KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to a suspected Chinese state-backed cyber actor referred to as “RedGolf.”

The group, also known as APT41, BARIUM, or Earth Baku, gained attention following a report by Recorded Future’s Insikt Group in March 2023.

Their investigation revealed significant connections to more recent campaigns, including infrastructure associated with mid-2024 attacks on Italian organizations.

Central to the analysis was the use of historical Transport Layer Security (TLS) certificates, which provided unique identifiers and operational patterns tied to the ongoing activity.

TLS Certificate Insights

The examination of GhostWolf’s infrastructure began with a detailed analysis of 39 IP addresses linked to the threat actor as per the Insikt Group’s IoC dataset.

A critical discovery involved certificates from the wolfSSL library an open-source SSL/TLS library widely used in embedded systems and secure communications.