KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to a suspected Chinese state-backed cyber actor referred to as “RedGolf.”

The group, also known as APT41, BARIUM, or Earth Baku, gained attention following a report by Recorded Future’s Insikt Group in March 2023.

Their investigation revealed significant connections to more recent campaigns, including infrastructure associated with mid-2024 attacks on Italian organizations.

Central to the analysis was the use of historical Transport Layer Security (TLS) certificates, which provided unique identifiers and operational patterns tied to the ongoing activity.

TLS Certificate Insights

The examination of GhostWolf’s infrastructure began with a detailed analysis of 39 IP addresses linked to the threat actor as per the Insikt Group’s IoC dataset.

A critical discovery involved certificates from the wolfSSL library an open-source SSL/TLS library widely used in embedded systems and secure communications.

One key anomaly identified was the modification of the Organizational Unit (OU) field in these certificates.

While the legitimate example certificates used “Consulting_1024,” the malicious certificates altered this to “Support_1024,” effectively creating a distinct TLS fingerprint.

Further, researchers utilized the Hunt SSL History tool to uncover 122 IP addresses associated with this certificate’s SHA-256 hash.

A deeper refinement using JA4X fingerprinting, an advanced extension of the JA3 TLS fingerprinting method, narrowed results to 41 unique IPs sharing a similar configuration.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Leveraging TLS Fingerprints and Certificate Analysis

By combining multiple unique indicators, including the anomalous OU field, certificate SHA-256 hash, and JA4X fingerprint, researchers crafted advanced search queries to identify still-active infrastructure tied to GhostWolf.

Using tools such as Hunt’s Advanced Search, they pinpointed six active IP addresses exhibiting consistent characteristics.

These servers demonstrated coordinated behavior, operating primarily on HTTPS (port 443) or alternate ports such as 8443.

Key observations included the reuse of hosting providers across geographies (e.g., The Constant Company, LLC, and Nebula Global LLC).

Anomalies such as overlapping IP ranges with previously identified threats, including Yoroi’s report on APT41 intrusions, added weight to suspicions of continuity in operations.

Investigators also identified a server hosting a suspected variant of the GhostWolf certificate.

This server’s certificate resembled legitimate wolfSSL examples but exhibited timestamps closely matching the Support_1024 infrastructure.

Although conclusive attribution to RedGolf remains elusive, its geographic location and hosting provider align with previously reported Command-and-Control operations.

This analysis underscores the persistence of threat actors like RedGolf/APT41.

Their continued use of modified certificates, consistent hosting providers, and closely assigned IP ranges indicates a deliberate effort to maintain infrastructure longevity while evading detection.

The findings highlight the critical role of TLS certificate analysis and advanced fingerprinting techniques in detecting and tracking sophisticated threat actors.

The reuse of subtle certificate modifications, coupled with consistent infrastructure setups, suggests that defenders must remain vigilant.

Regularly analyze TLS certificates for unusual fields, such as modified Organizational Units (e.g., Support_1024) or unexpected issue dates.

Leverage enhanced fingerprinting tools, like JA4+, to detect and isolate malicious server configurations from benign traffic.

By adopting these measures, defenders can better anticipate adversary activity, mitigate risks, and enhance overall network security posture.

The investigation into GhostWolf’s infrastructure demonstrates the importance of persistent monitoring and historical data analysis in combating determined state-backed cyber threats.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar