
A Domain Bloom in Progress: log4j Domains

Corin Imai

What’s interesting from an Internet infrastructure perspective is that registrations of domain names containing the string “log4j” seem to be following the pattern of a Domain Bloom. A Domain Bloom is a pattern in which the number of domains containing a specific n-gram (in more practical terms, a word or word fragment) rises above a previous baseline and stays elevated for some period before tailing off, either to the original baseline (for relatively common words) or to a new baseline (for words that are essentially new to the lexicon, such as “COVID”).

For defenders, the low number of log4j-themed domains so far means that, statistically speaking, you’re not very likely to see traffic from your environment to one of these domains, and if you do, there’s no guarantee that you’ll hit a bad one.
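The Domain Bloom pattern described above can be checked against a feed of newly registered domains. The sketch below is an added example, not code from the article: it counts daily registrations containing an n-gram and reports a sustained rise above baseline, including whether the bloom is still in progress. The baseline window, the elevation factor, the minimum run length and the sample registrations are all assumptions made for illustration.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median


def daily_counts(registrations, ngram, start, end):
    """Per-day count of registered names containing `ngram` (case-insensitive)."""
    needle = ngram.lower()
    hits = Counter(day for day, name in registrations if needle in name.lower())
    span = (end - start).days + 1
    return [(start + timedelta(days=d), hits[start + timedelta(days=d)])
            for d in range(span)]


def find_bloom(counts, baseline_days=7, factor=3.0, min_run=3):
    """Find the first sustained rise above baseline; None if there is none.

    Assumed parameters (not from the article): baseline = median of the first
    `baseline_days`; a day is elevated when count > max(1, factor * baseline);
    a bloom needs `min_run` consecutive elevated days.
    """
    baseline = median(c for _, c in counts[:baseline_days])
    threshold = max(1.0, factor * baseline)
    run, ended = [], False
    for day, count in counts[baseline_days:]:
        if count > threshold:
            run.append(day)
        elif len(run) >= min_run:
            ended = True          # counts fell back to baseline: bloom is over
            break
        else:
            run = []              # short blip, not sustained
    if len(run) < min_run:
        return None
    return {"start": run[0], "last_elevated": run[-1],
            "baseline": baseline, "in_progress": not ended}


def sample_registrations():
    """Constructed data for illustration, not real registration records."""
    per_day = [0, 1, 0, 0, 1, 0, 0, 0, 0, 6, 9, 12, 8, 5, 4, 1, 0]
    start = date(2021, 12, 1)
    regs = []
    for offset, n in enumerate(per_day):
        day = start + timedelta(days=offset)
        regs += [(day, f"Log4J-sample{offset}-{i}.example") for i in range(n)]
        regs.append((day, f"unrelated{offset}.example"))  # must not be counted
    return regs, start, start + timedelta(days=len(per_day) - 1)


if __name__ == "__main__":
    regs, start, end = sample_registrations()
    print(find_bloom(daily_counts(regs, "log4j", start, end)))
```

A bloom that tails off to a new, higher baseline rather than the original one would keep reporting `in_progress` under these thresholds, so the baseline window needs re-anchoring once counts stabilise.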

Indicator List: log4j domains as of 12/15/21:
