{
	"id": "134e4b37-17f2-4fbf-a021-22ebc674731b",
	"created_at": "2026-04-06T00:07:52.671882Z",
	"updated_at": "2026-04-10T03:20:16.317274Z",
	"deleted_at": null,
	"sha1_hash": "0c47ea7dfbd72e2b83428bf5319884fffd73a0fd",
	"title": "Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 815610,
	"plain_text": "Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 19:33:16 UTC\r\nOn December 9th, 2021, reports surfaced about a new zero-day vulnerability, termed Log4j (Log4Shell), impacting Minecraft servers. Millions of devices were instantly at risk of attack, and Log4j ranked among the worst vulnerabilities yet seen. Fear of the Log4j security flaw has returned once again as threat actors have started to exploit vulnerable VMWare Horizon servers.\r\nLog4j is a logging framework for Java applications and has been an integral part of many programs since the mid-1990s. Cloud storage companies like Google, Amazon, and Microsoft, which are the digital hotline for millions of other applications, have been hit hard. The same goes for other IT giants like IBM, Oracle, and Salesforce, as well as thousands of Internet-connected devices like televisions and security cameras.\r\nTrouble on the VMWare Horizon\r\nDecember 2021 was challenging for many vendors rushing to patch Log4j vulnerabilities, and it wasn’t clear whether this patching cycle had an end. More recently, attackers have been scanning the web for easily accessible Java services, and attacks by known and unknown threat actors against popular distributed applications vulnerable to Log4j escalated, including several targeting VMware Horizon servers.\r\nVMware Horizon server versions 7.x and 8.x are susceptible to two of the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046). United Kingdom National Health Service digital experts stated that an attack group has been exploiting these flaws to install webshells on compromised servers. This allows them to create advanced persistent threats (APTs) that move laterally to spread infections. Using webshells has become a popular tactic employed by threat actors, as it’s an easy way to land APTs on internet servers containing sensitive data. Attackers leverage small, relatively simple files that often don’t trigger alerts with traditional next-generation antivirus (NGAV), endpoint protection platforms (EPP), or endpoint detection and response (EDR). If an attacker can bypass these defenses and gain access to a server, they can use remote access to execute further commands. The Log4j saga has opened the door to these attackers, who have installed webshells after exploiting flaws in the logging service.\r\nPerpetrators have exploited the Apache Tomcat service running on vulnerable VMware Horizon servers by using specific PowerShell commands spawned from the Tomcat service. Attackers then restart the VMBLastSG service to initiate a listener that communicates with the command-and-control server. The listener runs commands from the server that contain a specific hardcoded key. This process is then used to establish persistent communications with a command-and-control server that executes ransomware or other malicious activities. Various lone actors, APT groups, and cybercrime organizations have exploited the Log4j flaws, which have led to ransomware attacks.\r\nhttps://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk\r\nPage 1 of 5\n\nMorphisec Labs identified the active VMWare Horizon Tomcat service exploitation through the Log4j vulnerability that started on January 3, 2022. Similar to other vendors, we released an update for known indicators of compromise (IOCs) as we identified these within customer environments.\r\nFollowing an exploitation of the Tomcat service (ws_TomcatService.exe), attackers executed the powershell.exe process, and in some cases, as reported by Microsoft, attackers deployed Cobalt Strike backdoors following an exploitation of a DLL side-loading vulnerability in the McAfee application mfeann.exe.\r\nOrganizations downloaded the McAfee application into different persistent folders, such as the Userspublic, programdata, and windowshelp directories on the virtualization servers (persistent across profiles), together with the Cobalt Strike loader (LockDown.dll), which was downloaded into the same folder and loaded by the McAfee process as it was executed.\r\nIn some instances, Morphisec observed that the same attackers tried to drop these files directly into the VMware folder.\r\nOther attackers, as reported by Rapid7, have downloaded Cobalt Strike directly into the PowerShell process, which was identified and prevented by Morphisec’s patented Automated Moving Target Defense (AMTD) technology.\r\nIndicators of Compromise (IOCs)\r\nIPs\r\nLockDown.dll\r\nmfeann.exe\r\n(McAfee)\r\nWe Are Here to Help\r\nThese new vulnerabilities are bad news, but the good news for Morphisec customers is that our AMTD technology prevents the execution of these backdoor attacks. Leading analysts, such as Gartner, are calling AMTD “the future of cyber” as it can uniquely detect and stop these types of zero-day attacks that often bypass NGAV, EDR, and other defenses. Schedule a demo today to see why Gartner is championing AMTD.\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and in leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk"
	],
	"report_names": [
		"log4j-exploit-hits-again-vulnerable-vmware-horizon-servers-at-risk"
	],
	"threat_actors": [],
	"ts_created_at": 1775434072,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c47ea7dfbd72e2b83428bf5319884fffd73a0fd.pdf",
		"text": "https://archive.orkl.eu/0c47ea7dfbd72e2b83428bf5319884fffd73a0fd.txt",
		"img": "https://archive.orkl.eu/0c47ea7dfbd72e2b83428bf5319884fffd73a0fd.jpg"
	}
}