The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by a reactive network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.

翻译：2021年12月Log4Shell漏洞的披露引发了全球范围内前所未有的扫描和利用活动浪潮。近期一项研究提供了重要的初步见解，但在地域和时间范围上存在较大局限性——其主要聚焦于欧美网络望远镜部署，并覆盖漏洞披露后的短时期。因此，对利用行为的长期演化特征及其地域特性仍缺乏深入理解。本文基于在印度部署的反应式网络望远镜，对2021年12月至2025年10月期间观测到的Log4Shell相关流量开展纵向测量研究。该观测视角使我们能够审视漏洞爆发初期之后持续存在的利用动态，包括扫描广度变化、基础设施重用、载荷构造及目标选择等维度。分析表明：Log4Shell利用活动在漏洞披露后持续数年，活跃度逐渐集中在较小规模的重复扫描器与回调基础设施集群，同时伴随载荷混淆程度增强以及协议/端口使用模式迁移。通过与基准研究的对比分析和观测结果，我们验证了相关时间演化趋势的一致性，以及因观测点位置与覆盖范围差异导致的系统性区别。这些结果证明Log4Shell在漏洞披露期过后仍长期保持活跃，凸显了通过长周期、多地域测量深入理解关键软件漏洞完整生命周期的重大价值。