
The targeted portals were geographically distributed, primarily in the United States, Pakistan, and Mexico, with the traffic almost exclusively originating from IP space linked to a single German hosting provider, 3xk GmbH. The login attempts followed a highly uniform pattern, reusing common usernames and passwords and even adopting a browser-like Firefox user agent string.
This is a telltale sign of scripted credential probes rather than opportunistic scanning, the researchers noted.
“This consistency of the user agent, request structure, and timing suggests scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals, rather than interactive access attempts or vulnerability exploitation,” they said.
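The uniformity the researchers describe can be turned into a detection heuristic. The following is an added example, not code from the researchers or the vendor: it flags source networks whose failed logins share one user agent, cycle through several usernames, and arrive at near-constant intervals. The event tuple layout, the /24 grouping (a stand-in for a real hosting-provider or ASN lookup), the thresholds, and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed failed-login events: (time, source IP, username, user agent).
# IPs are RFC 5737 documentation addresses; nothing here is real campaign data.
FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0"
CH = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
SAMPLE = [
    ("2025-01-01T10:00:00", "198.51.100.10", "admin", FF),
    ("2025-01-01T10:00:05", "198.51.100.11", "test", FF),
    ("2025-01-01T10:00:10", "198.51.100.10", "user", FF),
    ("2025-01-01T10:00:15", "198.51.100.12", "vpn", FF),
    ("2025-01-01T10:00:20", "198.51.100.11", "guest", FF),
    ("2025-01-01T10:00:25", "198.51.100.10", "administrator", FF),
    ("2025-01-01T09:00:00", "203.0.113.7", "jsmith", CH),   # a user mistyping
    ("2025-01-01T09:00:40", "203.0.113.7", "jsmith", CH),
    ("2025-01-01T09:03:10", "203.0.113.7", "jsmith", CH),
    ("2025-01-01T09:03:25", "203.0.113.7", "jsmith", CH),
    ("2025-01-01T09:10:00", "203.0.113.7", "jsmith", CH),
]

def find_scripted_sources(events, min_attempts=5, max_cv=0.2):
    """Return {network: stats} for sources matching the scripted-probe pattern."""
    groups = defaultdict(list)
    for ts, ip, user, ua in events:
        net = ip_network(f"{ip}/24", strict=False)  # assumption: /24 approximates one provider
        groups[net].append((datetime.fromisoformat(ts), user, ua))
    flagged = {}
    for net, rows in groups.items():
        if len(rows) < min_attempts:
            continue
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        # Coefficient of variation of inter-arrival times: near 0 means machine-paced.
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        agents = {ua for _, _, ua in rows}
        users = {user for _, user, _ in rows}
        if len(agents) == 1 and len(users) > 1 and cv <= max_cv:
            flagged[str(net)] = {"attempts": len(rows), "usernames": len(users),
                                 "gap_cv": round(cv, 2)}
    return flagged

if __name__ == "__main__":
    print(find_scripted_sources(SAMPLE))
```

A single user agent alone is weak evidence, since one real user also has one; the combination with username spread and regular timing is what separates the two sample sources.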
