Chinese Spies Exploit Log4Shell to Hack Major Academic Institution

China-linked cyberespionage group Aquatic Panda was recently observed exploiting the Log4Shell vulnerability to compromise a large academic institution, CrowdStrike’s Falcon OverWatch team reports.


Tracked as CVE-2021-44228 and also referred to as Log4Shell and LogJam, the security hole affects the Apache Log4j Java logging framework and has been exploited in targeted attacks since early December.

As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access, and then performing various post-exploitation operations, including reconnaissance and credential harvesting.

In their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The exploit used in this attack was initially published on GitHub on December 13.


The attackers performed connectivity checks via DNS lookups for a subdomain running on the VMware Horizon instance, under the Apache Tomcat service (other threat actors have also been observed using public DNS logging services to identify vulnerable servers).

Next, Aquatic Panda executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, including some aimed at deploying attacker tools hosted on remote infrastructure.

The attackers performed reconnaissance from the host, seeking to better understand privilege levels and domain details, and also attempted to stop a third-party endpoint detection and response solution.

After deploying additional scripts, the hackers attempted to execute PowerShell commands to retrieve malware and three VBS files believed to constitute a reverse shell.

Aquatic Panda also made several attempts at credential harvesting by performing memory dumps and preparing them for exfiltration by compressing them.

The target organization was alerted to the suspicious activity immediately after detection and was able to quickly implement their incident response protocol, to patch the vulnerable software and prevent further malicious activity.

Active since at least May 2020 and engaging in intelligence collection and industrial espionage, Aquatic Panda has been observed targeting organizations in the government, telecommunications, and technology sectors. The group’s toolset includes Cobalt Strike, the FishMaster downloader, and njRAT, among others.
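The behavior described above, Linux commands executed on a Windows host under the Apache Tomcat service, can be hunted for in process-creation telemetry. The following sketch is an added example, not code from CrowdStrike or from the original article; the event field names, the image names, the command list and the sample events are all assumptions constructed for illustration.

```python
import ntpath
import re
# Assumptions (not from the article): image names and the utility list are
# illustrative starting points; a hit is a hunting lead, not a verdict.
TOMCAT_IMAGES = {"tomcat9.exe", "ws_tomcatservice.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
LINUX_UTILS = {"uname", "id", "ifconfig", "chmod", "ls", "cat"}

def image_name(path):
    return ntpath.basename(path.strip('"')).lower()

def linux_commands(cmdline):
    """Return Linux utilities that appear in command position."""
    spaced = re.sub(r"([;&|]+)", r" \1 ", cmdline)
    found, command_position = [], True
    for token in spaced.split():
        bare = token.strip("\"'").lower()
        if bare in ("/c", "-c") or not bare.strip(";&|"):
            command_position = True      # next token starts a new command
            continue
        if command_position and bare in LINUX_UTILS:
            found.append(bare)
        command_position = False
    return found

def hunt(events):
    """Flag process-creation events whose parent is the Tomcat service."""
    hits = []
    for ev in events:
        if image_name(ev["parent_image"]) not in TOMCAT_IMAGES:
            continue
        is_shell = image_name(ev["image"]) in SHELL_IMAGES
        reasons = ["shell spawned by Tomcat"] if is_shell else []
        cmds = linux_commands(ev["command_line"])
        if cmds:
            reasons.append("linux commands on windows: " + ",".join(cmds))
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample events (not real telemetry).
TOMCAT, SYS = r"C:\srv\tomcat\bin\tomcat9.exe", "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": TOMCAT, "image": SYS + "cmd.exe", "command_line": 'cmd.exe /c "uname -a && id"'},
    {"id": 2, "parent_image": TOMCAT, "image": r"C:\srv\jre\bin\java.exe", "command_line": "java.exe -jar worker.jar"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": SYS + "cmd.exe", "command_line": "cmd.exe /c dir"},
    {"id": 4, "parent_image": TOMCAT, "image": SYS + "powershell.exe", "command_line": "powershell.exe -NoProfile -Command Get-Date"},
]
if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```
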


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
