**Attackers Launch Dual Campaign on GlobalProtect Portals and SonicWall APIs**

A sophisticated hacking campaign has been uncovered, targeting GlobalProtect logins and scanning SonicWall APIs since December 2, 2025. The attackers have employed a dual-pronged approach, using over 7,000 IP addresses tied to German hosting provider 3xK GmbH to carry out the attacks.

**The Attackers' Playbook**

According to a report published by threat intelligence firm GreyNoise, the campaign began on December 2 with login attempts and scanning of SonicWall SonicOS API endpoints. The activity was concentrated and targeted two Palo Alto profiles in GreyNoise's Global Observation Grid (GOG). **"On 2 December 2025, GreyNoise observed a concentrated spike of 7,000+ IPs attempting to log into Palo Alto Networks GlobalProtect portals. All activity originated from infrastructure operated by 3xK GmbH and targeted two Palo Alto profiles in GreyNoise’s Global Observation Grid (GOG)."**

GlobalProtect is Palo Alto Networks' VPN and secure remote-access solution, providing users with a protected connection to their organization's network. The attackers' goal appears to be to gain unauthorized access to sensitive information.

**The Connection Between Attacks**

GreyNoise researchers discovered that the campaign targeted two Palo Alto profiles. Notably, the December traffic reused three client fingerprints previously seen in a late-September to mid-October wave. This earlier surge came from four typically non-malicious ASNs (NForce Entertainment, Data Campus, Flyservers, and Internet Solutions & Innovations) which generated over 9 million legitimate HTTP sessions, mostly hitting GlobalProtect portals and authentication endpoints.

The reappearance of identical fingerprints on new infrastructure signals consistent tooling across seemingly separate events. GreyNoise saw a major spike in scans against SonicWall SonicOS APIs on December 3, showing the same three client fingerprints tied to the December 2 GlobalProtect login surge and the September-October brute-force wave. Despite shifting infrastructure and different targets, the identical fingerprints point to the same underlying tooling.

**The Rhythm of Attacks**

Telemetry shows a clear rhythm: intense login and brute-force activity from clean ASNs between late September and mid-October, a slowdown through late November, then the same client resurfacing on 3xK's infrastructure on 2 December to probe Palo Alto portals, followed the next day by SonicWall API scans. This consistent pattern suggests that the attackers are using identical tooling across different campaigns.

**Protecting Against Future Attacks**

GreyNoise Block users can automatically block all associated IPs through provided templates for Palo Alto and SonicWall activity, with enterprise customers able to apply more granular blocklists based on ASNs, JA4, and geography. "Fingerprint-level telemetry exposes cross-infrastructure relationships that defenders might otherwise miss."
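As an added example (not code from GreyNoise or the original article), the following sketch shows the defender-side correlation described above: it groups login and scan events by client fingerprint and flags any fingerprint that resurfaces on a different ASN after a quiet period, which is the cross-infrastructure pattern the report relies on. All IP addresses, ASN labels and fingerprint strings are constructed placeholders, not observed indicators.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry: (timestamp, source IP, ASN label, client fingerprint, target).
# Every value here is a placeholder; none is a real indicator from the campaign.
SAMPLE_EVENTS = [
    ("2025-09-29T10:00:00", "198.51.100.10", "ASN-A", "fp-alpha", "globalprotect-login"),
    ("2025-10-01T11:30:00", "198.51.100.11", "ASN-B", "fp-beta",  "globalprotect-login"),
    ("2025-10-12T09:15:00", "198.51.100.12", "ASN-C", "fp-gamma", "globalprotect-login"),
    ("2025-11-20T08:00:00", "203.0.113.5",   "ASN-D", "fp-delta", "globalprotect-login"),
    ("2025-12-02T14:05:00", "192.0.2.20",    "ASN-E", "fp-alpha", "globalprotect-login"),
    ("2025-12-02T14:06:00", "192.0.2.21",    "ASN-E", "fp-beta",  "globalprotect-login"),
    ("2025-12-03T03:40:00", "192.0.2.22",    "ASN-E", "fp-gamma", "sonicos-api-scan"),
    ("2025-12-03T03:41:00", "192.0.2.23",    "ASN-E", "fp-alpha", "sonicos-api-scan"),
]


def correlate_fingerprints(events, min_gap_days=30):
    """Group events by client fingerprint and report fingerprints that reappear
    on a different ASN after a pause of at least min_gap_days.

    Returns {fingerprint: {"asns", "targets", "first", "last", "gap_days"}} for
    every fingerprint whose sightings span more than one ASN and the gap threshold.
    """
    by_fp = defaultdict(list)
    for ts, ip, asn, fp, target in events:
        by_fp[fp].append((datetime.fromisoformat(ts), ip, asn, target))

    findings = {}
    for fp, rows in by_fp.items():
        rows.sort()  # chronological order, so consecutive pairs give the pauses
        asns = sorted({r[2] for r in rows})
        if len(asns) < 2:
            continue  # seen from one ASN only: no cross-infrastructure reuse
        # Longest pause between consecutive sightings of this fingerprint.
        longest_gap = max((b[0] - a[0]).days for a, b in zip(rows, rows[1:]))
        if longest_gap < min_gap_days:
            continue
        findings[fp] = {
            "asns": asns,
            "targets": sorted({r[3] for r in rows}),
            "first": rows[0][0].date().isoformat(),
            "last": rows[-1][0].date().isoformat(),
            "gap_days": longest_gap,
        }
    return findings


if __name__ == "__main__":
    for fp, info in correlate_fingerprints(SAMPLE_EVENTS).items():
        print(fp, info)
```

Fingerprints that only ever appear from a single ASN, or that never go quiet, are left out so the report lists only the "same client, new infrastructure" cases.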

**Staying Ahead of the Threat**

As the threat landscape continues to evolve, it's essential for organizations to stay informed about emerging threats and take proactive measures to protect themselves.

**Technical Details**

* Date: December 2, 2025
* Target: GlobalProtect logins and SonicWall APIs
* IPs: Over 7,000 IP addresses tied to German hosting provider 3xK GmbH
* Tooling: Consistent fingerprints across seemingly separate events
* Infrastructure: Shifting infrastructure and different targets

By understanding the tactics, techniques, and procedures (TTPs) employed by these attackers, organizations can better prepare themselves for future threats and stay one step ahead of the adversary.