{
	"id": "a221f8ab-4c0c-461d-ac97-f4eba177c3fc",
	"created_at": "2026-04-06T00:13:01.646005Z",
	"updated_at": "2026-04-10T03:20:24.621637Z",
	"deleted_at": null,
	"sha1_hash": "7305644c8803f54e93b883a7f9f7ca4801f86ab2",
	"title": "How To Track Malware Infrastructure - Identifying Laplas Infrastructure Using Hardcoded TLS Certificates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 438643,
	"plain_text": "How To Track Malware Infrastructure - Identifying Laplas\r\nInfrastructure Using Hardcoded TLS Certificates\r\nBy Matthew\r\nPublished: 2023-05-18 · Archived: 2026-04-05 12:44:50 UTC\r\nVarious queries for locating potential Laplas infrastructure, based on an IP found in a Laplas sample from\r\nMalware Bazaar.\r\nThe full list can be found at the end of the post.\r\nLink to Sample\r\nSHA256: 825b0080782dee075f8aac11c3a682f86c5d3aa5462bd16be0ed511a181dd7ba\r\nLinks to relevant existing research by OALABS and Chris Duggan. Chris in particular has some work that is very\r\nsimilar to this.\r\nSearching this IP in Shodan reveals a server that redirects to https://laplas[.]app\r\nSearching laplas.app reveals 27 servers. Each server appears to be a redirector to the main Laplas site.\r\nSearching laplas.app in Censys reveals 22 servers, two of which were not in the original Shodan list.\r\nOne result, 31.42.176[.]127, contains a reference to CN=Laplas.app. This result appears to be the primary\r\nserver.\r\nSearching for the common name of laplas.app does not reveal additional infrastructure. Only the initial result\r\nof 31.42.176[.]127 was found.\r\nOf the 22 Censys results, no other common names were available that could be used for pivoting.\r\nOnly one JARM hash was available. This was a common JARM fingerprint with around 205K results and hence was\r\nnot useful for pivoting.\r\nservices.jarm.fingerprint=15d3fd16d29d29d00042d43d000000fe02290512647416dcf0a400ccbc0b6b\r\nComplete List of Potential Laplas Stealer Infrastructure\r\nComplete list of IPs based on searches for laplas.app in both Shodan and Censys.\r\nSource: https://embee-research.ghost.io/laplas-clipper-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://embee-research.ghost.io/laplas-clipper-infrastructure/"
	],
	"report_names": [
		"laplas-clipper-infrastructure"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7305644c8803f54e93b883a7f9f7ca4801f86ab2.pdf",
		"text": "https://archive.orkl.eu/7305644c8803f54e93b883a7f9f7ca4801f86ab2.txt",
		"img": "https://archive.orkl.eu/7305644c8803f54e93b883a7f9f7ca4801f86ab2.jpg"
	}
}