Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell exploit targeting CVE-2021-44228 in Log4j. (Blog | Twitter | LinkedIn)

Analyst Comments:

  • 2021-12-13
    • IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE; we strongly recommend NOT adding them to a blocklist
    • These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
    • Curated Intel members at various organisations recommend FOCUSING ON POST-EXPLOITATION ACTIVITY by threats leveraging Log4Shell (e.g. threat actors, botnets)
    • IOCs include JNDI requests (LDAP, but also DNS and RMI), cryptominers, DDoS bots, as well as Meterpreter or Cobalt Strike
    • Critical IOCs to monitor also include attacks using DNS-based exfiltration of environment variables (e.g. keys or tokens); a Curated Intel member shared an example
  • 2021-12-14
  • 2021-12-15
  • 2021-12-16
  • 2021-12-17
  • 2021-12-20
    • ETAC has added MITRE ATT&CK TTPs of Threat Actors leveraging Log4Shell
    • Curated Intel members parsed ALIENVAULT OTX MENTIONS to be MISP COMPATIBLE with the help of the KPMG-Egyde CTI Team
  • 2021-12-21
  • 2021-12-22
    • Curated Intel members added very basic FALSE-POSITIVE FILTERING for threat hunting feed outputs, using selected MISP warning lists, primarily to remove false positives of large DNS resolvers (among others)
  • 2021-12-29
    • Added Securonix Autonomous Threat Sweep vetted IoCs and TTPs
  • 2022-01-10
    • Updated MSTIC (4) report now tracks a China-based double-extortion ransomware operator, DEV-0401, who deployed NightSky ransomware via VMware Horizon initial access
  • 2022-01-11
    • SentinelOne shared their analysis of cybercrime actors leveraging Log4j one month since disclosure, with new info on the Emotet botnet using Log4j for payload hosting
  • 2022-03-03
    • Threat hunting feeds updated by KPMG-Egyde CTI
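As an added illustration of the false-positive filtering noted on 2021-12-22 and the watchlist-not-blocklist guidance above (example code, not part of the Curated Intel repository): it suppresses feed entries that match a MISP-style warning list and keeps the rest as watchlist candidates. The warning lists, their entries and the feed rows are constructed placeholders, not values from any real MISP list or feed.

```python
import ipaddress

# Constructed warning lists in the shape MISP warninglists use
# (name / type / list). The resolver ranges and hostnames are
# illustrative placeholders, not copied from a real MISP list.
WARNINGLISTS = [
    {"name": "public DNS resolvers (constructed)", "type": "cidr",
     "list": ["8.8.8.0/24", "1.1.1.1/32"]},
    {"name": "resolver hostnames (constructed)", "type": "hostname",
     "list": ["dns.google", "one.one.one.one"]},
]

# Constructed feed rows: each carries the low/medium confidence the
# analyst comments assign to Log4Shell scanner-derived indicators.
FEED = [
    {"indicator": "8.8.8.8", "type": "ip", "confidence": "low"},
    {"indicator": "203.0.113.7", "type": "ip", "confidence": "medium"},
    {"indicator": "dns.google", "type": "domain", "confidence": "low"},
    {"indicator": "example-c2.invalid", "type": "domain", "confidence": "medium"},
]


def _matches(entry, warninglist):
    """True when the feed entry falls inside one warning list (cidr or hostname)."""
    value = entry["indicator"]
    if warninglist["type"] == "cidr" and entry["type"] == "ip":
        ip = ipaddress.ip_address(value)
        return any(ip in ipaddress.ip_network(c) for c in warninglist["list"])
    if warninglist["type"] == "hostname" and entry["type"] == "domain":
        host = value.lower().rstrip(".")
        # MISP hostname lists match the host itself and any subdomain of it
        return any(host == h or host.endswith("." + h) for h in warninglist["list"])
    return False


def filter_feed(feed, warninglists):
    """Split a feed into watchlist candidates and suppressed false positives.

    Nothing here is promoted to a blocklist: entries that survive are only
    tagged for hunting, in line with the low-to-medium confidence caveat.
    """
    keep, dropped = [], []
    for entry in feed:
        hit = next((wl["name"] for wl in warninglists if _matches(entry, wl)), None)
        (dropped if hit else keep).append({**entry, "warninglist": hit})
    return keep, dropped


if __name__ == "__main__":
    watch, suppressed = filter_feed(FEED, WARNINGLISTS)
    for e in watch:
        print("WATCHLIST", e["indicator"], e["confidence"])
    for e in suppressed:
        print("SUPPRESSED", e["indicator"], "->", e["warninglist"])
```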

Indicators of Compromise (IOCs)

| Source | URL |
| --- | --- |
| GreyNoise (1) | |
| Malwar3Ninja's GitHub by @0xDanielLopez | |
| Azure Sentinel | |
| Malware Bazaar | |
| AbuseIPDB | Google/Bing Dorks "log4j", "log4shell", "jndi" |
| Andrew Grealy, CTCI | |
| Bad Packets | |
| Costin Raiu, Kaspersky | |
| SANS Internet Storm Center | |
| Nozomi Networks | |
| Miguel Jiménez | |
| CERT Italy | |
| Juniper Networks (1) | |

Threat Reports

| Source | Threat | URL |
| --- | --- | --- |
| @GelosSnake | Kinsing | |
| @an0n_r0 | Kinsing | |
| @zom3y3 | Muhstik | |
| 360 NetLab (1) | Mirai, Muhstik | |
| MSTIC (1) | Cobalt Strike | |
| Cronup | Kinsing, Katana-Mirai, Tsunami-Muhstik | |
| Cisco Talos | Kinsing, Mirai | |
| Profero | Kinsing, Mirai, Tsunami | |
| IronNet | Mirai, Cobalt Strike | |
| @CuratedIntel | TellYouThePass Ransomware | |
| @Laughing_Mantis | Log4j Worm | |
| Lacework | Kinsing, Mirai | |
| 360 NetLab (2) | Muhstik, Mirai, BillGates (Elknot), XMRig, m8220, SitesLoader, Meterpreter | |
| Trend Micro | Cobalt Strike, Kirabash, Swrort, Kinsing, Mirai | |
| BitDefender | Khonsari Ransomware, Orcus RAT, XMRig, Muhstik | |
| MSTIC (2) | PHOSPHORUS, HAFNIUM, Initial Access Brokers | |
| Cado Security (1) | Mirai, Muhstik, Kinsing | |
| Cado Security (2) | Khonsari Ransomware | |
| Valtix | Kinsing, Zgrab | |
| Fastly | Gafgyt | |
| Check Point | StealthLoader | |
| Juniper Networks (2) | XMRig | |
| AdvIntel | Conti | |
| @JakubKroustek | NanoCore RAT | |
| MSTIC (3) | Meterpreter, Bladabindi (njRAT), HabitsRAT, Webtoos | |
| Cryptolaemus | Dridex, Meterpreter | |
| CyberSoldiers | Dridex | |
| Cluster25 | Dridex | |
| FortiGuard | Mirai-based "Worm" | |
| CyStack | Kworker backdoor | |
| MSTIC (4) | DEV-0401 | |
| DarkFeed | AvosLocker | |
| Centre for Cyber security Belgium | Farfli (Gh0st RAT), CobaltStrike | |

Payload Examples

| Source | URL |
| --- | --- |
| GreyNoise (2) | |
| Malware-Traffic-Analysis (PCAP) | |

Threat Profiling

| Threat | Type | Profile: Malpedia | Profile: MITRE ATT&CK | Activity |
| --- | --- | --- | --- | --- |
| Dridex | Banking Trojan | Dridex (Malware Family) | Dridex, Software S0384 | Command and Control, Tactic TA0011 |
| Cobalt Strike | Attack tool usage | Cobalt Strike (Malware Family) | Cobalt Strike, Software S0154 | Command and Control, Tactic TA0011 |
| Meterpreter | Attack tool usage | Meterpreter (Malware Family) | N/A | Command and Control, Tactic TA0011 |
| Orcus RAT | Attack tool usage | Orcus RAT (Malware Family) | N/A | Remote Access Software, Technique T1219 |
| NanoCore RAT | Attack tool usage | NanoCore RAT (Malware Family) | NanoCore, Software S0336 | Remote Access Software, Technique T1219 |
| njRAT / Bladabindi | Attack tool usage | njRAT (Malware Family) | njRAT, Software S0385 | Remote Access Software, Technique T1219 |
| HabitsRAT | Attack tool usage | HabitsRAT (Malware Family) | N/A | Remote Access Software, Technique T1219 |
| Gh0st RAT | Attack tool usage | Gh0st RAT (Malware Family) | Gh0st RAT, Software S0032 | Remote Access Software, Technique T1219 |
| BillGates / Elknot | Botnet expansion (DDoS) | BillGates (Malware Family) | N/A | Acquire Infrastructure: Botnet, Sub-technique T1583.005 |
| Bashlite (aka Gafgyt) | Botnet expansion (DDoS) | Bashlite (Malware Family) | N/A | Acquire Infrastructure: Botnet, Sub-technique T1583.005 |
| Mirai (AKA Katana) | Botnet expansion (DDoS, miner) | Mirai (Malware Family) | N/A | Acquire Infrastructure: Botnet, Sub-technique T1583.005 |
| Muhstik (AKA Tsunami) | Botnet expansion (DDoS, miner) | Tsunami (Malware Family) | N/A | Resource Hijacking, Technique T1496 |
| Kinsing | Botnet expansion (miner) | Kinsing (Malware Family) | Kinsing, Software S0599 | Resource Hijacking, Technique T1496 |
| m8220 | Botnet expansion (miner) | N/A | N/A | Resource Hijacking, Technique T1496 |
| Swrort | Downloader usage (stager) | Swrort Stager (Malware Family) | N/A | Ingress Tool Transfer, Technique T1105 |
| SitesLoader | Downloader usage (stager) | N/A | N/A | Ingress Tool Transfer, Technique T1105 |
| Kirabash | Infostealer usage | N/A | N/A | OS Credential Dumping: /etc/passwd and /etc/shadow, Sub-technique T1003.008 |
| XMRig | Mining tool usage | N/A | N/A | Resource Hijacking, Technique T1496 |
| Zgrab | Network scanner tool usage | N/A | N/A | Network Service Scanning, Technique T1046 |
| TellYouThePass Ransomware | Ransomware usage | N/A | N/A | Data Encrypted for Impact, Technique T1486 |
| Khonsari Ransomware | Ransomware usage | N/A | N/A | Data Encrypted for Impact, Technique T1486 |
| Conti Ransomware | Ransomware usage | Conti (Malware Family) | Conti, Software S0575 | Data Encrypted for Impact, Technique T1486 |
| NightSky Ransomware | Ransomware usage | N/A | N/A | Data Encrypted for Impact, Technique T1486 |
| AvosLocker Ransomware | Ransomware usage | N/A | N/A | Data Encrypted for Impact, Technique T1486 |

Threat Groups

| Grouping | Actor | Mentioned Alias | Other Alias | EternalLiberty | Threat Report | Note |
| --- | --- | --- | --- | --- | --- | --- |
| State actor | China | HAFNIUM | N/A | | MSTIC (2) | Attacking infrastructure to extend their typical targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems. |
| State actor | Iran | PHOSPHORUS | APT35, TEMP.Beanie, TA 453, NewsBeef, CharmingKitten, G0003, CobaltIllusion, TG-2889, Timberworm, C-Major, Group 41, Tarh Andishan, Magic Hound, Newscaster | | MSTIC (2) | Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. |
| Organized Cybercrime | Russia | Wizard Spider | Trickbot Gang, FIN12, GOLD BLACKBURN, Grim Spider | | AdvIntel | Wizard Spider is the developer of the Conti Ransomware-as-a-Service (RaaS) operation, which has a high number of affiliates, and a Conti affiliate has leveraged Log4Shell in Log4j2 in the wild. |
| Organized Cybercrime | Russia | EvilCorp | Indrik Spider, GOLD DRAKE | | Cryptolaemus | EvilCorp are the developers of the Dridex Trojan, which began life as a banking malware but has since shifted to support the delivery of ransomware, which has included BitPaymer, DoppelPaymer, Grief, and WastedLocker, among others. Dridex is now being dropped following the exploitation of vulnerable Log4j instances. |
| State actor | China | Aquatic Panda | N/A | | CrowdStrike | AQUATIC PANDA is a China-based targeted intrusion adversary with a dual mission of intelligence collection and industrial espionage. It has likely operated since at least May 2020. AQUATIC PANDA operations have primarily focused on entities in the telecommunications, technology and government sectors. AQUATIC PANDA relies heavily on Cobalt Strike, and its toolset includes the unique Cobalt Strike downloader tracked as FishMaster. AQUATIC PANDA has also been observed delivering njRAT payloads to targets. |
| To be determined | China | DEV-0401 | N/A | | MSTIC (4) | Attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. An investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware. These attacks are performed by a China-based ransomware operator that MSTIC is tracking as DEV-0401. DEV-0401 has previously deployed multiple ransomware families including LockFile, AtomSilo, and Rook, and has similarly exploited Internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). |
| Organized Cybercrime | Russia | Mummy Spider | TA542, MealyBug, GoldCrestwood | | SentinelOne | Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network. |
| Organized Cybercrime | Russia | Prophet Spider | UNC961 | | BlackBerry | The Initial Access Broker (IAB) group Prophet Spider has been exploiting the Log4j vulnerability in the Apache Tomcat component of VMware Horizon. |