Unmasking Adversary Infrastructure: How Certificates and Redirects
Exposed Earth Baxia and PlugX Activity
Published: 2024-10-10 · Archived: 2026-04-05 21:23:09 UTC
TABLE OF CONTENTS
IntroductionIdentifying Earth Baxia InfrastructureIdentifying PlugX Servers Through Anomalous Certificates and
RedirectsConclusionEarth Baxia Network Observables
Introduction
Tracking adversary infrastructure often starts with subtle clues. In this case, unconventional certificates and unique HTTP
redirect headers led us to two distinct malicious networks. One network was linked to Earth Baxia, a threat actor identified
by Trend Micro believed to be from China, while the other appears to be connected to PlugX, based on our telemetry.
While these two infrastructures were tracked independently and are not connected, following these basic indicators helped
us map out clusters of servers likely used in network intrusions.
This post details the steps taken to uncover and track these networks.
Identifying Earth Baxia Infrastructure
After reviewing the Trend Micro report, we analyzed the IOCs to identify any additional infrastructure potentially linked to
Earth Baxia. Our research uncovered Cloudflare certificates with Subject Alternative Name (SAN) domains resembling
those mentioned in the blog post. SANs are extensions within SSL/TLS certificates that list additional domain names, or IP
addresses a certificate can secure beyond the primary domain.
CloudFlare certificate:
SubjectCommonName: CloudFlare Origin Certificate
SubjectOrganization: CloudFlare, Inc.
SubjectOrganizationalUnit: CloudFlare Origin CA
Issuer Country: US
IssuerOrganization: CloudFlare, Inc.
IssuerOrganizationalUnit: CloudFlare Origin SSL Certificate Authority
IssuerLocality: San Francisco
DNSNames: *.viet-tel[.]site
viet-tel[.]site
 
Copy
An example of one of the Cloudflare certificates found at 203.25.119[.]28.
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 1 of 7

We also discovered several self-signed certificates falsely claimed to have been issued by Microsoft, adding to the
suspicious nature of the infrastructure. Over the same period, many servers hosting these certificates were also observed to
serve the Cloudflare certificates mentioned above. Combined with the HTTP redirects, which we'll mention shortly, these
indicators pointed to a small but distinct cluster of 12 likely malicious servers, all of which we attribute to Earth Baxia based
on our visibility.
The complete list of the IPs, domains, and redirect URLs is included at the end of this post.
"Microsoft" self-signed certificate:
SubjectCommonName: bing[.]com
SubjectCountry: US
SubjectOrganization: Microsoft Corporation
SubjectOrganizationalUnit: Microsoft IT
SubjectLocality: Redmond
SubjectProvince: Washington
Issuer data: same as above
 
Copy
This cert was also seen at 203.25.119[.]28 during the same period.
The HTTP 301 redirects we observed were primarily over ports 443 and 8443, directing users to well-known legitimate
websites like the FBI, NASA, and eBay homepages. This technique was likely used to create an illusion of benign activity,
blending malicious behavior into what seemed like standard traffic patterns.
Attackers often leverage open-source redirector tools such as RedGuard or RedWarden to obscure the actual location of
command-and-control (C2) servers and evade detection by researchers. However, in this case, there was no evidence that
either of these tools was employed, suggesting a custom header was used to achieve a similar effect.
HTTP/1.1 301 Moved Permanently
Date: Wed, 2 Oct 2024 08:25:21 GMT **Value varies
Content-Type: text/html
Content-Length: 106 **Value varies
 
Copy
HTTP 301 redirect used in Earth Baxia malicious servers.
The selection of the redirect URLs used appears strategic, focusing on high-profile organizations in the defense,
intelligence, and software sectors. These choices suggest that the attacker(s) aimed to blend into environments where
military or government-related traffic is commonplace.
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 2 of 7

Noteworthy Redirect URLs:
www[.]jdf.mil[.]jm: This domain belongs to the Jamaica Defence Force (JDF), Jamaica's official military
organization.
www[.]sap[.]com: Redirects to the official website of SAP, a global leader in enterprise software solutions.
www[.]mil[.]ru: The official website of the Russian Ministry of Defense, frequently targeted or spoofed in various
campaigns.
www[.]mi6.gov[.]uk: This domain redirects to the UK's Secret Intelligence Service (SIS), commonly referred to as
MI6, which uses the official domain sis.gov[.]uk.
www[.]pao.af[.]mil: A spoof of the Public Affairs Office of the United States Air Force. Visiting this domain results
in an HTTP 400 error.
<html><head><meta http-equiv="refresh" content="0; url=https://www.jdf.mil[.]jm"></head><body></body></html
 
Copy
Redirect URL hosted at 203.55.176[.]207:8443
Identifying PlugX Servers Through Anomalous Certificates and Redirects
While hunting for unusual SSL/TLS certificates, our research team came across a small set of servers, some identified as
PlugX C2 nodes. A notable pattern emerged among these IPs--the letters "AES" appeared consistently in the Subject
Organizational Unit field of the certificates.
Examples of the certificates we encountered are below.
SubjectCommonName: Rootxlhijori
SubjectCountry: yo
SubjectOrganization: Asfft
SubjectOrganizationalUnit: AES
SubjectLocality: nmdmkivk
SubjectProvince: Lostxoxk
 
Copy
An example certificate for 96.43.101[.]248.
SubjectCommonName: Rootabmxucet
SubjectCountry: qy
SubjectOrganization: Asxee
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 3 of 7

SubjectOrganizationalUnit: tnkkAES
SubjectLocality: esfzhk
SubjectProvince: Losududrj
 
Copy
Suspicious certificated hosted at 45.133.239[.]188.
We developed a Hunt Advanced Search query targeting servers with similar certificate characteristics to narrow our analysis.
This resulted in 5 unique IP addresses, indicating a cluster of infrastructure tied to PlugX operations.
subject.organizational_unit:/AES/ AND subject.common_name:/^[A-Za-z]+$/ AND issuer.common_name:/^[A-Za-z]+$/ AND ja4x:c9d784bbb12e_c9
 
Copy
Advanced Search query for PlugX linked certificates.
The query is designed to filter for certificates where the OrganizationalUnit field contains 'AES' and both the Subject
CommonName and Issuer CommonName contain only alphabetical characters.
Additionally, the query looks for a specific JA4X fingerprint. The screenshot below shows our findings.
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 4 of 7

Figure 1: Query results for suspicious PlugX certificates. Search conducted on 03 October (Hunt Link)
Four of the five results in Figure 1 had ports already detected as PlugX on the Hunt platform:
38.54.85[.]112 -- Ports: 443, 5000
45.133.239[.]188 -- Port: 5000
45.251.243[.]210 -- Port: 6000
96.43.101[.]248 -- Port: 5000
After identifying the IPs tied to the suspicious certificates, we also observed HTTP 302 redirects. These redirects were
consistently seen on ports 80 and 8088, commonly used for unencrypted HTTP traffic. In this case, all the redirects pointed
to the same domain: https://www.google.com.
An example of the redirect header is as follows:
HTTP/1.1 302 ok
LOCATION: https://www.google.com
 
Copy
The lowercase "ok" in the status code is unusual. It could indicate hastily constructed, or custom HTTP responses likely
meant to mimic legitimate headers while slightly deviating from standard HTTP formatting.
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 5 of 7

Also, notice the all-caps "LOCATION" header and the redirection to Google.
Figure 2: Custom HTTP 302 response at 45.133.239[.]188 (Hunt Link).
Conclusion
In this investigation, we uncovered two distinct clusters of malicious infrastructure. The first, tied to Earth Baxia, revealed
suspicious certificates and HTTP 301 redirects that pointed users to trusted sites like the FBI homepage, suggesting an
attempt to obscure malicious activity.
The second set of servers, potentially linked to a more extensive PlugX campaign, was identified by anomalous certificates
containing the "AES" string and HTTP 302 redirects to Google. These minor yet significant anomalies in certificates and
headers helped us identify and track this infrastructure, offering valuable insights for further investigation and defense.
Monitoring indicators like those discussed above lets defenders pinpoint suspicious infrastructure early on, allowing them to
uncover malicious activity before an attack is fully underway. This proactive approach gives security teams a valuable head
start in preventing potential threats from escalating.
Earth Baxia Network Observables
IP Address ASN Certificate Domain(s) Redirect URL
Host
Country
Las
Seen
18.162.111[.]155
Amazon.com,
Inc.
Cloudflare
&
Microsoft
visualstudio-microsoft[.]com
https://www.dropbox[.]com HK
2024
09-2
43.239.249[.]243
xTom Japan
Co., Ltd.
Cloudflare
&
Microsoft
index.caihongyun[.]cc
SAN:
taipeilivecenter[.]online
oca[.]pics
https://www.pao.af[.]mil JP
2024
09-2
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 6 of 7

IP Address ASN Certificate Domain(s) Redirect URL
Host
Country
Las
Seen
45.76.153[.]76
The Constant
Company,
LLC
Cloudflare
&
Microsoft
promociin.com
api.promociin[.]com
kallpod-asia.kallfly[.]com
api.s2.baxtool[.]ru
SAN:
islot[.]ink
https://www.mi6.gov[.]uk SG
2024
10-0
45.153.129[.]96
Cloudie
Limited
Cloudflare
&
Microsoft
51xiatian[.]cc
app.51xiatian[.]cc
www.youke2[.]top
SAN:
s3-microsoft[.]com
https://www.ebay[.]com HK
2024
10-0
96.9.213[.]142
Datacamp
Limited
Cloudflare
&
Microsoft
SAN:
trendmicrotech[.]com
https://www.mil[.]ru SG
2024
09-2
96.9.212[.]181
Datacamp
Limited
Cloudflare
&
Microsoft
SAN:
naver-info[.]store
skt-info[.]online
https://www.ups[.]com SG
2024
09-2
103.199.16[.]232
365 Online
technology
joint stock
company
Cloudflare N/A N/A VN
2024
10-0
128.199.126[.]48
DigitalOcean,
LLC
Let's
Encrypt
SAN:
xhq.yidaplays[.]ink
https://www.sap[.]com SG
2024
09-2
172.93.189[.]206
Gigabit
Hosting Sdn
Bhd
Cloudflare N/A https://www.wikipedia[.]org HK
2024
09-2
172.93.189[.]209
Gigabit
Hosting Sdn
Bhd
Cloudflare
&
Microsoft
SAN:
s3bucket-azure[.]online
https://www.google[.]com HK
2024
10-0
203.25.119[.]28
Gigabit
Hosting Sdn
Bhd
Cloudflare
&
Microsoft
SAN:
viet-tel[.]site
https://www.fbi[.]gov HK
2024
09-2
203.55.176[.]207
Datacamp
Limited
Cloudflare
&
Microsoft
SAN:
transfer-server[.]store
https://www.jdf.mil[.]jm SG
2024
10-0
Source: https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
https://hunt.io/blog/unmasking-adversary-infrastructure-how-certificates-and-redirects-exposed-earth-baxia-and-plugx-activity
Page 7 of 7