Severity
High
Analysis Summary
Since November 14, 2025, Palo Alto Networks’ GlobalProtect VPN portals have been targeted by over 2.3 million malicious sessions, the highest level of activity in the past 90 days. Researcher’s threat intelligence observed that this surge intensified rapidly within 24 hours, reaching a 40-fold increase, primarily targeting the /global-protect/login.esp URI. The attacks consist mainly of brute-force login attempts, which could expose corporate networks to unauthorized access and emphasize the growing risks faced by remote access systems worldwide.
Analysis indicates that the surge is linked to coordinated threat actors with ties to previous campaigns, suggesting a sophisticated operation that may involve state-sponsored or cybercrime actors. Evidence includes consistent TCP and JA4t fingerprints, shared infrastructure via recurring Autonomous System Numbers (ASNs), and synchronized activity spikes. The attackers’ tactics demonstrate iteration on proven methods to probe weaknesses in enterprise defenses, signaling high-level planning and operational capability.
The campaign’s infrastructure is highly concentrated, with 62% of sessions originating from AS200373 (3xK Tech GmbH) in Germany, forming the backbone of the assault. Another 15% is routed through the same ASN but via Canadian clusters, while secondary contributions from AS208885 (Noyobzoda Faridduni Saidilhom) further highlight the distributed and coordinated nature of this operation. Geographically, the attacks have largely focused on the United States, Mexico, and Pakistan, indicating either targeting of high-value regions or exploitation of stolen credential lists from multiple sources.
Organizations are advised to audit exposed GlobalProtect portals, enforce multi-factor authentication, and monitor for key indicators, including the JA4t fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7. Historical trends observed by Researcher show that VPN brute-force surges often precede vulnerability disclosures, emphasizing the need for proactive defenses. With remote access remaining a prime vector for ransomware and espionage, this 2.3 million-session wave underlines the critical importance of hardening VPN configurations and maintaining vigilant monitoring amid increasingly sophisticated threats.
Impact
- Sensitive Data Theft
- Unauthorized Access
- Gain Access
Remediation
- Check all exposed GlobalProtect VPN login pages for vulnerabilities.
- Require multi-factor authentication (MFA) for all VPN users to prevent unauthorized access even if credentials are stolen.
- Watch for JA4t fingerprints 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7 in your network logs.
- Configure rate limiting or account lockouts to reduce the effectiveness of brute-force attacks.
- Ensure PAN-OS and GlobalProtect are patched with the latest security updates.
- Restrict access to sensitive internal resources behind VPN to minimize potential damage.
- Review network logs regularly to detect suspicious login attempts from unusual geographies or IPs.
- Subscribe to updated threat intelligence feeds to stay aware of ongoing attack campaigns targeting VPNs.
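The monitoring steps above (watching for the two JA4t fingerprints and reviewing logs for bursts of failed portal logins) can be turned into a small detection script. The following is an added example, not code from the advisory or from Palo Alto Networks; it assumes a hypothetical, constructed log format of `timestamp src_ip method uri status ja4t` and flags a source IP once it produces `threshold` failed logins to the portal URI inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_JA4T = {"65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7"}  # from the advisory
TARGET_URI = "/global-protect/login.esp"                                # from the advisory

# Constructed sample lines in a hypothetical format: ts src_ip method uri status ja4t
SAMPLE_LOGS = """\
2025-11-14T10:00:01Z 203.0.113.10 POST /global-protect/login.esp 401 65495_2-4-8-1-3_65495_7
2025-11-14T10:00:02Z 203.0.113.10 POST /global-protect/login.esp 401 65495_2-4-8-1-3_65495_7
2025-11-14T10:00:03Z 203.0.113.10 POST /global-protect/login.esp 401 65495_2-4-8-1-3_65495_7
2025-11-14T10:00:04Z 203.0.113.10 POST /global-protect/login.esp 401 65495_2-4-8-1-3_65495_7
2025-11-14T10:00:05Z 203.0.113.10 POST /global-protect/login.esp 401 65495_2-4-8-1-3_65495_7
2025-11-14T10:06:00Z 192.0.2.55 GET /global-protect/login.esp 200 33280_2-4-8-1-3_65495_7
2025-11-14T10:30:00Z 198.51.100.7 POST /global-protect/login.esp 401 12345_2-4-8-1-3_65495_7
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def parse(text):  # yield one event dict per well-formed line; malformed lines are skipped
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, _method, uri, status, ja4t = m.groups()
            yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                   "ip": ip, "uri": uri, "status": int(status), "ja4t": ja4t}

def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return IPs with at least `threshold` failed portal logins inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["uri"] == TARGET_URI and e["status"] == 401:
            failures[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_watched_fingerprints(events):
    """Map source IP -> advisory JA4t fingerprints seen on requests to the portal URI."""
    hits = defaultdict(set)
    for e in events:
        if e["uri"] == TARGET_URI and e["ja4t"] in WATCHED_JA4T:
            hits[e["ip"]].add(e["ja4t"])
    return dict(hits)
```

Feed real portal or reverse-proxy logs through `parse` after adapting `LINE_RE` to their actual field layout; the fingerprint match is a strong indicator on its own, while the burst detector catches sources whose fingerprints have changed.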