A Longitudinal Measurement Study of Log4Shell Exploitation from an Active Network Telescope
Aakash Singh, Kuldeep Singh Yadav, V. Anil Kumar, Samiran Ghosh, Pranita Baro, Basavala Bhanu Prasanth
TL;DR
The paper analyzes Log4Shell exploitation from December 2021 to October 2025 using a regional network telescope in India, revealing long-term persistence and evolving attacker behavior beyond the initial outbreak. It introduces a multi-stage decoding and detection pipeline to reconstruct TCP streams, identify Log4Shell payloads, and map attack origins to callback infrastructure across years. Key findings include sustained activity with infrastructure consolidation, rising payload obfuscation, and shifts in destination ports and protocols, along with region-specific patterns differing from prior European/NA studies. The work demonstrates the value of long-term, geographically diverse measurement for understanding vulnerability lifecycles and guiding defense, especially for high-impact flaws like Log4Shell.
Abstract
The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.
