{
  "name": "Suspected KEYPLUG Infrastructure: TLS Certificates and GhostWolf Links",
  "slug": "suspected-keyplug-infrastructure-tls-certificates-and-ghostwolf-links",
  "description": "The article analyzes a cluster of network infrastructure associated with the KEYPLUG malware, attributed to a suspected Chinese state-sponsored actor known as RedGolf (also tracked as APT41). By pivoting on historical TLS certificates and server configurations, the researchers found ongoing activity and links to recent operations targeting Italian organizations. The investigation identified an unusual certificate configuration with the string 'Support_1024' in the Organizational Unit (OU) field, together with a specific JA4X certificate fingerprint, and used these as pivots to enumerate active servers potentially linked to the actor. Note that the OU string and JA4X value characterise the certificate and TLS stack rather than the operator, so hosts surfaced this way are leads to be corroborated (hosting provider, open ports, server responses) rather than confirmed attribution; the IP addresses listed here should be treated as suspected, as the title states. The analysis highlights the value of tracking certificate artefacts and TLS fingerprinting for detecting suspicious infrastructure even when threat actors attempt to blend in with legitimate traffic.",
  "published": "2025-01-24T12:30:10+00:00",
  "created_at": "2025-01-24T12:30:10+00:00",
  "modified_at": "2025-01-24T13:23:21+00:00",
  "created_at_opencti": "2025-01-24T12:30:10+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-01-24",
    "apt41",
    "ghostwolf",
    "keyplug",
    "wolfssl"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "88.218.192.22"
      },
      {
        "id": "",
        "name": "8.222.243.185"
      },
      {
        "id": "",
        "name": "8.222.220.3"
      },
      {
        "id": "",
        "name": "8.219.191.81"
      },
      {
        "id": "",
        "name": "8.218.156.56"
      },
      {
        "id": "",
        "name": "8.213.131.120"
      },
      {
        "id": "",
        "name": "67.43.234.150"
      },
      {
        "id": "",
        "name": "67.43.234.148"
      },
      {
        "id": "",
        "name": "67.43.234.146"
      },
      {
        "id": "",
        "name": "67.43.228.22"
      },
      {
        "id": "",
        "name": "67.43.228.21"
      },
      {
        "id": "",
        "name": "67.43.228.20"
      },
      {
        "id": "",
        "name": "67.43.228.19"
      },
      {
        "id": "",
        "name": "67.43.228.18"
      },
      {
        "id": "",
        "name": "66.42.49.65"
      },
      {
        "id": "",
        "name": "65.20.84.44"
      },
      {
        "id": "",
        "name": "65.20.79.156"
      },
      {
        "id": "",
        "name": "65.20.79.14"
      },
      {
        "id": "",
        "name": "65.20.78.223"
      },
      {
        "id": "",
        "name": "65.20.70.52"
      },
      {
        "id": "",
        "name": "65.20.78.204"
      },
      {
        "id": "",
        "name": "65.20.69.6"
      },
      {
        "id": "",
        "name": "64.176.83.46"
      },
      {
        "id": "",
        "name": "64.176.51.12"
      },
      {
        "id": "",
        "name": "64.176.50.30"
      },
      {
        "id": "",
        "name": "5.188.34.87"
      },
      {
        "id": "",
        "name": "51.79.177.23"
      },
      {
        "id": "",
        "name": "47.92.204.81"
      },
      {
        "id": "",
        "name": "47.245.99.137"
      },
      {
        "id": "",
        "name": "47.245.60.81"
      },
      {
        "id": "",
        "name": "45.32.125.90"
      },
      {
        "id": "",
        "name": "45.137.10.37"
      },
      {
        "id": "",
        "name": "45.32.101.56"
      },
      {
        "id": "",
        "name": "45.137.10.166"
      },
      {
        "id": "",
        "name": "39.106.32.186"
      },
      {
        "id": "",
        "name": "43.130.61.252"
      },
      {
        "id": "",
        "name": "38.55.24.53"
      },
      {
        "id": "",
        "name": "36.255.220.179"
      },
      {
        "id": "",
        "name": "209.141.36.195"
      },
      {
        "id": "",
        "name": "205.185.121.28"
      },
      {
        "id": "",
        "name": "202.79.173.228"
      },
      {
        "id": "",
        "name": "202.79.173.220"
      },
      {
        "id": "",
        "name": "202.79.173.211"
      },
      {
        "id": "",
        "name": "202.182.121.16"
      },
      {
        "id": "",
        "name": "173.209.62.190"
      },
      {
        "id": "",
        "name": "173.209.62.189"
      },
      {
        "id": "",
        "name": "173.209.62.187"
      },
      {
        "id": "",
        "name": "173.209.62.188"
      },
      {
        "id": "",
        "name": "158.247.253.114"
      },
      {
        "id": "",
        "name": "158.247.245.229"
      },
      {
        "id": "",
        "name": "158.247.234.25"
      },
      {
        "id": "",
        "name": "158.247.251.91"
      },
      {
        "id": "",
        "name": "158.247.203.247"
      },
      {
        "id": "",
        "name": "154.31.217.200"
      },
      {
        "id": "",
        "name": "154.12.87.168"
      },
      {
        "id": "",
        "name": "149.28.131.126"
      },
      {
        "id": "",
        "name": "149.28.130.130"
      },
      {
        "id": "",
        "name": "139.84.175.197"
      },
      {
        "id": "",
        "name": "139.180.213.58"
      },
      {
        "id": "",
        "name": "139.180.211.30"
      },
      {
        "id": "",
        "name": "139.180.189.81"
      },
      {
        "id": "",
        "name": "139.180.188.174"
      },
      {
        "id": "",
        "name": "139.180.153.109"
      },
      {
        "id": "",
        "name": "139.180.145.193"
      },
      {
        "id": "",
        "name": "114.55.6.216"
      },
      {
        "id": "",
        "name": "111.180.200.74"
      },
      {
        "id": "",
        "name": "108.61.159.145"
      },
      {
        "id": "",
        "name": "103.244.148.80"
      },
      {
        "id": "",
        "name": "103.234.96.167"
      },
      {
        "id": "",
        "name": "103.226.155.98"
      },
      {
        "id": "",
        "name": "103.226.155.96"
      },
      {
        "id": "",
        "name": "103.146.230.183"
      },
      {
        "id": "",
        "name": "103.146.230.165"
      },
      {
        "id": "",
        "name": "8.209.255.168"
      },
      {
        "id": "",
        "name": "67.43.234.149"
      },
      {
        "id": "",
        "name": "67.43.234.147"
      },
      {
        "id": "",
        "name": "45.76.150.120"
      },
      {
        "id": "",
        "name": "45.148.244.220"
      },
      {
        "id": "",
        "name": "43.249.36.84"
      },
      {
        "id": "",
        "name": "207.148.71.45"
      },
      {
        "id": "",
        "name": "173.209.62.186"
      },
      {
        "id": "",
        "name": "154.92.16.198"
      },
      {
        "id": "",
        "name": "103.146.230.130"
      },
      {
        "id": "",
        "name": "4c1baa3abb774b4c649c87417acaa4396eba40e5028b43fade4c685a405cc3bf"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:eaed3e88e086729f",
        "name": "KEYPLUG.LINUX",
        "slug": "keypluglinux"
      },
      {
        "id": "legacy:malware:876eb7878fad51a4",
        "name": "KEYPLUG - S1051",
        "slug": "keyplug-s1051"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1b10474e-c16d-4e14-9424-1771483ae094",
        "name": "RedGolf",
        "slug": "redgolf"
      }
    ],
    "attack_patterns": [
      {
        "id": "a7cb57ea-5e24-437e-8dad-1d22c2d8a80b",
        "name": "T1590.001"
      },
      {
        "id": "7ec3a60f-8eaa-4766-ab47-1a220616a29c",
        "name": "T1584.004"
      },
      {
        "id": "79a0325f-93d7-4d3b-8d07-81240999f98f",
        "name": "T1590.005"
      },
      {
        "id": "320df345-a473-4f17-9588-6cd021c14bd3",
        "name": "T1583.003"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Italy"
      }
    ]
  },
  "external_refs": [
    "https://hunt.io/blog/keyplug-infrastructure-tls-certificates-ghostwolf-activity",
    "https://otx.alienvault.com/pulse/679395e237c6dacf9b19f7a8"
  ]
}