Thursday, May 8, 2025
HomeComputer SecurityChinese Hackers Using Log4Shell Exploit Tools to Perform Post-Exploitation Attacks

Chinese Hackers Using Log4Shell Exploit Tools to Perform Post-Exploitation Attacks

Published on

SIEM as a Service

Follow Us on Google News

The cybersecurity firm, CrowdStrike has warned that Chinese hackers are using the Log4Shell exploit tools to perform various post-exploitation operations. 

The hacker group behind these malicious operations, Aquatic Panda was seen using the Log4Shell vulnerability, with the help of a large academic institution.

In early December the Log4Shell and LogJam vulnerability, which were tracked as CVE-2021-44228 was discovered in the popular Log4j logging library.

- Advertisement - Google News

Aquatic Panda

Aquatic Panda is a Chinese hacking group that is operating since May 2020 and it has two primary goals:-

  • Intelligence collection.
  • Industrial espionage.

This hacking group mainly targets all its users from the following sectors:-

  • Telecommunications sectors
  • Technology sectors
  • Government sectors

Apart from this, the AQUATIC PANDA counts on the following tools for the execution of all its operations:-

  • Cobalt Strike
  • FishMaster (Unique Cobalt Strike downloader.)
  • njRAT

Technical Analysis

To gain initial access to the target system, the Aquatic Panda uses a modified version of the exploit for a bug in Log4j, and then it performs several post-exploitation activities like:- 

  • Exploration
  • Credential collection

The hackers targeted VMware Horizon that used the vulnerable Log4j library to compromise a large academic institution, and on December 13, 2021, the exploit used in this attack was published on GitHub.

Using the DNS lookups for a subdomain running on VMware Horizon as part of Apache Tomcat, the threat actors performed a connection check.

On the Windows host where the Apache Tomcat service was running, the team ran a series of Linux commands, and not only that even they also performed the same on those aimed at deploying malicious tools that are hosted on remote infrastructure.

Here at this point to better understand privilege levels and learn more about the domain, the threat actors have also conducted surveillance efforts. While they also tried to interrupt a response solution and third-party endpoint threat detection solution.

The malware and three VBS files were extracted by the hackers through PowerShell commands, and to accomplish this, additional scripts were deployed by the hackers. 

At this stage, by performing memory dumps and preparing them for theft, the threat actors of Aquatic Panda attempted several trials to collect credentials.

Moreover, the attacked academic institution was timely warned of suspicious activities to be able to quickly use the incident response protocol, fixing vulnerable software and deterring further development of the malicious activity.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Researchers Turn the Tables: Scamming the Scammers in Telegram’s PigButchering Scheme

Cybersecurity specialists have devised an innovative approach to combat an emerging cybercrime called "PigButchering"...

New Spam Campaign Leverages Remote Monitoring Tools to Exploit Organizations

A sophisticated spam campaign targeting Portuguese-speaking users in Brazil has been uncovered by Cisco...

New Attack Exploits X/Twitter Ad URL Feature to Deceive Users

Silent Push Threat Analysts have recently exposed a sophisticated financial scam leveraging a vulnerability...

Guess Which Browser Tops the List for Data Collection!

Google Chrome has emerged as the undisputed champion of data collection among 10 popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researcher Exploits Regex Filter Flaw ...

Target application included a username field restricted by a frontend regex filter (/^{1,20}$/), designed...

North Korean Hacker Tries to Infiltrate Kraken Through Job Application

Leading cryptocurrency exchange Kraken has disclosed that it recently thwarted an infiltration attempt by...

Gain Legends International Suffers Security Breach – Customers Data Stolen

Gain Legends International, a prominent name in sports, entertainment, and venue management, has confirmed...