campaign into actionable strategies for a safer digital future.

References