A recent series of authentication attacks against Palo Alto Networks GlobalProtect portals and SonicWall SonicOS API endpoints appears to stem from a single threat actor reusing the same tooling across multiple hosting providers.
The finding comes from new telemetry published by threat-intelligence firm GreyNoise last week, which observed the latest activity on Dec. 2–3, 2025.
GreyNoise analysts reported more than 7,000 IP addresses attempting to log into GlobalProtect portals on Dec. 2. All activity originated from infrastructure operated by Germany-based 3xK GmbH.
While the surge was short-lived, it mirrored a larger wave of login and brute-force attempts seen between late September and mid-October. That earlier campaign generated more than 9 million non-spoofable HTTP sessions from “clean” autonomous systems (ASNs) not typically associated with malicious behavior.
Identical Fingerprints Across Changing Infrastructure
The key link between these events is a set of three identical client fingerprints. According to GreyNoise, these fingerprints appeared first in the September–October activity, then resurfaced in the Dec. 2 GlobalProtect spike (this time from different infrastructure) and again on Dec. 3 during scanning against SonicWall SonicOS API endpoints.
For context, fingerprinting refers to identifying unique characteristics of a client device or toolset, often revealing shared code or automation frameworks despite changes in hosting providers or IP addresses.
The campaign exhibits a clear cadence: high-volume login attempts in late September through mid-October, reduced traffic over late November, a GlobalProtect-focused resurgence on Dec. 2, and SonicWall-focused scanning the following day.

While the targeted technologies differ, the fingerprints suggest a common operator refining reconnaissance and credential-testing workflows.
GreyNoise recommended defenders monitor authentication surfaces for unusual velocity, track recurring fingerprints to identify cross-infrastructure activity, and favor dynamic, context-aware blocking over static reputation lists.
Additional technical details, including JA4T fingerprints, will be included in the firm’s upcoming At The Edge intelligence brief.
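The monitoring GreyNoise recommends above, sketched as an added example (not GreyNoise's tooling and not code from the article): it groups login attempts by client fingerprint and flags a fingerprint that both exceeds a velocity threshold and recurs across different networks. The event layout, thresholds, fingerprint strings, ASNs and IP addresses are constructed placeholders.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, ASN, client fingerprint, login surface).
# Fingerprints, ASNs (private-use range) and IPs (documentation ranges) are placeholders.
def _burst(start, count, step_s, ip_prefix, asn, fp, surface):
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(),
             f"{ip_prefix}.{i % 250 + 1}", asn, fp, surface) for i in range(count)]

SAMPLE_EVENTS = (
    _burst("2025-12-02T10:00:00", 40, 1, "192.0.2", "AS64512", "fp-placeholder-1", "vpn-portal")
    + _burst("2025-12-03T09:00:00", 30, 2, "198.51.100", "AS64513", "fp-placeholder-1", "fw-api")
    + _burst("2025-12-02T08:00:00", 5, 600, "203.0.113", "AS64514", "fp-placeholder-2", "vpn-portal")
)

def recurring_fingerprints(events, window=timedelta(seconds=60), min_rate=20, min_asns=2):
    """Return {fingerprint: summary} for fingerprints that reach `min_rate` attempts
    inside any sliding `window` AND were seen from at least `min_asns` networks."""
    by_fp = defaultdict(list)
    for ts, ip, asn, fp, surface in events:
        by_fp[fp].append((datetime.fromisoformat(ts), ip, asn, surface))

    flagged = {}
    for fp, rows in by_fp.items():
        rows.sort(key=lambda r: r[0])
        recent, peak = deque(), 0
        for ts, *_ in rows:
            recent.append(ts)
            # Drop attempts that fell out of the sliding window.
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        asns = {r[2] for r in rows}
        # Keying on the fingerprint, not the IP, survives a change of hosting provider.
        if peak >= min_rate and len(asns) >= min_asns:
            flagged[fp] = {
                "peak_per_window": peak,
                "asns": sorted(asns),
                "surfaces": sorted({r[3] for r in rows}),
                "distinct_ips": len({r[1] for r in rows}),
            }
    return flagged

if __name__ == "__main__":
    for fp, info in recurring_fingerprints(SAMPLE_EVENTS).items():
        print(fp, info)
```

In the sample, no single source IP repeats within a burst, so a per-IP rate limit or reputation list would not trigger, while the fingerprint view ties both days and both login surfaces together.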