The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights, but was largely limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics has remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis and observations with the benchmark study validate both correlated temporal trends and systematic differences attributable to vantage point placement and coverage. Subsequently, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.

翻译：2021年12月Log4Shell漏洞的披露引发了全球范围内前所未有的扫描与漏洞利用活动浪潮。近期一项研究提供了重要的初步见解，但其在时间跨度和地理范围上存在较大局限——主要聚焦于欧美地区的网络望远镜部署，且仅涵盖漏洞披露后的即时影响阶段。因此，关于漏洞利用行为的长期演变规律及其区域特征仍缺乏充分认知。本文通过部署于印度的主动网络望远镜，对2021年12月至2025年10月期间观测到的Log4Shell相关流量开展纵向测量研究。该观测视角使我们能够突破初期爆发阶段的限制，系统考察持续性的漏洞利用动态，包括扫描广度变化、基础设施复用、载荷构建方式及目标选择策略的演变。分析表明：Log4Shell漏洞利用在披露后持续活跃数年，攻击活动逐渐向少量反复出现的扫描器与回调基础设施集中，同时伴随载荷混淆技术的增强以及协议与端口使用模式的转变。通过与基准研究的对比分析与观测验证，我们既发现了具有关联性的时序趋势，也识别出因观测点布局与覆盖范围差异导致的系统性区别。这些结果证实Log4Shell在初始披露期后仍长期保持活跃，凸显了长期、多地域的测量研究对于理解关键软件漏洞完整生命周期的重要价值。