A Longitudinal Measurement Study of Log4Shell Exploitation from an Active Network Telescope

📅 2026-01-07
🏛️ arXiv.org
📈 Citations: 0
Influential: 0
📄 PDF

🤖 AI Summary
Following the disclosure of the Log4Shell vulnerability, its long-term, cross-regional exploitation dynamics have lacked systematic observation. This study leverages an active network telescope deployed in India to conduct a longitudinal measurement of Log4Shell-related traffic from December 2021 to October 2025, offering the first South Asian perspective on post-outbreak exploitation trends. Our analysis reveals persistent attack activity spanning multiple years, increasing centralization of scanning and callback infrastructure, and growing use of payload obfuscation. Through traffic capture, payload decoding, infrastructure clustering, and cross-regional comparison, we further identify significant shifts in protocol and port usage. These findings underscore the critical importance of sustained, multi-regional monitoring for understanding the full lifecycle of critical software vulnerabilities.

📝 Abstract
The disclosure of the Log4Shell vulnerability in December 2021 led to an unprecedented wave of global scanning and exploitation activity. A recent study provided important initial insights but was limited in duration and geography, focusing primarily on European and U.S. network telescope deployments and covering only the immediate aftermath of disclosure. As a result, the longer-term evolution of exploitation behavior and its regional characteristics have remained insufficiently understood. In this paper, we present a longitudinal measurement study of Log4Shell-related traffic observed between December 2021 and October 2025 by an active network telescope deployed in India. This vantage point enables examination of sustained exploitation dynamics beyond the initial outbreak phase, including changes in scanning breadth, infrastructure reuse, payload construction, and destination targeting. Our analysis reveals that Log4Shell exploitation persists for several years after disclosure, with activity gradually concentrating around a smaller set of recurring scanner and callback infrastructures, accompanied by an increase in payload obfuscation and shifts in protocol and port usage. A comparative analysis against the benchmark study confirms both correlated temporal trends and systematic differences attributable to vantage-point placement and coverage. Taken together, these results demonstrate that Log4Shell remains active well beyond its initial disclosure period, underscoring the value of long-term, geographically diverse measurement for understanding the full lifecycle of critical software vulnerabilities.
Problem

Research questions and friction points this paper is trying to address.

Log4Shell
vulnerability exploitation
longitudinal measurement
network telescope
cybersecurity
Innovation

Methods, ideas, or system contributions that make the work stand out.

Longitudinal Measurement
Active Network Telescope
Log4Shell Exploitation
Geographic Diversity
Payload Obfuscation
Aakash Singh
Big Data Research and Supercomputing Division, CSIR Fourth Paradigm Institute (CSIR-4PI), Bengaluru, India
Kuldeep Singh Yadav
Scientist, CSIR; Post-Doc Fellow, Indian Institute of Technology Delhi
Research interests: Deep Learning, Computer Vision and Image Processing, Pattern Recognition, HBI and HCI
V. Anil Kumar
Big Data Research and Supercomputing Division, CSIR Fourth Paradigm Institute (CSIR-4PI), Bengaluru, India
Samiran Ghosh
Big Data Research and Supercomputing Division, CSIR Fourth Paradigm Institute (CSIR-4PI), Bengaluru, India
Pranita Baro
Big Data Research and Supercomputing Division, CSIR Fourth Paradigm Institute (CSIR-4PI), Bengaluru, India
Basavala Bhanu Prasanth
Big Data Research and Supercomputing Division, CSIR Fourth Paradigm Institute (CSIR-4PI), Bengaluru, India