A Longitudinal Measurement Study of Log4Shell Exploitation from a Reactive Network Telescope
Aakash Singh, Kuldeep Singh Yadav, V. Anil Kumar, Samiran Ghosh, Pranita Baro, Basavala Bhanu Prasanth

TL;DR
This longitudinal study analyzes Log4Shell exploitation over nearly four years from a network telescope in India, revealing persistent activity, infrastructure reuse, payload obfuscation, and regional differences in exploitation behavior.
Contribution
It provides the first long-term, geographically diverse measurement of Log4Shell exploitation, highlighting sustained activity and evolving attack patterns beyond initial disclosure.
Findings
Log4Shell exploitation persists for years after disclosure.
Exploitation activity concentrates around fewer infrastructures over time.
Payload obfuscation and protocol shifts increase during the study period.
Abstract
The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by a reactive network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination…
Taxonomy
Topics: Software System Performance and Reliability · Software-Defined Networks and 5G · Information and Cyber Security
