Threat actors, including suspected state-sponsored groups, continued exploiting Log4Shell (CVE-2021-44228) in unpatched public-facing VMware Horizon and Unified Access Gateway systems, according to a joint CISA and U.S. Coast Guard Cyber Command advisory. In confirmed incidents, attackers used the flaw for initial access, deployed malware disguised as SysInternals tools, established command-and-control, moved laterally over RDP, and in at least one case reached a disaster recovery network and exfiltrated sensitive data. The advisory highlighted artifacts including hmsvc.exe, SvcEdge.exe, odbccads.exe, praiser.exe, fontdrvhosts.exe, winds.exe, error_401.jsp, and newdev.dll, and urged organizations that delayed patching to assume compromise, isolate affected hosts, hunt for indicators, and upgrade to fixed VMware builds.
The vulnerability’s broad reach and difficult-to-observe execution paths also drove a wave of defensive tooling and monitoring guidance across the security community. Researchers released a Burp Suite Log4Shell Scanner that uses out-of-band DNS and LDAP-based callbacks to uncover hidden or asynchronous vulnerable services, while others published Suricata detection coverage, regex-based IOC matching for log review, and updated enterprise advisories from vendors including Red Hat, Sophos, Mandiant, and SANS. Reports also indicated exploitation activity had begun early, with botnets attempting to weaponize the flaw soon after disclosure, reinforcing that Log4Shell remained both a mass-scanning target and a high-impact intrusion vector long after patches became available.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
10 events from the most recent confirmed update back to the earliest known activity.
Mandiant published guidance on initial Log4Shell exploitation and mitigation recommendations, summarizing defensive considerations for organizations still managing the risk.
SC Media published a feature examining the numbers and impact one year after Log4Shell, marking a retrospective milestone in coverage of the vulnerability.
The log4shell-rex GitHub project was published to provide PCRE regex matching for Log4Shell indicators of compromise in logs.
Neo23x0 published Fenrir version 0.9.0 as a Log4Shell-focused release, adding tooling relevant to detection or response for the vulnerability.
A GitHub Gist published Suricata coverage for Log4Shell exploitation attempts, providing defenders with detection content for CVE-2021-44228 activity.
Silent Signal announced and released an open-source Burp Suite extension called Log4Shell Scanner to help defenders identify hidden Log4Shell-affected hosts using out-of-band detection.
SANS Internet Storm Center published follow-up content describing what it was seeing from Log4Shell activity and how defenders could respond and access related data.
Red Hat published security bulletin RHSB-2021-009 covering the Log4Shell remote code execution vulnerability in log4j and related response guidance.
ZDNet reported that remote code execution activity targeting Log4Shell began on 2021-12-01, with botnets starting to use the vulnerability before its broad public disclosure.
CISA and U.S. Coast Guard Cyber Command issued a joint advisory stating that multiple threat actors, including suspected state-sponsored actors, continued exploiting unpatched VMware Horizon and Unified Access Gateway systems after fixes became available in December 2021. The advisory also documented two confirmed incident-response cases involving malware deployment, lateral movement, and in one case data exfiltration.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
13 references tracked. Mallory keeps watching after this page renders.
sophos.com
Open sourcezeropath.com
Open sourcemandiant.com
Open sourcescworld.com
Open sourceisc.sans.edu
Open sourceaccess.redhat.com
Open sourcezdnet.com
Open sourcecisa.gov
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.