Table of Contents
Fetching ...

A Longitudinal Measurement Study of Log4Shell Exploitation from an Active Network Telescope

Aakash Singh, Kuldeep Singh Yadav, V. Anil Kumar, Samiran Ghosh, Pranita Baro, Basavala Bhanu Prasanth

TL;DR

The paper analyzes Log4Shell exploitation from December 2021 to October 2025 using a regional network telescope in India, revealing long-term persistence and evolving attacker behavior beyond the initial outbreak. It introduces a multi-stage decoding and detection pipeline to reconstruct TCP streams, identify Log4Shell payloads, and map attack origins to callback infrastructure across years. Key findings include sustained activity with infrastructure consolidation, rising payload obfuscation, and shifts in destination ports and protocols, along with region-specific patterns differing from prior European/NA studies. The work demonstrates the value of long-term, geographically diverse measurement for understanding vulnerability lifecycles and guiding defense, especially for high-impact flaws like Log4Shell.

Abstract

The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.

A Longitudinal Measurement Study of Log4Shell Exploitation from an Active Network Telescope

TL;DR

The paper analyzes Log4Shell exploitation from December 2021 to October 2025 using a regional network telescope in India, revealing long-term persistence and evolving attacker behavior beyond the initial outbreak. It introduces a multi-stage decoding and detection pipeline to reconstruct TCP streams, identify Log4Shell payloads, and map attack origins to callback infrastructure across years. Key findings include sustained activity with infrastructure consolidation, rising payload obfuscation, and shifts in destination ports and protocols, along with region-specific patterns differing from prior European/NA studies. The work demonstrates the value of long-term, geographically diverse measurement for understanding vulnerability lifecycles and guiding defense, especially for high-impact flaws like Log4Shell.

Abstract

The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.
Paper Structure (24 sections, 1 equation, 14 figures, 1 table)

This paper contains 24 sections, 1 equation, 14 figures, 1 table.

Figures (14)

  • Figure 1: Extended timeline of Log4j vulnerability, its exploitation and countermeasures.
  • Figure 2: Scanner countries share
  • Figure 3: Source IPs sending traffic to destination IPs
  • Figure 4: Server hosting countries share
  • Figure 5: Hosting server usage of scanner countries
  • ...and 9 more figures