Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links

· Published 24/01/2025 13:30 · Modified 24/01/2025 14:23

Essential information

Published
24/01/2025 13:30
Modified
24/01/2025 14:23
Tags
2025-01-24 apt41 ghostwolf keyplug wolfssl
Related entities
84 observables, 1 intrusion sets (apt), 6 techniques (mitre), 2 malware, 1 others

Description

The article analyzes a cluster of network infrastructure associated with KEYPLUG, attributed to a suspected Chinese state-sponsored actor tracked as RedGolf or APT41 (the names given in the title and tags above). By examining historical TLS certificates and server configurations, researchers uncovered ongoing activity and links to recent operations targeting Italian organizations. The investigation revealed a distinctive certificate configuration that places the value 'Support_1024' in the Organizational Unit field, together with a specific JA4X fingerprint. Pivoting on these two attributes allowed the identification of active servers potentially linked to the threat actor. The analysis highlights the value of tracking certificate attributes and incorporating TLS fingerprinting into detection, since such artifacts can expose suspicious infrastructure even when threat actors attempt to blend in with legitimate traffic.

External references