{
	"id": "e2f88a7d-8750-4c95-b767-73966d334c2f",
	"created_at": "2026-04-06T00:07:05.355591Z",
	"updated_at": "2026-04-10T13:12:43.103572Z",
	"deleted_at": null,
	"sha1_hash": "103db2e3d848ef230432f42c9cb37fea746cdde8",
	"title": "DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3950688,
	"plain_text": "DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure\r\nPublished: 2024-11-21 · Archived: 2026-04-05 15:12:16 UTC\r\nTABLE OF CONTENTS\r\nDarkPeony?\r\nDigital Footprints: Certificate Analysis\r\nAdditional Links\r\nTime For Something Different?\r\nConclusion\r\nNetwork Observables\r\nIn a recent blog post, we discussed SSL/TLS certificates tied to suspected PlugX command and control (C2) nodes, which featured recurring use of 'AES' in the organizational unit field. Building on this, we've also identified two additional suspicious certificates on the same infrastructure linked to domains likely used to download or communicate with malware. These findings, alongside domain registration patterns, align closely with the infrastructure previously reported by NTT as being associated with DarkPeony. The group's repeated use of similar certificates and servers indicates a sustained operational tempo, enabling us to track this cluster of activity consistently over time.\r\nThis post will explore these network observables and provide context to assist defenders in proactively identifying future infrastructure before it becomes operationalized.\r\nDarkPeony?\r\nDarkPeony is a suspected Chinese cyber-espionage group known for targeting government and military organizations. As highlighted in NTT's report, the group was observed deploying PlugX malware in its campaigns, targeting entities across Myanmar, the Philippines, Mongolia, and Serbia.\r\nThe group primarily leverages infrastructure providers in Hong Kong, with CTG Server Ltd. and ChangLian Network Technology Co. being the most frequently observed networks. 
NameCheap and NameSilo are used to register domains, while CloudFlare nameservers are employed, likely in an attempt to conceal activity from researchers.\r\nThe domain buyinginfo[.]org was listed as one of the PlugX C2 servers in the report and became our starting point for looking for similar DarkPeony infrastructure. We identified the IP address linked to the above domain as 103.107.105[.]81. As shown in Figure 1, the server uses three certificates of importance to our research: two CloudFlare and one TrustAsia Technologies, Inc.\r\nFigure 1: SSL History overview of 103.107.105.81 (Hunt).\r\nhttps://hunt.io/blog/darkpeony-certificate-patterns\r\nPage 1 of 8\n\nChecking out the details for the certificate first seen on 2024-05-24, we see a DNS name of buyinginfo[.]org and the wildcard subdomain, *.buyinginfo[.]org.\r\nFigure 2: Certificate details showing the domain name from the NTT report (Hunt).\r\nOur blog post about PlugX from last month identified a cluster of five servers suspected to be linked with PlugX activity. Each of these servers utilized a certificate featuring the letters \"AES\" in the Organizational Unit field, suggesting a potential marker for the infrastructure used by this actor.\r\nPlease revisit the prior post for a more detailed examination and the Advanced Search query used. Figure 3 below shows the results of running the query at that time.\r\nFigure 3: Advanced Search query results for the certificates containing \"AES.\"\r\nFocusing on the certificates of 96.43.101[.]248, we noticed a CloudFlare (CF) certificate we hadn't dug into previously. Using well-known services can greatly hinder analysis, allowing the infrastructure to blend in with benign servers. Techniques like these have been seen in other operations, such as those targeting government mail servers. 
We'll touch on a probable query that will allow us to get around this temporary roadblock later.\r\nFigure 4: SSL History for the subject IP illustrates the AES and CloudFlare certs (Hunt).\r\nInterestingly, the most recent certificate (SHA-256: 130c463eefbfbdc2b33eefbfbd18efbfbd030819e3abbc08efbfbd5342efbfbd77efbfbd01efbfbd) from the above screenshot contains the domain name vabercoach[.]com.\r\nFigure 5: Certificate details for 96.43.101[.]248 (Hunt).\r\nClicking on the \"Certificate IPs\" button, we find our first pivot, a single IP address sharing this same certificate: 223.26.52[.]245.\r\nFigure 6: Screenshot of the shared certificate IPs (Hunt).\r\nOur investigation into vabercoach[.]com led us to various sandboxes, including VirusTotal and Hatching Triage, and sources like X/Twitter, which revealed a malicious file named 'Meeting Invitation.msc' (SHA-256: 397afb74746b2fe01abc63789412b38f44ceb234a278a04b85b2bb5b4e64cc8c) communicating with the domain. Notably, the same file name was observed in the Operation ControlPlug campaign, as documented by NTT.\r\nThe screenshot below (Figure 7) illustrates network traffic from Hatching Triage. It shows calls to the domain's endpoint/unit and activity involving an additional domain, loginge[.]com.\r\nFigure 7: The network portion of the analysis of 'Meeting Invitation.msc' (Triage).\r\nNote: The domains in the above figure resolve to CloudFlare allocated network space, thus hiding the true IP address.\r\nBefore diving into the remainder of the servers linked to DarkPeony, below is a pseudo-query that may assist in identifying additional CloudFlare certificates with minimal false positives. 
The following criteria should serve as a starting point for analysts seeking to expand their investigation and include ASNs as they are found:\r\nJARM Fingerprint: \"2ad2ad0002ad2ad22c2ad2ad2ad2ad703dc1bf20eb9604decefea997eabff7\" AND Subject Common Name:\"CloudFlare Origin Certificate\" AND ASN:\"152194, 137443\"\r\nThe above could be enhanced to include port 443, which the certificate uses almost exclusively. Keep in mind that if the actor(s) changes the port in the future, we will need to adjust accordingly.\r\nAdditional Links\r\nWe'll continue our findings by featuring the 'AES' and CloudFlare certificates and identify any domains associated with the IPs. Unfortunately, we have not found any additional malware samples communicating with or referenced by the below.\r\nOur first server, 146.66.215[.]19, stands out as an anomaly compared to the rest of the infrastructure. This IP address is provided by Datacamp Limited, located in Great Britain. Figure 8 shows the hosted certificates.\r\nFigure 8: SSL History overview for 146.66.215[.]19 (Hunt).\r\ncouncilofwizards[.]com is the single domain linked to this server using CloudFlare services.\r\n45.32.105[.]184\r\nAnother server, 45.32.105[.]184, is provided by Vultr Holdings, LLC, located in Singapore. The domain associated with this CloudFlare certificate, thelocaltribe[.]com, follows the same patterns noted earlier in this analysis.\r\nFigure 9: Screenshot of the certificate overview for 45.32.105[.]184 (Hunt).\r\nTime For Something Different?\r\n149.104.2[.]160\r\nHosted by XNNET LLC in Hong Kong, 149.104.2[.]160 presents a different characteristic. 
Unlike the previously mentioned servers, this IP does not use the 'AES' certificate but instead uses CloudFlare and another cert commonly reported as used by other threat actors to deploy malware like PlugX.\r\nThe certificate fields contain the following:\r\nSubject Common Name: Root CA\r\nSubject Country: US\r\nSubject Organization: TrustAsia Technologies, Inc.\r\nSubject Organizational Unit: Domain Validated SSL\r\nSubject City: Seattle\r\nSubject State: Washington\r\nDomain for CF cert on 149.104.2[.]160: smldatacenter[.]com\r\nFigure 10: SSL History for 149.104.2[.]160 (Hunt).\r\n202.91.36[.]213\r\nThe final IP we'll cover, 202.91.36[.]213, also uses the CF and TrustAsia certificates and is hosted on ChangLian Network Technology Co., Limited.\r\nkentscaffolders[.]com is the domain linked to the CloudFlare cert on this server.\r\nFigure 11: Certificate fields showing the kentscaffolders[.]com domain name (Hunt).\r\nHonorable mention: Rounding out the above IPs using the CF \u0026 TrustAsia certificates is 223.26.52[.]208 on the CTG Server Limited network. The second domain seen earlier communicating with the malicious .msc file, loginge[.]com, is listed as a DNS name for the CloudFlare certificate.\r\nConclusion\r\nIn this post, we expanded on previously observed IPs/domains linked to DarkPeony, highlighting their continued use of certificate and domain registration practices to obfuscate malicious activity using legitimate services. The threat actor uses wildcard certificates with domains protected by CloudFlare to conceal the actual IP addresses and facilitate malware communication, effectively complicating tracking efforts.\r\nOur focus was on the most recent IP addresses linked to this infrastructure. These elements provide valuable insights into the actor's constant operations. 
Security teams are encouraged to leverage these indicators to proactively hunt for emerging infrastructure as it appears, allowing for earlier detection and disruption of DarkPeony's activities.\r\nNetwork Observables\r\nIP Address | Country | ASN | Certs/Hash\r\n103.107.105[.]81 | HK | ADCDATA.COM | CloudFlare: 708D60B51595D2CDB313E40E9215E3857D931AC9368F308B4FC3244C75BB2; TrustAsia: D64C9AAA5447427AA5DEB13FF80FF1D73B8C074F1666AB452A80E0BD4582\r\n96.43.101.248 | US | Ethr.Net LLC | AES: 994260498E6BDAD93AF7052C99CC7A894A0B9D509BCF28391399F0BBF41FB; CloudFlare: 130C463ED1C2B33E88F618DC030819E3ABBC0898E953428888DA77EDDF01C\r\n223.26.52.245 | HK | CTG Server Limited | CloudFlare: 130C463ED1C2B33E88F618DC030819E3ABBC0898E953428888DA77EDDF01C\r\n146.66.215.19 | GB | Datacamp Limited | AES: B9949EF3D7FED686ECAF04CC9EBEBC55FB7594C94F51E9794AB7BC4BB32; CloudFlare: 3BCBED98FAF9C8ADDAEDF04DBBB04D0BF457190DBC98E5548183EEEAC\r\n45.32.105.184 | SG | The Constant Company | AES: A0097944D47F7174231CE7A38A3C25CC51D9E9A70D5574CE04AA427EE6A3; CloudFlare: 05D9D2785E08FED0BD3BE97BD267CD56752381A5F032FE8D140A9A0AE54F\r\n149.104.2.160 | HK | XNNET LLC | CloudFlare: EEB4AE9ACC598DE874257A70941EDDA377C9EF45E7F3059C8C5D28778F87; TrustAsia: 2F35B0A119A7CA8204F4D158ABCDC90163B0F19F968367C685ED3A86258C4\r\n202.91.36.213 | HK | ChangLian Network Technology Co., Limited | CloudFlare: 6D14946DB325352CF82161B5AA1BB3442F6B980269A0CDBFEDB1311DC795; TrustAsia: F888DA96249AEA874229554A433EE3E5AB2483D400EF10C20FDA4118149F4\r\n223.26.52[.]208 | HK | CTG Server Limited | CloudFlare: 366e5abec0c2495720223e0438996ebff3d3596fd516e5a06d9c908c7c2; TrustAsia: 6CFB62E5FEAE0DE193B3F04B47E534A95BDE79FBE3B74E582233F341C510E\r\nSource: 
https://hunt.io/blog/darkpeony-certificate-patterns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/darkpeony-certificate-patterns"
	],
	"report_names": [
		"darkpeony-certificate-patterns"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434025,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/103db2e3d848ef230432f42c9cb37fea746cdde8.pdf",
		"text": "https://archive.orkl.eu/103db2e3d848ef230432f42c9cb37fea746cdde8.txt",
		"img": "https://archive.orkl.eu/103db2e3d848ef230432f42c9cb37fea746cdde8.jpg"
	}
}