Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

Joker is a mobile malware family that has targeted Android devices since at least 2017. Masquerading as legitimate applications, it is frequently distributed through the Google Play Store, slipping past security controls before being removed. Once installed, it intercepts SMS messages, harvests contact lists and device information, and stealthily subscribes victims to premium services.

The malware's operators deploy their command-and-control (C2) infrastructure across cloud-hosted servers, frequently reusing SSL certificates to encrypt communications and obscure network traffic. Tracking these certificates and their associated IPs can expose connections between seemingly unrelated servers, offering defenders a method to uncover and monitor malicious infrastructure over time.

This post examines the role of SSL intelligence in tracking and identifying Joker-linked C2s, showing how certificate pivots can uncover additional infrastructure and provide insight into the malware's operational patterns.

It All Started With an APK

Our research began with an APK file uploaded to Hatching Triage, an online malware sandbox, named com.hdphoto.wallpaper4k.apk (SHA-256: 7f186746152d9569421a88e506c89844eaf0c2036ab5dbe0edb0775a79d9bb9d). A search for the file in VirusTotal showed that six out of 47 vendors flagged it as Joker malware.

The APK's name suggests the malware operators lure potential victims under the guise of a 4K wallpaper application. The app is not hosted on the Google Play Store as of this writing.

Network Communication and Additional Infrastructure

Upon execution, the malware initiates an HTTP POST request to http[:]//hdphoto[.]uno/conf/vcheck. This domain resolved to 47.236.49[.]195, and then moved to 47.237.68[.]53 in mid-February.

Both servers belong to the Alibaba Cloud network, hosted in Singapore, and have servers running nginx version 1.18.0 on ports 80 and 443. The below domains also resolve to the IPs:

• 47.236.49[.]195 → gasu[.]pw

• 47.237.68[.]53 → femk[.]top, tuatol[.]store

The IP ending in .195 will be our starting point for this post as hdphoto[.] initially resolved to that address.

The request to /conf/vcheck returns the following response:

https[:]//hdphotouno.oss-me-east-1[.]aliyuncs[.]com/dex1_v16.txt

A VirusTotal search of the resolving IP, 47.91.99[.]31, hosted on the Alibaba network, reveals multiple APK files communicating with the server, many of which are detected as malicious.

Testing different HTTP requests to check for unique responses is essential when tracking adversary infrastructure. The malware sends a POST request, so we'll send a GET request in a lab environment to assess any changes.

The server responds with a Django REST framework webpage, suggesting the server is configured to handle API-based communications for managing malware-related requests. Django is an open-source web framework written in Python, and the REST framework is an extension specifically for building Web APIs.

dex1_v16.txt (SHA-256: 2766ce69097ccb0cd9b4a7f3cf6eac19d76db2acf7d1b6844cc10d5460528138) contains base64-encoded text, which we can easily decode with CyberChef. The result is an executable DEX file containing the Joker payload. The filename suggests versioning, with 'v16' likely indicating an iteration of the trojan. Of note, the malware authors made no effort to obfuscate the document's name to conceal its purpose.

Next, a request to the same domain is made for another text file, encoded2.txt (SHA-256: 4000d8110f92d5622a19a75d85c7af38fef810cecfe054e02779da9c1e218e5d). This file follows a similar path as the previously described and is likely the second stage of the attack.

Finally, the malware makes repeated POST requests to https[:]//hdphoto[.]uno/1VybiUSr. Once again, sending a different HTTP request results in a different API page titled 'Aes Api.'

Tracking Joker's Infrastructure via Hunt SSL History

SSL certificate analysis is a powerful tool for uncovering malicious infrastructure, tracking adversary movement, and identifying attack staging before operations go live. Building on previous research into SSL intelligence, we applied the same methodology to analyze 47.236.49[.]195 using the SSL History tab in Hunt.

SSL Certificate Observations

According to our scan data, this IP only began using SSL certificates in early February 2025. Both certificates were issued through Let's Encrypt, a free certificate authority that automates issuance and renewal. While widely used for legitimate services, Let's Encrypt is frequently leveraged by threat actors due to its ease of acquisition and lack of strict identity validation.

Additionally, both certificates use uncommon top-level domains (TLDs) in the subject common name, similar to the .fit, .top, and .store domains observed in the previous section. While TLDs alone aren't necessarily a strong indicator of malicious activity, the reuse of infrastructure across different certificates indicates the operators are maintaining control over their servers rather than fully abandoning them.

Rotation of certificates is a common threat actor tactic used to refresh encryption keys, evade detections on specific certificate fingerprints, or extend the lifespan of malicious infrastructure.

By pivoting on Certificate IPs, we can quickly uncover additional servers that have used these certificates---whether actively in use or historically linked. This approach helps reconstruct attack timelines and track infrastructure reuse, which is particularly relevant in long-running malware operations.

Infrastructure Shifts Between Certificates

The older certificate, SHA-256: 95F845F390269A3805657C9F544719C937FD458966818FADCBAD7D4CC05B69FF, issued for airsound[.]fit was observed from February 1 to February 4, 2025, and is associated with 71 IPs, all hosted within Alibaba Cloud infrastructure.

The more recent certificate, SHA-256: 5848152508ACC864869500C0DFFF20723A087019EB717131DC6D7DF51FBD75E6, issued for ablefee[.]wiki, was observed for a single day on February 21, 2025. Despite this short-lived presence, it appeared on 77 IPs, which completely overlapped with the older certificate but included a handful of additional servers.

Infrastructure Analysis

The 77 IPs associated with the ablefee[.]wiki certificate are spread across two autonomous systems (ASNs):

• Alibaba.com LLC

• Alibaba.com Singapore E-Commerce Private Limited

The majority of these servers are hosted in Singapore, with a smaller subset located in the United States. All use the standard port associated with TLS-encrypted communications, 443.

The domains linked to this infrastructure continue to follow the pattern of uncommon TLDs, which the threat actor(s) seem to rely heavily on. Some domains suggest potential themes designed to lure victims, such as:

• securemsg[.]store

• screenlocker[.]art

• timestampmark[.]me

These domains were registered through one of two providers:

• NameSilo

• Alibaba Cloud Computing Ltd. d/b/a HiChina (www[.]net[.]cn)

Active Servers and Observed Payloads

Many IPs and their associated domains have been flagged as malicious in VirusTotal, with several APKs identified as Joker malware. Given the ongoing activity, we focused on two servers whose certificates were still observed in Hunt's scans as of February 26, 2025.

Server 1: 8.222.246[.]250

• Resolves to: cgan[.]info

• Likely Target: Camera app users

• APK Info:

  • Filename: com.defabook.camera_1.5.apk

  • SHA-256: a5aa7e18aa8e0473d37661830eaf9ccd0401ee4c44de426e53e39fe47fa06ed4

Server 2: 8.222.195[.]150

• Resolves to: kuen[.]work

• Likely Target: Users tracking water consumption

• APK Info:

  • Filename: Drinking Water_2.3.apk

  • SHA-256: 2c0845ff2ef220b6fcdd57c30471ee854bcd886b5c7d78c468bef47436197f36

Conclusion

Joker malware remains an active threat, relying on a few SSL certificates shared across multiple IP addresses to maintain its infrastructure. Our analysis led to 77 Joker-linked servers across the Alibaba network, highlighting the operator's preference for certificate reuse. This approach could suggest automation is used to streamline server setup, reducing the effort usually required to manage certificates across an extensive C2 network.

Certificate tracking is crucial for identifying adversary activity, offering defenders a way to uncover infrastructure connections that might otherwise go unnoticed. When combined, using Let's Encrypt certificates, Alibaba-hosted IPs, and unique TLDs creates a strong foundation for hunting this campaign, enabling proactive detection of related activity.

In addition to only downloading apps from official stores, users can reduce their risk of infection by reviewing app permissions, checking for inflated reviews, and conducting searches of web presence for apps with large download counts.

Joker Network Observables and Indicators of Compromise (IOCs)

Joker Host Observables and Indicators of Compromise (IOCs)