{
	"id": "74919175-ace9-41b6-81dd-19a40694a84d",
	"created_at": "2026-04-06T00:16:05.38474Z",
	"updated_at": "2026-04-10T13:12:35.315579Z",
	"deleted_at": null,
	"sha1_hash": "7648d998e7ef2b175e3a7d19bfb7ec14495a1097",
	"title": "Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 22262421,
	"plain_text": "Uncovering Joker’s C2 Network: How Hunt’s SSL History\r\nExposed Its Infrastructure\r\nPublished: 2025-02-27 · Archived: 2026-04-05 14:43:49 UTC\r\nJoker is a mobile malware family that has targeted Android devices since at least 2017. Masquerading as\r\nlegitimate applications, it is frequently distributed through the Google Play Store, slipping past security controls\r\nbefore being removed. Once installed, it intercepts SMS messages, harvests contact lists and device information,\r\nand stealthily subscribes victims to premium services.\r\nThe malware's operators deploy their command-and-control (C2) infrastructure across cloud-hosted servers,\r\nfrequently reusing SSL certificates to encrypt communications and obscure network traffic. Tracking these\r\ncertificates and their associated IPs can expose connections between seemingly unrelated servers, offering\r\ndefenders a method to uncover and monitor malicious infrastructure over time.\r\nThis post examines the role of SSL intelligence in tracking and identifying Joker-linked C2s, showing how\r\ncertificate pivots can uncover additional infrastructure and provide insight into the malware's operational patterns.\r\nIt All Started With an APK\r\nOur research began with an APK file uploaded to Hatching Triage, an online malware sandbox, named\r\ncom.hdphoto.wallpaper4k.apk (SHA-256:\r\n7f186746152d9569421a88e506c89844eaf0c2036ab5dbe0edb0775a79d9bb9d). A search for the file in VirusTotal\r\nshowed that six out of 47 vendors flagged it as Joker malware.\r\nThe APK's name suggests the malware operators lure potential victims under the guise of a 4K wallpaper\r\napplication. The app is not hosted on the Google Play Store as of this writing.\r\nNetwork Communication and Additional Infrastructure\r\nUpon execution, the malware initiates an HTTP POST request to http[:]//hdphoto[.]uno/conf/vcheck. 
This\r\ndomain resolved to 47.236.49[.]195, and then moved to 47.237.68[.]53 in mid-February.\r\nBoth servers belong to the Alibaba Cloud network, are hosted in Singapore, and run nginx version\r\n1.18.0 on ports 80 and 443. The following domains also resolve to these IPs:\r\n47.236.49[.]195 → gasu[.]pw\r\n47.237.68[.]53 → femk[.]top, tuatol[.]store\r\nThe IP ending in .195 will be our starting point for this post, as hdphoto[.] initially resolved to that address.\r\nhttps://hunt.io/blog/uncovering-joker-c2-network\r\nPage 1 of 14\n\nFigure 1: IP overview of 47.236.49[.]195 in Hunt.\r\nThe request to /conf/vcheck returns the following response:\r\nhttps[:]//hdphotouno.oss-me-east-1[.]aliyuncs[.]com/dex1_v16.txt\r\nA VirusTotal search of the resolving IP, 47.91.99[.]31, hosted on the Alibaba network, reveals multiple APK\r\nfiles communicating with the server, many of which are detected as malicious.\r\nTesting different HTTP requests to check for unique responses is essential when tracking adversary infrastructure.\r\nThe malware sends a POST request, so we'll send a GET request in a lab environment to assess any changes.\r\nThe server responds with a Django REST framework webpage, suggesting the server is configured to handle API-based communications for managing malware-related requests. Django is an open-source web framework written\r\nin Python, and the REST framework is an extension specifically for building Web APIs.\r\nFigure 2: Screenshot of the API endpoint page at hdphoto[.]uno/conf/vcheck.\r\ndex1_v16.txt (SHA-256: 2766ce69097ccb0cd9b4a7f3cf6eac19d76db2acf7d1b6844cc10d5460528138) contains\r\nbase64-encoded text, which we can easily decode with CyberChef. The result is an executable DEX file\r\ncontaining the Joker payload. The filename suggests versioning, with 'v16' likely indicating an iteration of the\r\ntrojan. 
Of note, the malware authors made no effort to obfuscate the file's name to conceal its purpose.\r\nFigure 3: Result of running the contents of dex1_v16.txt in CyberChef.\r\nNext, a request to the same domain is made for another text file, encoded2.txt (SHA-256:\r\n4000d8110f92d5622a19a75d85c7af38fef810cecfe054e02779da9c1e218e5d). This file follows a path similar to the\r\none previously described and is likely the second stage of the attack.\r\nFinally, the malware makes repeated POST requests to https[:]//hdphoto[.]uno/1VybiUSr. Once again,\r\nsending a different HTTP request results in a different API page titled 'Aes Api.'\r\nFigure 4: Screenshot of the API endpoint page at hdphoto[.]uno/1VybiUSr.\r\nTracking Joker's Infrastructure via Hunt SSL History\r\nSSL certificate analysis is a powerful tool for uncovering malicious infrastructure, tracking adversary movement,\r\nand identifying attack staging before operations go live. Building on previous research into SSL intelligence, we\r\napplied the same methodology to analyze 47.236.49[.]195 using the SSL History tab in Hunt.\r\nSSL Certificate Observations\r\nAccording to our scan data, this IP only began using SSL certificates in early February 2025. Both certificates\r\nwere issued through Let's Encrypt, a free certificate authority that automates issuance and renewal. While widely\r\nused for legitimate services, Let's Encrypt is frequently leveraged by threat actors because certificates are easy to obtain and\r\nissuance involves no strict identity validation.\r\nAdditionally, both certificates use uncommon top-level domains (TLDs) in the subject common name, similar to\r\nthe .fit, .top, and .store domains observed in the previous section. 
While TLDs alone aren't necessarily a strong\r\nindicator of malicious activity, the reuse of infrastructure across different certificates indicates the operators are\r\nmaintaining control over their servers rather than fully abandoning them.\r\nRotation of certificates is a common threat actor tactic used to refresh encryption keys, evade detections on\r\nspecific certificate fingerprints, or extend the lifespan of malicious infrastructure.\r\nBy pivoting on Certificate IPs, we can quickly uncover additional servers that have used these certificates,\r\nwhether actively in use or historically linked. This approach helps reconstruct attack timelines and track\r\ninfrastructure reuse, which is particularly relevant in long-running malware operations.\r\nFigure 5: Screenshot of SSL History of IP address 47.236.49[.]195 in Hunt.\r\nInfrastructure Shifts Between Certificates\r\nThe older certificate, SHA-256: 95F845F390269A3805657C9F544719C937FD458966818FADCBAD7D4CC05B69FF, issued\r\nfor airsound[.]fit, was observed from February 1 to February 4, 2025, and is associated with 71 IPs, all hosted\r\nwithin Alibaba Cloud infrastructure.\r\nFigure 6: Snippet of IPs related to the airsound[.]fit certificate in Hunt.\r\nThe more recent certificate, SHA-256: 5848152508ACC864869500C0DFFF20723A087019EB717131DC6D7DF51FBD75E6,\r\nissued for ablefee[.]wiki, was observed for a single day on February 21, 2025. 
Despite this short-lived\r\npresence, it appeared on 77 IPs, a set that fully contained the older certificate's IPs plus a handful of\r\nadditional servers.\r\nFigure 7: Screenshot of 'Certificate IPs' results for ablefee[.]wiki certificate in Hunt.\r\nInfrastructure Analysis\r\nThe 77 IPs associated with the ablefee[.]wiki certificate are spread across two autonomous systems (ASNs):\r\nAlibaba.com LLC\r\nAlibaba.com Singapore E-Commerce Private Limited\r\nThe majority of these servers are hosted in Singapore, with a smaller subset located in the United States. All use\r\nthe standard port associated with TLS-encrypted communications, 443.\r\nThe domains linked to this infrastructure continue to follow the pattern of uncommon TLDs, which the threat\r\nactor(s) seem to rely heavily on. Some domains suggest potential themes designed to lure victims, such as:\r\nsecuremsg[.]store\r\nscreenlocker[.]art\r\ntimestampmark[.]me\r\nThese domains were registered through one of two providers:\r\nNameSilo\r\nAlibaba Cloud Computing Ltd. d/b/a HiChina (www[.]net[.]cn)\r\nActive Servers and Observed Payloads\r\nMany IPs and their associated domains have been flagged as malicious in VirusTotal, with several APKs identified\r\nas Joker malware. 
Given the ongoing activity, we focused on two servers whose certificates were still observed in\r\nHunt's scans as of February 26, 2025.\r\nServer 1: 8.222.246[.]250\r\nResolves to: cgan[.]info\r\nLikely Target: Camera app users\r\nAPK Info:\r\nFilename: com.defabook.camera_1.5.apk\r\nSHA-256: a5aa7e18aa8e0473d37661830eaf9ccd0401ee4c44de426e53e39fe47fa06ed4\r\nFigure 8: Screenshot of VirusTotal analysis of Joker payload and domain.\r\nServer 2: 8.222.195[.]150\r\nResolves to: kuen[.]work\r\nLikely Target: Users tracking water consumption\r\nAPK Info:\r\nFilename: Drinking Water_2.3.apk\r\nSHA-256: 2c0845ff2ef220b6fcdd57c30471ee854bcd886b5c7d78c468bef47436197f36\r\nFigure 9: VirusTotal analysis of Joker detected APK.\r\nConclusion\r\nJoker malware remains an active threat, relying on a few SSL certificates shared across multiple IP addresses to\r\nmaintain its infrastructure. Our analysis led to 77 Joker-linked servers across the Alibaba network, highlighting the\r\noperator's preference for certificate reuse. This approach could suggest automation is used to streamline server\r\nsetup, reducing the effort usually required to manage certificates across an extensive C2 network.\r\nCertificate tracking is crucial for identifying adversary activity, offering defenders a way to uncover infrastructure\r\nconnections that might otherwise go unnoticed. 
Combined, the use of Let's Encrypt certificates, Alibaba-hosted\r\nIPs, and uncommon TLDs creates a strong foundation for hunting this campaign, enabling proactive detection of\r\nrelated activity.\r\nIn addition to only downloading apps from official stores, users can reduce their risk of infection by reviewing app\r\npermissions, checking for inflated reviews, and searching for the web presence of apps with large\r\ndownload counts.\r\nJoker Network Observables and Indicators of Compromise (IOCs)\r\nJoker Host Observables and Indicators of Compromise (IOCs)\r\nFilename SHA-256\r\ncom.hdphoto.wallpaper4k.apk 7f186746152d9569421a88e506c89844eaf0c2036ab5dbe0edb0775a79d9bb9d\r\ndex1_v16.txt 2766ce69097ccb0cd9b4a7f3cf6eac19d76db2acf7d1b6844cc10d5460528138\r\nencoded2.txt 4000d8110f92d5622a19a75d85c7af38fef810cecfe054e02779da9c1e218e5d\r\ncom.defabook.camera_1.5.apk a5aa7e18aa8e0473d37661830eaf9ccd0401ee4c44de426e53e39fe47fa06ed4\r\nDrinking Water_2.3.apk 2c0845ff2ef220b6fcdd57c30471ee854bcd886b5c7d78c468bef47436197f36\r\nSource: https://hunt.io/blog/uncovering-joker-c2-network",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/uncovering-joker-c2-network"
	],
	"report_names": [
		"uncovering-joker-c2-network"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434565,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7648d998e7ef2b175e3a7d19bfb7ec14495a1097.pdf",
		"text": "https://archive.orkl.eu/7648d998e7ef2b175e3a7d19bfb7ec14495a1097.txt",
		"img": "https://archive.orkl.eu/7648d998e7ef2b175e3a7d19bfb7ec14495a1097.jpg"
	}
}