A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.
The Log4Shell vulnerability affecting the Apache Log4j logging utility came to light in December 2021. The flaw, identified as CVE-2021-44228, can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.
Log4Shell impacts the products of several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.
Microsoft said the threat actor it tracks as Mercury has been known to exploit Log4j vulnerabilities, but it has done so against vulnerable VMware software, and this seems to be the first time they have targeted SysAid apps. The tech giant assesses with ‘moderate confidence’ that the hackers have exploited SysAid server instances.
SecurityWeek is not aware of any other attacks in which threat actors have exploited Log4Shell against SysAid applications.
SysAid, which provides IT service management solutions, addressed the Log4Shell vulnerability shortly after its existence came to light, but it seems some instances remain unpatched.
Mercury is also known as Seedworm, Static Kitten and MuddyWater. The group was officially linked earlier this year by the US government to Iran’s Ministry of Intelligence and Security.
In the attacks observed by Microsoft in late July, Mercury targeted organizations located in Israel. It’s not uncommon for Iranian groups to target Israel.
“The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country,” Microsoft said.
After gaining access to the targeted system, the hackers established persistence, dumped credentials, and moved laterally within the organization using various tools. The threat actor conducted hands-on-keyboard activities.
“Exploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several commands,” Microsoft explained. “Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.”
Related: US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products
Related: Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
