Dual-Mode Citrix Gateway Reconnaissance: When Residential Proxies Meet Version Hunting

### Executive summary A coordinated reconnaissance campaign (111,834 sessions from 63,000+ source IPs) targeted Citrix ADC/Netscaler gateways between 2026-01-28 and 2026-02-02 to discover login panels and enumerate versions (notably accessing /epa/scripts/win/nsepa_setup.exe). The activity used residential proxy rotation and an AWS-hosted version disclosure sprint, showing operational sophistication and strong indicators of pre-attack infrastructure mapping.