{
	"id": "b78cb4b9-7541-49ce-96c4-f0d2721e9b1c",
	"created_at": "2026-04-06T00:11:55.706596Z",
	"updated_at": "2026-04-10T13:12:53.008929Z",
	"deleted_at": null,
	"sha1_hash": "14ccf501b56705b6b411ae35b3ed5cc4f10f98f2",
	"title": "Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1939598,
	"plain_text": "Unmasking Adversary Infrastructure: How Certificates and Redirects Exposed Earth Baxia and PlugX Activity\r\nPublished: 2024-10-10 · Archived: 2026-04-05 21:23:09 UTC\r\nTABLE OF CONTENTS\r\nIntroduction\r\nIdentifying Earth Baxia Infrastructure\r\nIdentifying PlugX Servers Through Anomalous Certificates and Redirects\r\nConclusion\r\nEarth Baxia Network Observables\r\nIntroduction\r\nTracking adversary infrastructure often starts with subtle clues. In this case, unconventional certificates and unique HTTP redirect headers led us to two distinct malicious networks. One network was linked to Earth Baxia, a threat actor identified by Trend Micro and believed to be from China, while the other appears to be connected to PlugX, based on our telemetry.\r\nWhile these two infrastructures were tracked independently and are not connected, following these basic indicators helped us map out clusters of servers likely used in network intrusions.\r\nThis post details the steps taken to uncover and track these networks.\r\nIdentifying Earth Baxia Infrastructure\r\nAfter reviewing the Trend Micro report, we analyzed the IOCs to identify any additional infrastructure potentially linked to Earth Baxia. Our research uncovered Cloudflare certificates with Subject Alternative Name (SAN) domains resembling those mentioned in the blog post. SANs are extensions within SSL/TLS certificates that list additional domain names or IP addresses a certificate can secure beyond the primary domain.\r\nCloudFlare certificate:\r\nSubjectCommonName: CloudFlare Origin Certificate\r\nSubjectOrganization: CloudFlare, Inc.\r\nSubjectOrganizationalUnit: CloudFlare Origin CA\r\nIssuerCountry: US\r\nIssuerOrganization: CloudFlare, Inc.\r\nIssuerOrganizationalUnit: CloudFlare Origin SSL Certificate Authority\r\nIssuerLocality: San Francisco\r\nDNSNames: *.viet-tel[.]site\r\nviet-tel[.]site\r\nAn example of one of the Cloudflare certificates found at 203.25.119[.]28.\r\nhttps://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity\r\nPage 1 of 7\r\nWe also discovered several self-signed certificates falsely claiming to have been issued by Microsoft, adding to the suspicious nature of the infrastructure. Over the same period, many servers hosting these certificates were also observed to serve the Cloudflare certificates mentioned above. Combined with the HTTP redirects, which we'll mention shortly, these indicators pointed to a small but distinct cluster of 12 likely malicious servers, all of which we attribute to Earth Baxia based on our visibility.\r\nThe complete list of the IPs, domains, and redirect URLs is included at the end of this post.\r\n\"Microsoft\" self-signed certificate:\r\nSubjectCommonName: bing[.]com\r\nSubjectCountry: US\r\nSubjectOrganization: Microsoft Corporation\r\nSubjectOrganizationalUnit: Microsoft IT\r\nSubjectLocality: Redmond\r\nSubjectProvince: Washington\r\nIssuer data: same as above\r\nThis cert was also seen at 203.25.119[.]28 during the same period.\r\nThe HTTP 301 redirects we observed were primarily over ports 443 and 8443, directing users to well-known legitimate websites like the FBI, NASA, and eBay homepages. This technique was likely used to create an illusion of benign activity, blending malicious behavior into what seemed like standard traffic patterns.\r\nAttackers often leverage open-source redirector tools such as RedGuard or RedWarden to obscure the actual location of command-and-control (C2) servers and evade detection by researchers. However, in this case, there was no evidence that either of these tools was employed, suggesting a custom header was used to achieve a similar effect.\r\nHTTP/1.1 301 Moved Permanently\r\nDate: Wed, 2 Oct 2024 08:25:21 GMT **Value varies\r\nContent-Type: text/html\r\nContent-Length: 106 **Value varies\r\nHTTP 301 redirect used in Earth Baxia malicious servers.\r\nThe selection of the redirect URLs used appears strategic, focusing on high-profile organizations in the defense, intelligence, and software sectors. These choices suggest that the attacker(s) aimed to blend into environments where military or government-related traffic is commonplace.\r\nNoteworthy Redirect URLs:\r\nwww[.]jdf.mil[.]jm: This domain belongs to the Jamaica Defence Force (JDF), Jamaica's official military organization.\r\nwww[.]sap[.]com: Redirects to the official website of SAP, a global leader in enterprise software solutions.\r\nwww[.]mil[.]ru: The official website of the Russian Ministry of Defense, frequently targeted or spoofed in various campaigns.\r\nwww[.]mi6.gov[.]uk: This domain redirects to the UK's Secret Intelligence Service (SIS), commonly referred to as MI6, which uses the official domain sis.gov[.]uk.\r\nwww[.]pao.af[.]mil: A spoof of the Public Affairs Office of the United States Air Force. Visiting this domain results in an HTTP 400 error.\r\n\u003chtml\u003e\u003chead\u003e\u003cmeta http-equiv=\"refresh\" content=\"0; url=https://www.jdf.mil[.]jm\"\u003e\u003c/head\u003e\u003cbody\u003e\u003c/body\u003e\u003c/html\r\nRedirect URL hosted at 203.55.176[.]207:8443\r\nIdentifying PlugX Servers Through Anomalous Certificates and Redirects\r\nWhile hunting for unusual SSL/TLS certificates, our research team came across a small set of servers, some identified as PlugX C2 nodes. A notable pattern emerged among these IPs: the letters \"AES\" appeared consistently in the Subject Organizational Unit field of the certificates.\r\nExamples of the certificates we encountered are below.\r\nSubjectCommonName: Rootxlhijori\r\nSubjectCountry: yo\r\nSubjectOrganization: Asfft\r\nSubjectOrganizationalUnit: AES\r\nSubjectLocality: nmdmkivk\r\nSubjectProvince: Lostxoxk\r\nAn example certificate for 96.43.101[.]248.\r\nSubjectCommonName: Rootabmxucet\r\nSubjectCountry: qy\r\nSubjectOrganization: Asxee\r\nSubjectOrganizationalUnit: tnkkAES\r\nSubjectLocality: esfzhk\r\nSubjectProvince: Losududrj\r\nSuspicious certificate hosted at 45.133.239[.]188.\r\nWe developed a Hunt Advanced Search query targeting servers with similar certificate characteristics to narrow our analysis. This resulted in 5 unique IP addresses, indicating a cluster of infrastructure tied to PlugX operations.\r\nsubject.organizational_unit:/AES/ AND subject.common_name:/^[A-Za-z]+$/ AND issuer.common_name:/^[A-Za-z]+$/ AND ja4x:c9d784bbb12e_c9\r\nAdvanced Search query for PlugX linked certificates.\r\nThe query is designed to filter for certificates where the OrganizationalUnit field contains 'AES' and both the Subject CommonName and Issuer CommonName contain only alphabetical characters. Additionally, the query looks for a specific JA4X fingerprint. The screenshot below shows our findings.\r\nFigure 1: Query results for suspicious PlugX certificates. Search conducted on 03 October (Hunt Link)\r\nFour of the five results in Figure 1 had ports already detected as PlugX on the Hunt platform:\r\n38.54.85[.]112 -- Ports: 443, 5000\r\n45.133.239[.]188 -- Port: 5000\r\n45.251.243[.]210 -- Port: 6000\r\n96.43.101[.]248 -- Port: 5000\r\nAfter identifying the IPs tied to the suspicious certificates, we also observed HTTP 302 redirects. These redirects were consistently seen on ports 80 and 8088, commonly used for unencrypted HTTP traffic. In this case, all the redirects pointed to the same domain: https://www.google.com.\r\nAn example of the redirect header is as follows:\r\nHTTP/1.1 302 ok\r\nLOCATION: https://www.google.com\r\nThe lowercase \"ok\" reason phrase in the status line is unusual. It could indicate hastily constructed or custom HTTP responses, likely meant to mimic legitimate headers while slightly deviating from standard HTTP formatting. Also, notice the all-caps \"LOCATION\" header and the redirection to Google.\r\nFigure 2: Custom HTTP 302 response at 45.133.239[.]188 (Hunt Link).\r\nConclusion\r\nIn this investigation, we uncovered two distinct clusters of malicious infrastructure. The first, tied to Earth Baxia, revealed suspicious certificates and HTTP 301 redirects that pointed users to trusted sites like the FBI homepage, suggesting an attempt to obscure malicious activity.\r\nThe second set of servers, potentially linked to a more extensive PlugX campaign, was identified by anomalous certificates containing the \"AES\" string and HTTP 302 redirects to Google. These minor yet significant anomalies in certificates and headers helped us identify and track this infrastructure, offering valuable insights for further investigation and defense.\r\nMonitoring indicators like those discussed above lets defenders pinpoint suspicious infrastructure early on, allowing them to uncover malicious activity before an attack is fully underway. This proactive approach gives security teams a valuable head start in preventing potential threats from escalating.\r\nEarth Baxia Network Observables\r\nIP Address | ASN | Certificate | Domain(s) | Redirect URL | Host Country | Last Seen\r\n18.162.111[.]155 | Amazon.com, Inc. | Cloudflare \u0026 Microsoft | visualstudio-microsoft[.]com | https://www.dropbox[.]com | HK | 2024-09-2\r\n43.239.249[.]243 | xTom Japan Co., Ltd. | Cloudflare \u0026 Microsoft | index.caihongyun[.]cc; SAN: taipeilivecenter[.]online, oca[.]pics | https://www.pao.af[.]mil | JP | 2024-09-2\r\n45.76.153[.]76 | The Constant Company, LLC | Cloudflare \u0026 Microsoft | promociin.com, api.promociin[.]com, kallpod-asia.kallfly[.]com, api.s2.baxtool[.]ru; SAN: islot[.]ink | https://www.mi6.gov[.]uk | SG | 2024-10-0\r\n45.153.129[.]96 | Cloudie Limited | Cloudflare \u0026 Microsoft | 51xiatian[.]cc, app.51xiatian[.]cc, www.youke2[.]top; SAN: s3-microsoft[.]com | https://www.ebay[.]com | HK | 2024-10-0\r\n96.9.213[.]142 | Datacamp Limited | Cloudflare \u0026 Microsoft | SAN: trendmicrotech[.]com | https://www.mil[.]ru | SG | 2024-09-2\r\n96.9.212[.]181 | Datacamp Limited | Cloudflare \u0026 Microsoft | SAN: naver-info[.]store, skt-info[.]online | https://www.ups[.]com | SG | 2024-09-2\r\n103.199.16[.]232 | 365 Online technology joint stock company | Cloudflare | N/A | N/A | VN | 2024-10-0\r\n128.199.126[.]48 | DigitalOcean, LLC | Let's Encrypt | SAN: xhq.yidaplays[.]ink | https://www.sap[.]com | SG | 2024-09-2\r\n172.93.189[.]206 | Gigabit Hosting Sdn Bhd | Cloudflare | N/A | https://www.wikipedia[.]org | HK | 2024-09-2\r\n172.93.189[.]209 | Gigabit Hosting Sdn Bhd | Cloudflare \u0026 Microsoft | SAN: s3bucket-azure[.]online | https://www.google[.]com | HK | 2024-10-0\r\n203.25.119[.]28 | Gigabit Hosting Sdn Bhd | Cloudflare \u0026 Microsoft | SAN: viet-tel[.]site | https://www.fbi[.]gov | HK | 2024-09-2\r\n203.55.176[.]207 | Datacamp Limited | Cloudflare \u0026 Microsoft | SAN: transfer-server[.]store | https://www.jdf.mil[.]jm | SG | 2024-10-0\r\nSource: https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity"
	],
	"report_names": [
		"unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity"
	],
	"threat_actors": [
		{
			"id": "f45af9e4-5037-4a5a-82c1-4627845eea49",
			"created_at": "2024-09-26T02:00:04.286721Z",
			"updated_at": "2026-04-10T02:00:03.707415Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Baxia",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4b7f4f69-7c56-4691-9071-9365884a7f30",
			"created_at": "2024-10-25T02:02:07.672671Z",
			"updated_at": "2026-04-10T02:00:04.660715Z",
			"deleted_at": null,
			"main_name": "Earth Baxia",
			"aliases": [],
			"source_name": "ETDA:Earth Baxia",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"EAGLEDOOR",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14ccf501b56705b6b411ae35b3ed5cc4f10f98f2.pdf",
		"text": "https://archive.orkl.eu/14ccf501b56705b6b411ae35b3ed5cc4f10f98f2.txt",
		"img": "https://archive.orkl.eu/14ccf501b56705b6b411ae35b3ed5cc4f10f98f2.jpg"
	}
}