What Do the IoCs Tell Us So Far?

A zero-day vulnerability found in Log4j, a logging library commonly used in Java, was detected on 9 December 2021. The vulnerability known as “CVE-2021-44228” or “Log4Shell” enables attackers to execute codes and access all data on an infected machine remotely. So far, we gathered 46 IP addresses from indicator of compromise (IoC) lists found on Pastebin and IBM. Using various domain and IP intelligence sources, we found essential details to help the security team investigate and mitigate this new vulnerability.

  • Almost all IP addresses have fewer than 10 resolving domains, indicating the possibility that they are dedicated.
  • 28% of the IP addresses are geolocated in Germany, and the top Internet service providers (ISPs) are Internet-Research and Digital Ocean.
  • 151 unique domains and subdomains resolve to the IP addresses, a few of which have been reported “malicious.”
  • 70 domains and subdomains containing the text string “log4j” were registered within the week of the vulnerability’s detection.

You may download the complete list of IoCs and connected domains related to this threat research on our website. We provide more details about the findings below.

Most IoCs Could Be Dedicated IP Addresses

Only one of 46 IP addresses (62[.]210[.].130[.].250) had more than 50 connected domains and is shared by 101 domains, which we did not include. The rest of the IP addresses on the IoC list only have between one and eight connected domains each.

We analyzed the attributes of these IP addresses and determined the most common geolocation and ISPs.

What IP Ranges Do the Malicious IP Addresses Belong To?

The IoCs belong to 33 IP ranges, according to data from IP Netblocks API. The top IP range 45[.]83[.]64[.]1—45[.]83[.]67[.]255 is responsible for nine of the IP addresses on the IoC list and is managed by Alpha Strike Labs GmbH.

What Are the Top Geolocations of the IoCs?

IP Geolocation API revealed that 13 or 28% of the IP addresses are geographically located in Germany while 11% are in Sweden. The U.S. and Russia were indicated as the geolocation of 9% of the IP addresses each, while Great Britain and the Netherlands both accounted for 7%. The rest of the IoCs were distributed across 10 other countries, most of which are in Asia and Europe.

What ISPs Manage the IoCs?

Several of the IP addresses belong to DigitalOcean, Inc. and another ISP called “Internet-Research” with the ASN name Alphastrike-Research, a security research organization.

Other ISPs that appeared multiple times on the list were Foreningen Digitala Fri-Och Rattigheter, Linode, LLC and Hostaway. The rest were divided among 17 other ISPs, the most interesting of which is the Massachusetts Institute of Technology (MIT). The presence of CIA Triad Security LLC is also noteworthy, as the ISP is known to operate IP addresses running Tor exit nodes, virtual private networks (VPNs), and other anonymizing services.

Analysis of Connected Domains

One way to see the digital footprint of attackers is by looking at the domains resolving to the IP addresses. Reverse IP API helped us do that for all the Log4jShell IoCs, leading us to 151 domain and subdomain connections. String analysis revealed the top 10 top-level domains (TLDs), led by .org.

Common text strings used in the domains and subdomains include “disneyplus,” “plesk,” “log4j,” “tor-exit,” “leakix,” and “probe001.”

Some connected domains were deemed unsafe, having been flagged as malicious by a malware check. These domains are:

  • disneyplus-com[.]org
  • blubokeprojet[.]com
  • abrakadaprout[.]org
  • 4fed4[.]org
Log4j Representation in the DNS

Since “log4j” is one of the most-used text strings among the connected domains, we wanted to see the volume of domains and subdomains added since the vulnerability was detected. We found some activities, with 38 domains and 32 subdomains registered within one week since it was detected on 9 December 2021.


Log4jShell is still a very new vulnerability, and more IoCs may emerge in the coming weeks. Analyzing IoC attributes and connections can help the security community investigate exploits deeper.

If you’re a cybersecurity researcher or investigator interested in the IP and domain intelligence related to the Log4jShell vulnerability, feel free to contact us.



Menu