“Log4Shell” Java Flaw Being Used To Deliver Malware & Crypto-Miners

Last Friday a super critical Java flaw called “Log4Shell” came to light and sent sysadmins scrambling to patch all the things. Websites around the world have gone down to patch this flaw for example. And now we know why. According to Bleeping Computer, threat actors have been using the vulnerability to deliver crypto-miners, botnet, and penetration tools that could be used to deploy ransomware on affected systems:

As soon as the vulnerability was released, we saw threat actors exploiting the Log4Shell vulnerability to execute shell scripts that download and install various cryptominers, as shown below.

The threat actors behind the Kinsing backdoor and cryptomining botnet are heavily abusing the Log4j vulnerability with Base64 encoded payloads that have the vulnerable server download and execute shell scripts.


Netlab 360 reports that the threat actors exploit the vulnerability to install the Mirai and Muhstik malware on vulnerable devices.

These malware families recruit IoT devices and servers into their botnets and use them to deploy cryptominers and perform large-scale DDoS attacks.


The Microsoft Threat Intelligence Center reported that the Log4j vulnerabilities are also being exploited to drop Cobalt Strike beacons.

Cobalt Strike is a legitimate penetration testing toolkit where red teamers deploy agents, or beacons, on “compromised” devices to perform remote network surveillance or execute further commands.

However, threat actors commonly use cracked versions of Cobalt Strike as part of network breaches and during ransomware attacks. 

And finally:

In addition to using the Log4Shell exploits to install malware, threat actors and security researchers are using the exploit to scan for vulnerable servers and exfiltrate information from them.

So if you haven’t patched your infrastructure, you should get to it as it clearly is being exploited.

2 Responses to ““Log4Shell” Java Flaw Being Used To Deliver Malware & Crypto-Miners”

  1. […] the planet scrambling to patch all the things last week before they were exploited by bad actors. Which is something that didn’t take long to happen. It’s now become a free for all as bad actors are really going to town in terms of exploiting […]

  2. […] year, I wrote about Log4Shell being actively exploited by threat actors to deliver malware and crypto miners. And […]

Leave a Reply

%d bloggers like this: