
arxiv: 2601.04281 · v2 · pith:6MXICQKNnew · submitted 2026-01-07 · 💻 cs.CR

A Longitudinal Measurement Study of Log4Shell Exploitation from a Reactive Network Telescope

Pith reviewed 2026-05-21 16:03 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Log4Shell, network telescope, longitudinal measurement, vulnerability exploitation, scanning activity, payload obfuscation, cybersecurity measurement

The pith

Log4Shell exploitation persists for years after disclosure with activity concentrating on fewer recurring infrastructures and more obfuscated payloads.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tracks Log4Shell-related scanning and exploitation traffic from December 2021 through October 2025 using a reactive network telescope located in India. It establishes that exploitation does not fade quickly but instead continues for several years, with scanning gradually narrowing to a smaller group of repeated scanner and callback sources while payloads grow more obfuscated and protocol or port choices shift. The work also compares these patterns against earlier shorter-term studies from Europe and the United States to separate shared temporal trends from vantage-point differences. A sympathetic reader would care because the findings indicate that critical vulnerabilities maintain long lifecycles and that single-region or short-duration measurements can miss important sustained behaviors.

Core claim

Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. Comparative analysis validates both correlated temporal trends and systematic differences attributable to vantage point placement and coverage.

What carries the argument

Longitudinal traffic capture by a reactive network telescope in India that records Log4Shell-related packets from December 2021 to October 2025.

If this is right

  • Exploitation activity remains detectable and meaningful well after the initial disclosure wave.
  • Attacker infrastructure reuse increases over time as scanning concentrates on fewer sources.
  • Payload construction evolves toward greater obfuscation as the vulnerability ages.
  • Protocol and port preferences for exploitation attempts change across the multi-year period.
  • Long-term observation from multiple geographic vantage points is required to map the full lifecycle of a major vulnerability.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Similar long-term concentration and obfuscation patterns may appear in studies of other remote-code-execution vulnerabilities if observed from diverse global telescopes.
  • Regional targeting differences could be isolated by comparing Indian, European, and North American telescope data on the same vulnerability.
  • Increased obfuscation over years suggests attackers are responding to improved detection signatures and may continue to adapt in future incidents.

Load-bearing premise

The telescope in India records a representative sample of global Log4Shell traffic so that observed changes over time and differences from prior studies mainly reflect real exploitation evolution rather than local filtering or coverage gaps.

What would settle it

Finding that Log4Shell activity drops to near zero after 2023 or shows no concentration and no increase in obfuscation when measured from several additional independent network telescopes would falsify the persistence and evolution claims.

Figures

Figures reproduced from arXiv: 2601.04281 by Aakash Singh, Basavala Bhanu Prasanth, Kuldeep Singh Yadav, Pranita Baro, Samiran Ghosh, V. Anil Kumar.

Figure 2. Scanner countries share. From 2023 onward, scanning activity originating from Europe became increasingly prominent. The pronounced contribution from Poland in 2023 can be attributed to three source IP addresses operating within a single Autonomous System Number (ASN). In contrast, the elevated volumes observed for Bulgaria in 2024 and Germany in 2025 each originated from a single IP address, again associate…
Figure 3. Source IPs sending traffic to destination IPs.
Figure 5. Hosting server usage of scanner countries.
Figure 6. Unique cumulative server IPs and ASNs.
Figure 7. Traffic received at destination ports. Subsequently, we examined the top 10 TCP destination ports on which traffic is received to understand how scanning behavior manifests at the service level. As seen in
Figure 9. Distribution of scanner reuse by host lifetime.
Figure 11. Time series plot of monthly Log4j attack count.
Figure 12. Monthly distribution of counts for the years.
Figure 13. Average growth slope Av(Y) fitting: red dots represent the yearly observed values of Av(Y), blue curve shows the fitted logistic function, and the blue shaded region indicates the 95% confidence interval (CI). for basic inference of this average growth slope (see
Figure 14. Log4j Payload Distribution based on Severity.

Original abstract

The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by a reactive network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents a longitudinal measurement study of Log4Shell exploitation traffic observed by a reactive network telescope in India from December 2021 to October 2025. It claims that exploitation persists for several years, with activity concentrating around a smaller set of recurring scanner and callback infrastructures, an increase in payload obfuscation, and shifts in protocol and port usage. A comparative analysis with prior studies from Europe and the US validates correlated temporal trends and attributes systematic differences to the vantage point's placement and coverage.

Significance. If the observational findings hold, this work provides valuable long-term and geographically diverse insights into the evolution of exploitation behaviors following a major vulnerability disclosure. It underscores the importance of sustained measurement efforts beyond the initial outbreak phase and highlights ongoing risks associated with Log4Shell, contributing to the broader understanding of software vulnerability lifecycles in network security research.

major comments (2)
  1. [§3 and §4.2] The description of traffic classification rules, signature matching for obfuscated JNDI payloads, false-positive handling, and stability of the detection pipeline over 2021–2025 is insufficient (see §3 Methodology and §4.2 Payload Analysis). This directly affects the load-bearing claim of an 'increase in payload obfuscation' and protocol/port shifts, as unmeasured changes in filtering could produce artifacts rather than behavioral evolution.
  2. [§4 and §5] The single Indian reactive telescope vantage point, combined with absence of reported data volumes, statistical tests, or confidence intervals for trends (see §4 Results and §5 Comparative Analysis), makes it difficult to attribute differences from prior EU/US studies solely to geography rather than methodological variations in reactivity or classification.
minor comments (2)
  1. [§4.1] Clarify the exact criteria used to identify 'recurring scanner and callback infrastructures' and how infrastructure reuse was quantified over time.
  2. [Abstract] The abstract could include at least one key quantitative metric (e.g., total unique sources or traffic volume) to ground the qualitative claims.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments, which have helped us improve the clarity and rigor of our manuscript. Below, we provide point-by-point responses to the major comments and indicate the revisions made.

Point-by-point responses
  1. Referee: [§3 and §4.2] The description of traffic classification rules, signature matching for obfuscated JNDI payloads, false-positive handling, and stability of the detection pipeline over 2021–2025 is insufficient (see §3 Methodology and §4.2 Payload Analysis). This directly affects the load-bearing claim of an 'increase in payload obfuscation' and protocol/port shifts, as unmeasured changes in filtering could produce artifacts rather than behavioral evolution.

    Authors: We agree that the original description of the traffic classification and detection pipeline was insufficiently detailed. In the revised version, we have substantially expanded §3 (Methodology) to provide explicit rules for traffic classification, including the signature matching techniques used for identifying obfuscated JNDI payloads, strategies for handling false positives (e.g., multi-stage verification and manual validation samples), and an analysis of the pipeline's stability across the multi-year period. These additions demonstrate that the observed trends in payload obfuscation and protocol/port usage are not artifacts of changing filters but reflect genuine evolution in exploitation behavior. revision: yes

  2. Referee: [§4 and §5] The single Indian reactive telescope vantage point, combined with absence of reported data volumes, statistical tests, or confidence intervals for trends (see §4 Results and §5 Comparative Analysis), makes it difficult to attribute differences from prior EU/US studies solely to geography rather than methodological variations in reactivity or classification.

    Authors: We acknowledge the challenges posed by relying on a single vantage point and the need for greater transparency in data reporting. In the revised manuscript, we have added detailed data volumes in §4, including total observed packets, unique source IPs, and daily averages over the study period. For trends, we have incorporated basic statistical summaries and confidence intervals where trends are quantified. However, we maintain that systematic differences can be attributed in part to vantage point characteristics, as supported by the correlated temporal trends with prior studies; we have expanded §5 to more explicitly discuss potential methodological variations and the limitations of cross-study comparisons, while emphasizing the value of geographic diversity. revision: partial

Circularity Check

0 steps flagged

No circularity: direct observational measurement study with no derivations or fitted predictions

full rationale

This is a longitudinal observational study of network traffic captured by a reactive telescope. The central claims rest on empirical collection and classification of Log4Shell-related packets from December 2021 to October 2025, including counts of scanners, callback infrastructures, payload features, and protocol/port distributions. No equations, parameter fitting, predictive models, or derivation chains appear in the described analysis. Comparisons to prior European/U.S. studies are presented as external benchmarks rather than self-referential inputs. The methodology (signature matching, payload parsing) is standard for measurement papers and does not reduce any result to its own inputs by construction. Self-citations, if present, are not load-bearing for any claimed derivation.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The paper is an empirical network measurement study whose claims rest on assumptions about traffic attribution and vantage-point representativeness rather than new mathematical axioms or invented entities.

axioms (1)
  • domain assumption Network traffic observed by the reactive telescope can be reliably classified as Log4Shell exploitation based on payload and behavioral signatures.
    The study attributes observed scanning and callback activity to Log4Shell without detailing exact detection heuristics in the abstract.


Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.

  • IndisputableMonolith/Foundation/RealityFromDistinction.lean · reality_from_one_distinction · relation: unclear (Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim)

    Paper passage matched to the cited Recognition theorem: "Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage."


Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Human-Certified Module Repositories for the AI Age

    cs.ET 2026-03 unverdicted novelty 4.0

    Human-Certified Module Repositories (HCMRs) are proposed as a new architectural model blending human oversight with automated analysis to certify reusable software modules for safe assembly by humans and AI agents.
