Dual-Mode Citrix Gateway Recon Campaign: Residential Proxies and Version Enumeration
Between January 28 and February 2, 2026, GreyNoise observed a coordinated reconnaissance effort targeting Citrix ADC and NetScaler Gateway environments, with activity peaking just before February 1. The campaign totaled 111,834 sessions and used more than 63,000 unique source IPs, with 79% of observed traffic directed at Citrix Gateway honeypots, indicating deliberate targeting rather than routine internet scanning. The operation ran in two coordinated tracks: a broad login panel discovery phase and a smaller, faster version-enumeration phase. The discovery track generated 109,942 sessions against the Citrix login path, mixing one heavy hitter from an Azure Canada address with a large volume of “one request per IP” traffic spread across many consumer ISPs worldwide. That distribution pattern indicates residential proxy rotation designed to blend into normal user traffic and weaken common controls based on geography or reputation. The second track was a short, high-intensity sprint on February 1, when 10 AWS-hosted sources sent 1,892 requests over roughly six hours to a Citrix Endpoint Analysis installer path often used to infer deployed versions. All AWS sources shared an outdated Chrome 50 browser fingerprint and consistent request characteristics, suggesting automated tooling running from cloud infrastructure built for speed and consistency. GreyNoise’s network-layer observations also showed operational separation; residential traffic appeared to originate from Windows systems routed through Linux-based proxies, while the AWS activity aligned with datacenter-grade networking, reinforcing that this was planned and resourced rather than incidental. The focus on version discovery is a practical “what’s exploitable” step and fits a pre-attack pattern, especially given the broader context of recent high-severity Citrix vulnerabilities. 
Defenders should validate whether any internet-facing Citrix Gateway exposure is truly required, restrict or require authentication for the EPA-related paths and other non-essential endpoints, reduce or eliminate version disclosure through configuration and response handling, and add monitoring for high-signal indicators, including rapid login-path probing, HEAD-heavy request patterns, blackbox-exporter user-agent hits from unknown sources, and concentrated bursts from cloud providers paired with older browser fingerprints.
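As an added illustration of the monitoring the recommendations above call for (example code written for this page, not GreyNoise's tooling), the script below aggregates web-server access logs per source IP and flags the four high-signal indicators: one-request-per-IP login-path probing, HEAD-heavy sources, blackbox-exporter user agents, and cloud-hosted sources with a Chrome 50 fingerprint hitting the EPA installer path. The login and EPA paths, the cloud prefix list and the log lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
# Assumed paths (the page names neither): the Gateway login page and the EPA installer.
LOGIN_PATH = "/vpn/index.html"
EPA_PATH = "/epa/scripts/win/nsepa_setup.exe"
# Constructed stand-in for a cloud-provider range list; use an ASN/cloud feed in practice.
CLOUD_PREFIXES = ("203.0.113.",)
# Combined log format: ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (ip, method, path, user_agent) or None for an unparseable line."""
    m = LOG_RE.match(line)
    return m.groups() if m else None

def analyze(lines, singleton_threshold=3):
    by_ip = defaultdict(lambda: {"total": 0, "head": 0, "login": 0, "epa": 0, "uas": set()})
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip, method, path, ua = ev
        s = by_ip[ip]
        s["total"] += 1
        s["head"] += method == "HEAD"
        s["login"] += path == LOGIN_PATH
        s["epa"] += path == EPA_PATH
        s["uas"].add(ua)
    findings = []
    # Many IPs each sending exactly one login-page request: the residential-proxy rotation pattern.
    singletons = sum(1 for s in by_ip.values() if s["total"] == 1 and s["login"] == 1)
    if singletons >= singleton_threshold:
        findings.append(("one-request-per-ip-login", singletons))
    for ip, s in by_ip.items():
        if s["total"] >= 5 and s["head"] / s["total"] >= 0.8:
            findings.append(("head-heavy", ip))
        if any("blackbox" in ua.lower() for ua in s["uas"]):
            findings.append(("blackbox-exporter-ua", ip))
        # Cloud-hosted source with the outdated Chrome 50 fingerprint probing the EPA installer path.
        if s["epa"] and ip.startswith(CLOUD_PREFIXES) and any("Chrome/50." in ua for ua in s["uas"]):
            findings.append(("cloud-old-chrome-epa", ip))
    return findings

def _line(ip, method, path, ua):  # builds constructed sample records, not real traffic
    return f'{ip} - - [01/Feb/2026:03:12:07 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE = [_line(f"198.51.100.{i}", "GET", LOGIN_PATH, "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0") for i in range(1, 6)]
SAMPLE += [_line("203.0.113.7", "HEAD", EPA_PATH, "Mozilla/5.0 (Windows NT 6.1) Chrome/50.0.2661.102")] * 6
SAMPLE += [_line("192.0.2.9", "GET", LOGIN_PATH, "Blackbox Exporter/0.24.0")]
```

Running `analyze(SAMPLE)` on the constructed records yields one finding per indicator; on real logs the singleton threshold and HEAD ratio should be tuned to the gateway's normal baseline.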
PhantomVAI: A Stealthy Malware Loader Built on an Old RunPE Tool
PhantomVAI is a newly reported malicious loader being used in campaigns worldwide to quietly install and run follow-on malware on victim systems. It is built on top of an older public RunPE utility, with a core component tied to “Mandark”, a tool originally shared years ago on hacker forums and later mirrored in public code repositories. The loader relies on a technique in which the malicious code runs within a legitimate Windows process, making the activity blend in with normal system behavior. This design reduces the visibility of the initial intrusion and increases the chance that the next-stage malware executes successfully. Reporting indicates that PhantomVAI is not tied to a single operator and appears across multiple campaigns, with consistent building blocks. The name reflects both its stealthy approach and a custom method in its code that triggers the injection step. Evidence suggests PhantomVAI is being offered as “loader-as-a-service”, enabling different criminal groups to pay for access and distribute their own payloads at scale. In observed campaigns, it has delivered a mix of remote access tools and info-stealers, including Remcos, AsyncRAT, XWorm, DarkCloud, SmokeLoader, and Lokibot. Initial delivery commonly relies on phishing that pushes users to run the loader, after which it downloads a payload and injects it into a trusted process to execute. To further lower suspicion, it disguises itself under credible names, including a DLL name associated with a legitimate Windows Task Scheduler project, and it has also been seen posing as AnyDesk. The code contains Portuguese-language terms and includes a virtual-machine detection feature that can stop execution in analysis environments, complicating investigation and delaying detection. 
Preventative measures include strengthening email and attachment controls, blocking or restricting unauthorized remote admin tools, enforcing application allowlisting for user-writable paths, monitoring for suspicious process injection behavior and unexpected DLL loading under trusted processes, and ensuring endpoint controls and logging are tuned to catch loaders that download payloads and rapidly spawn or hollow processes.
ShadowHS Stealthy Fileless Linux Malware for Post-Compromise Control in Enterprise Environments
Since early 2025, threat actors have increasingly relied on counterfeit software installers, and this campaign uses a fake LINE setup program to trick mostly Chinese-speaking users into running malware. Cybereason observed repeated cases in which the installer, built with an installer framework, mimics legitimate installation steps to lower suspicion while deploying ValleyRAT. Once executed, it launches multiple background processes that change system settings, run hidden code, and fetch additional components from remote servers. One early action disables key Windows security scanning across common drives, reducing the chance that the next-stage payload is detected. The malware also drops and runs supporting files from user profile folders, establishing a reliable foothold while presenting the user with an experience consistent with a normal install. The campaign infrastructure and techniques overlap with earlier LetsVPN-themed activity, including scheduled-task persistence, PowerShell-based evasion, and command-and-control routing through Hong Kong-based servers. The infection chain uses stealth techniques to operate inside trusted Windows processes, including injecting malicious code into Explorer and UserAccountBroker to blend into normal activity and maintaining a watchdog that re-launches components if they are interrupted. Analysts also observed anti-analysis controls that attempt to detect sandbox environments and halt execution to slow investigation, as well as tampering with digital certificates to make the installer appear legitimate at first glance. The fake installer claims to be signed by “Chengdu MODIFENGNIAO Network Technology Co., Ltd,” yet signature validation fails, and the same abused identity appears across other fake installers for popular tools used in Chinese markets.
The command-and-control endpoints tied to this activity align with ValleyRAT (Winos 4.0), a credential-stealing threat previously associated with the Silver Fox APT ecosystem, and the newer samples show upgrades in stealth and persistence compared to earlier public reporting. Organizations should enforce a strict “official-source only” software installation policy, block execution of installers with invalid or unverifiable signatures, and consider allowlisting signed software to prevent user-launched installers from running in the first place. Prioritize monitoring and response for red flags, including Windows Defender exclusion changes, the creation of files under %AppData%\TrustAsia, unusual parent-child process chains involving Explorer and UserAccountBroker with outbound network activity, and any binaries that present the abused publisher name with failed certificate validation.
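To show how the red flags listed above can be correlated per host (an added example, not Cybereason's detection content), the following Python walks constructed endpoint telemetry and flags Defender exclusion changes, file creation under %AppData%\TrustAsia, the Explorer to UserAccountBroker process chain when the child also makes outbound connections, and binaries presenting the abused publisher name with a failed signature check. The event schema, the Defender registry key location and the sample events are assumptions constructed for the example.

```python
import fnmatch
from collections import defaultdict

ABUSED_PUBLISHER = "Chengdu MODIFENGNIAO Network Technology Co., Ltd"
# Standard Defender exclusion key (assumed location; the report only says "exclusion changes").
DEFENDER_EXCL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
DROP_DIR_GLOB = r"C:\Users\*\AppData\Roaming\TrustAsia\*"  # %AppData%\TrustAsia, expanded

def norm(p):
    return p.lower().replace("/", "\\")

def indicators_for(events):
    """Map host -> sorted indicator names triggered by that host's telemetry."""
    hits = defaultdict(set)
    net_pids = defaultdict(set)  # host -> pids seen making outbound connections
    for ev in events:
        h, t = hits[ev["host"]], ev["type"]
        if t == "registry_set" and norm(ev["key"]).startswith(norm(DEFENDER_EXCL_KEY)):
            h.add("defender-exclusion-change")
        elif t == "file_create" and fnmatch.fnmatchcase(norm(ev["path"]), norm(DROP_DIR_GLOB)):
            h.add("trustasia-drop")
        elif t == "signature" and ev["publisher"] == ABUSED_PUBLISHER and ev["status"] != "Valid":
            h.add("abused-publisher-invalid-sig")
        elif t == "net_connect":
            net_pids[ev["host"]].add(ev["pid"])
    # Second pass: explorer.exe -> UserAccountBroker.exe chains whose child also talks outbound.
    for ev in events:
        if (ev["type"] == "process_create" and norm(ev["parent"]).endswith("\\explorer.exe")
                and norm(ev["image"]).endswith("\\useraccountbroker.exe")
                and ev["pid"] in net_pids[ev["host"]]):
            hits[ev["host"]].add("explorer-uab-network")
    return {host: sorted(s) for host, s in hits.items() if s}

SAMPLE_EVENTS = [  # constructed telemetry for illustration, not data from the report
    {"host": "ws1", "type": "signature", "image": r"C:\Users\bob\Downloads\LINE_Setup.exe",
     "publisher": ABUSED_PUBLISHER, "status": "Invalid"},
    {"host": "ws1", "type": "registry_set", "key": DEFENDER_EXCL_KEY, "value_name": "C:\\"},
    {"host": "ws1", "type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\TrustAsia\svc.dll"},
    {"host": "ws1", "type": "process_create", "pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\UserAccountBroker.exe"},
    {"host": "ws1", "type": "net_connect", "pid": 4120, "dst": "192.0.2.50:443"},
    {"host": "ws2", "type": "process_create", "pid": 900, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\UserAccountBroker.exe"},  # no outbound traffic: stays quiet
    {"host": "ws2", "type": "signature", "image": r"C:\Users\ann\Downloads\tool.exe",
     "publisher": "Example Corp", "status": "Valid"},
]
```

A host with several of these indicators together, as ws1 above, is the pattern worth an immediate response; a lone Explorer to UserAccountBroker spawn without network activity is normal Windows behaviour and is deliberately not flagged.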