JA4 Fingerprinting: Transforming Black Boxes into Beacons for Modern Threat Hunting
Published on
Apr 8, 2025

Tracking down threat actors gets significantly harder when you don't fully grasp how detection signals work, especially with today's encrypted traffic muddying the waters. Add to the mix the near-universal use of TLS by adversary tooling and infrastructure, and the balance tips in favor of threat actors. Encryption does hide the payload, but the handshake and certificate metadata around it stay observable, and that metadata carries behavioral patterns.
In 2017, JA3 emerged as a method for fingerprinting SSL/TLS clients (and, with JA3S, servers) from a fixed set of handshake fields, and a new set of detection capabilities and threat identification strategies became available. Critics soon called it brittle and easily bypassed, citing hash collisions between unrelated clients and the ease of spoofing a fingerprint that captures no context beyond the ClientHello.
That's where JA4 comes in. Built for the shifting demands of everyday threat hunters, JA4 (or the JA4+ suite) brings a more modular and interpretable approach that extends application and network fingerprinting to multiple protocols and new use cases. In our 2023 interview titled "JA4: Decoding Cyber Shadows", John Althouse shared the motivation behind JA4's architecture and the lessons learned from JA3 that led to the new approach.
With these foundational goals in mind, JA4 marks a shift toward more transparent and adaptable network visibility, designed to recognize behavioral patterns across encrypted protocols with far greater clarity. Read on as we elaborate on how JA4 improves encrypted traffic fingerprinting for modern threat hunting.
JA3 vs. JA4: Key Differences
JA4+ replaces the JA3 lineage with a suite of human- and machine-readable fingerprints: JA4 (TLS client), JA4S (TLS server), JA4H (HTTP client), JA4X (X.509 certificate), JA4L (latency), JA4SSH (SSH traffic) and JA4T/JA4TS (TCP client and server). All of them use a locality-preserving layout, with related values kept next to each other, which makes the fingerprints easy to parse and suitable for custom analysis. That formatting lets hunters isolate and investigate specific behaviors in encrypted traffic they can only partially observe.
JA4 TLS client fingerprints use a structured a_b_c format, with each letter representing a different segment of handshake information: a is a plain, readable summary (transport, TLS version, whether SNI is present, cipher and extension counts, ALPN), b is a truncated SHA-256 of the sorted cipher suites, and c is a truncated SHA-256 of the sorted extensions followed by the signature algorithms. Organizing the fingerprint this way gives threat hunters and defenders the flexibility to:
Zoom in on specific parts of a fingerprint (like just the HTTP cookies),
Filter or group traffic based on partial matches, and
Extend the schema easily without breaking existing tools.
For example, JA4H_c is hashed over just the cookie names in an HTTP request (JA4H_d adds the cookie values). Meanwhile, you could analyze just JA4_ab (the first two segments) to group client activity without the third segment.
In all, a quick comparison between JA3 vs. JA4 reveals the following:
Feature | JA3 | JA4 |
---|---|---|
Focus | TLS ClientHello | TLS, HTTP, SSH, X.509, TCP and more |
Fingerprint format | MD5 hash (opaque) | Human-readable string (modular and interpretable; the b and c segments are truncated SHA-256 hashes, and JA4_r exposes the raw values) |
Protocol context | Limited (TLS only) | Richer context across multiple protocols |
Resistance to evasion | Low: easily spoofed with a custom TLS stack and broken by extension permutation | Higher: sorted values defeat reordering, and an impostor has to match several dimensions at once |
Collision risk | High: different clients can share the same hash | Reduced: more granular fingerprinting |
Extensibility | Static (hard to adapt) | Designed to be modular and extensible |
Real-world adoption | Widely used in passive detection | Gaining traction in AWS WAF, Zeek, PolarProxy and others |
Use case fit | Point detections, IOC (Indicator of Compromise) matching | Threat hunting, behavioral analysis, anomaly detection |
At a glance, the main difference between JA3 and JA4 is scope: JA4 moves beyond the limits of TLS-only fingerprinting to cover broader network traffic. JA4 also sorts cipher suites and extensions before hashing, so reordering them does not change the fingerprint. That is resistance to randomization, not to deliberate impersonation: a TLS library built to replay a browser's exact ClientHello still yields the browser's JA4, which is why segment-level pivots matter more than exact matching.
Although JA3 was a pioneering mechanism for TLS fingerprinting, the demands imposed by the ever-changing modern protocols and threats have rapidly made JA4 the preferred choice for current security applications.
Human-Readable & Modular: A Fingerprint You Can Understand
As noted, one of JA4's most noteworthy improvements over JA3 is the move from one opaque hash to a structured string. Using the a_b_c convention, JA4+ keeps the readable handshake facts in the clear and confines hashing to the cipher and extension segments (each a truncated SHA-256), where JA3 folded everything into a single MD5.
For instance, analysts can read a JA4 fingerprint and immediately see the TLS version, whether SNI was sent, how many cipher suites and extensions the client offered, and its first ALPN value, or the shape of an HTTP request (JA4H for HTTP), without reversing a hash. This modularity also means defenders don't have to rely on a full fingerprint to hunt: they can search by segment, for example all traffic with an unusual cookie-name set (JA4H_c) or an unusual header order (JA4H_b), to mention a few criteria.
Anatomy of a JA4+ fingerprint (Source: https://bit.ly/4iIniXn)
JA4+ takes what used to be a black box and turns it into something that threat hunters can work with: clear, flexible, and easier to share across teams. This semantically meaningful breakdown supports further investigation of behavioral traits in network traffic. Need to catch every TLS 1.3 client that omits SNI or advertises no ALPN? Filter on JA4_a. Need every client offering one particular cipher-suite set? Pivot on JA4_b. Want to match all clients using a particular HTTP header order, regardless of cookies? Focus on JA4H_b.
Finally, human-readable fingerprints are also easier to discuss across teams. Instead of saying "match MD5 hash ab3e1f...", you can say "match TLS 1.3 clients with 15 ciphers and no SNI, using cookie structure Y." Expect the same practicality in detection rules, dashboards, threat-hunting queries, and SIEM enrichments.
Improved Resistance to Evasion: Harder to Spoof, Smarter to Detect
JA4+ offers improved resilience against evasive techniques such as TLS ClientHello extension permutation, where the client randomizes the order of its extensions on every connection. JA3 hashed the extensions (and ciphers) in wire order, so when browsers such as Chrome began permuting extensions, the same browser produced a different JA3 for nearly every connection. JA4 sorts the cipher suites and extensions before hashing, so the order no longer matters.
The JA4 core fingerprint also incorporates additional context, such as Application Layer Protocol Negotiation (ALPN), to enhance accuracy and give a better view of client activity. JA4 records the first and last characters of the first ALPN value the client offers ("h2" stays "h2", "http/1.1" becomes "h1"), which hints at the client's intended application behavior and helps separate types of clients. In particular:
A web browser will typically advertise "h2" or "h1" (HTTP/1.1), reflecting its purpose of web communication.
An IoT device might also use "h2", but the absence of ALPN ("00") suggests a non-browser client, such as a custom application or malware using a minimal TLS stack.
Companies that monitor internet-wide scanning for threat intelligence purposes can integrate the JA4+ suite into their platforms to improve tracking. When an actor changes the TLS cipher set between requests, JA3 generates a different fingerprint for nearly every request, making the activity hard to correlate. With JA4, only the b segment (the cipher-suite hash) changes, while a and c stay consistent, so threat intelligence providers can pivot on the JA4_ac combination, ignoring the noisy part while still identifying the actor. When a fingerprint does change, the raw form (JA4_r) shows which ciphers or extensions moved.
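To make the sorting and the a_b_c layout concrete, here is an added example, written for this article and not code from the JA4 project or from Hunt.io, that computes JA4 and JA3 from already-parsed ClientHello fields. The ClientHello values are constructed to resemble a Chrome handshake and a minimal non-browser stack; they are not captures, and the wire-format parser that would feed them is assumed to exist elsewhere. It shows that reversing the extension order changes the JA3 string but leaves JA4 untouched, how the a section is printed (t13d1516h2), and the JA4_ac pivot discussed above.

```python
import hashlib
from dataclasses import dataclass, field, replace

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 and JA4 both drop them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}
# TLS version as printed in the JA4 "a" section.
TLS_VERSION_CODES = {0x0304: "13", 0x0303: "12", 0x0302: "11",
                     0x0301: "10", 0x0300: "s3", 0x0002: "s2"}


@dataclass
class ClientHello:
    # Fields already parsed from a ClientHello: a constructed stand-in for a
    # packet parser's output (wire-format parsing is not shown here).
    legacy_version: int                       # handshake version, e.g. 0x0303
    ciphers: list[int]                        # cipher suite codes, wire order
    extensions: list[int]                     # extension type codes, wire order
    sni: str = ""                             # server_name value, empty if absent
    alpn: list[str] = field(default_factory=list)
    supported_versions: list[int] = field(default_factory=list)
    signature_algorithms: list[int] = field(default_factory=list)
    supported_groups: list[int] = field(default_factory=list)
    ec_point_formats: list[int] = field(default_factory=list)
    transport: str = "t"                      # 't' TCP, 'q' QUIC, 'd' DTLS


def _no_grease(values: list[int]) -> list[int]:
    return [v for v in values if v not in GREASE]


def _hash12(text: str) -> str:
    # First 12 hex chars of SHA-256; JA4 prints twelve zeros for an empty list.
    return hashlib.sha256(text.encode()).hexdigest()[:12] if text else "000000000000"


def ja4_a(ch: ClientHello) -> str:
    # Readable segment: transport, version, SNI flag, cipher/extension counts, ALPN.
    versions = _no_grease(ch.supported_versions)
    version = max(versions) if versions else ch.legacy_version
    sni = "d" if ch.sni else "i"                          # domain vs. raw IP
    n_ciphers = min(len(_no_grease(ch.ciphers)), 99)
    n_ext = min(len(_no_grease(ch.extensions)), 99)       # SNI and ALPN are counted
    alpn = "00"
    if ch.alpn:
        first = ch.alpn[0]
        if first[0].isalnum() and first[-1].isalnum():
            alpn = first[0] + first[-1]                   # "http/1.1" -> "h1"
        else:                                             # non-printable ALPN: hex ends
            as_hex = first.encode().hex()
            alpn = as_hex[0] + as_hex[-1]
    return f"{ch.transport}{TLS_VERSION_CODES.get(version, '00')}{sni}{n_ciphers:02d}{n_ext:02d}{alpn}"


def ja4_b(ch: ClientHello) -> str:
    # Cipher suites sorted before hashing, so the order the client sent is irrelevant.
    return _hash12(",".join(f"{c:04x}" for c in sorted(_no_grease(ch.ciphers))))


def ja4_c(ch: ClientHello) -> str:
    # Sorted extensions minus SNI (0000) and ALPN (0010), which already appear in "a",
    # then the signature algorithms in their original order.
    exts = sorted(e for e in _no_grease(ch.extensions) if e not in (0x0000, 0x0010))
    if not exts:
        return "000000000000"
    text = ",".join(f"{e:04x}" for e in exts)
    if ch.signature_algorithms:
        text += "_" + ",".join(f"{s:04x}" for s in _no_grease(ch.signature_algorithms))
    return _hash12(text)


def ja4(ch: ClientHello) -> str:
    return f"{ja4_a(ch)}_{ja4_b(ch)}_{ja4_c(ch)}"


def ja4_ac(fp: str) -> str:
    # Drop the cipher hash: the pivot to use when an actor rotates cipher sets.
    a, _b, c = fp.split("_")
    return f"{a}_{c}"


def ja3_string(ch: ClientHello) -> str:
    # JA3 keeps wire order (decimal values), so any reordering changes the MD5.
    parts = [str(ch.legacy_version)]
    for values in (ch.ciphers, ch.extensions, ch.supported_groups, ch.ec_point_formats):
        parts.append("-".join(str(v) for v in _no_grease(values)))
    return ",".join(parts)


def ja3(ch: ClientHello) -> str:
    return hashlib.md5(ja3_string(ch).encode()).hexdigest()


# Constructed Chrome-like ClientHello: realistic field values, not a capture.
CHROME = ClientHello(
    legacy_version=0x0303,
    ciphers=[0x3a3a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
             0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    extensions=[0x6a6a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010, 0x0005,
                0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x4469, 0x0015],
    sni="example.com", alpn=["h2", "http/1.1"],
    supported_versions=[0x0a0a, 0x0304, 0x0303],
    signature_algorithms=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
    supported_groups=[0x1a1a, 0x001d, 0x0017, 0x0018], ec_point_formats=[0],
)
# The same client after ClientHello extension permutation: only the order moved.
PERMUTED = replace(CHROME, extensions=list(reversed(CHROME.extensions)))
# A minimal non-browser stack: TLS 1.2 only, no SNI, no ALPN.
MINIMAL = ClientHello(legacy_version=0x0303, ciphers=[0xc02f, 0xc030, 0x009c, 0x009d, 0x002f],
                      extensions=[0x000a, 0x000b, 0x000d], signature_algorithms=[0x0401, 0x0501])
```

Calling ja4(CHROME) and ja4(PERMUTED) returns the same string, while ja3(CHROME) and ja3(PERMUTED) differ because the JA3 string preserves the reversed extension order. ja4_a(MINIMAL) comes out as t12i050300: TLS 1.2, no SNI, five ciphers, three extensions, no ALPN, the non-browser shape described above.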
Behavioral Clues: Turning JA4 Signals into Huntable Leads
Aligning threat hunting with JA4 makes sense if one is to forgo static indicators in favor of proper behavioral analysis. Because the fingerprints are modular and protocol-aware, analysts can readily define what "normal" looks like within their environment, be it a standard set of TLS handshakes from corporate-allowed browsers or typical HTTP header sequences from known SaaS applications.
Steering the conversation further into the TTP (Tactics, Techniques, and Procedures) hunting discipline, consider an analyst monitoring outbound traffic from a set of internal systems. One system starts making outbound TLS connections with a JA4 fingerprint whose b segment differs from the baseline (a cipher-suite set no corporate browser offers) while segments a and c match known Chrome clients exactly. Extension order cannot cause this, since JA4 sorts extensions; the client genuinely advertises different ciphers. This kind of partial mismatch suggests an attempt to mimic a legitimate browser, possibly with a custom tool or a repurposed library. Because the analyst can isolate and pivot on just the b segment, they can quickly surface similar connections across the environment, potentially revealing C2 beaconing hidden in what otherwise looks like encrypted, browser-like traffic.
In a word, JA4 doesn't just catch anomalies-it turns them into high-fidelity leads.
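The scenario above as detection logic, as an added example written for this article and not Hunt.io code: it runs over a constructed JSON-lines TLS log, compares each JA4 against a small baseline of allowed browsers (the hashes are placeholders, not measured Chrome or Firefox values), flags sessions whose a and c segments match a browser while b does not, pivots on that b segment to find other hosts offering the same cipher set, and checks whether the flagged host's connections recur at regular intervals.

```python
import json
from collections import defaultdict
from statistics import pstdev

# Constructed baseline of browser fingerprints allowed in this environment.
# The b/c hashes are illustrative placeholders, not measured Chrome or Firefox values.
BASELINE = {
    "chrome-desktop": "t13d1516h2_8daaf6152771_b0da82dd1658",
    "firefox-desktop": "t13d1717h2_5b57614c22b0_3d5edc3d6fb1",
}

# Constructed JSON-lines TLS log: one record per session with the client's JA4.
LOG_LINES = """
{"ts": 1712534400, "src": "10.0.0.11", "dst": "203.0.113.10", "dport": 443, "ja4": "t13d1516h2_8daaf6152771_b0da82dd1658"}
{"ts": 1712534460, "src": "10.0.0.11", "dst": "203.0.113.10", "dport": 443, "ja4": "t13d1516h2_8daaf6152771_b0da82dd1658"}
{"ts": 1712534400, "src": "10.0.0.23", "dst": "198.51.100.7", "dport": 443, "ja4": "t13d1516h2_e5627efa2ab1_b0da82dd1658"}
{"ts": 1712534460, "src": "10.0.0.23", "dst": "198.51.100.7", "dport": 443, "ja4": "t13d1516h2_e5627efa2ab1_b0da82dd1658"}
{"ts": 1712534520, "src": "10.0.0.23", "dst": "198.51.100.7", "dport": 443, "ja4": "t13d1516h2_e5627efa2ab1_b0da82dd1658"}
{"ts": 1712534400, "src": "10.0.0.42", "dst": "198.51.100.7", "dport": 8443, "ja4": "t13d1516h2_e5627efa2ab1_b0da82dd1658"}
{"ts": 1712534400, "src": "10.0.0.50", "dst": "192.0.2.9", "dport": 443, "ja4": "t12i050300_1d5b8ab6bd0a_6a3b0e7e1f2c"}
"""


def split_ja4(fp):
    """Return the (a, b, c) segments of a JA4 string."""
    a, b, c = fp.split("_")
    return a, b, c


def classify(fp, baseline=BASELINE):
    """('known', name) on an exact match; ('partial', name) when a and c match a
    baseline browser but the cipher hash b does not; ('unknown', None) otherwise."""
    a, b, c = split_ja4(fp)
    for name, known in baseline.items():
        ka, kb, kc = split_ja4(known)
        if (a, b, c) == (ka, kb, kc):
            return "known", name
        if (a, c) == (ka, kc):
            return "partial", name
    return "unknown", None


def is_beaconing(timestamps, min_count=3, jitter=0.1):
    """Three or more connections at near-constant intervals (deviation <= 10% of mean)."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and pstdev(gaps) <= jitter * mean


def parse_log(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(records, baseline=BASELINE):
    """Flag partial-mismatch sessions, pivot on their b segment, and check for beaconing."""
    hosts_by_b = defaultdict(set)        # cipher-hash segment -> hosts that offered it
    sessions = defaultdict(list)         # (src, dst, dport) -> connection timestamps
    for r in records:
        hosts_by_b[split_ja4(r["ja4"])[1]].add(r["src"])
        sessions[(r["src"], r["dst"], r["dport"])].append(r["ts"])

    findings, seen = [], set()
    for r in records:
        verdict, name = classify(r["ja4"], baseline)
        key = (r["src"], r["dst"], r["dport"])
        if verdict != "partial" or key in seen:
            continue
        seen.add(key)
        b = split_ja4(r["ja4"])[1]
        findings.append({
            "src": r["src"], "dst": r["dst"], "dport": r["dport"],
            "mimics": name,                                   # browser the a/c segments imitate
            "pivot_b": b,
            "other_hosts_with_same_b": sorted(hosts_by_b[b] - {r["src"]}),
            "beaconing": is_beaconing(sessions[key]),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(parse_log(LOG_LINES)):
        print(json.dumps(finding))
```

On the constructed log, 10.0.0.11 matches the Chrome baseline exactly and is ignored, 10.0.0.50 is an unknown non-browser stack (an a segment of t12i050300) that a separate rule would handle, and 10.0.0.23 is flagged as a Chrome impostor beaconing every 60 seconds; the b-segment pivot ties it to 10.0.0.42, which talks to the same destination on a different port with the same foreign cipher set.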
How JA4 Sheds Light on Adversary Infrastructure: The Rakshasa Case
As JA4 establishes its role in real-world, threat-hunting scenarios, it becomes especially effective for profiling encrypted tooling designed to obfuscate operator activity and infrastructure.
Rakshasa is an open-source, Go-based, multi-hop proxy tool for internal network tunneling and proxy chaining. It supports integration with upstream proxies, enabling operators to automatically rotate IP addresses-a valuable feature for maintaining a network of multi-hop servers.
This tool has been associated with activity from both Earth Baku and REF0657. Because Rakshasa encrypts communications using TLS and leverages its built-in certificates, it presents an ideal use case for applying JA4 fingerprinting to identify related infrastructure.
Case in point: when analyzing a known Rakshasa proxy server in Hunt.io, we observed distinct certificate attributes that can serve as pivots. In particular, two fields from both the subject and issuer stood out:
Common Name: chinamobile[.]com
Organization: Company, INC.
With the organizational unit (OU) field left blank and the issuer details mirroring the subject (a self-signed certificate), it's unlikely this server is genuinely affiliated with China Mobile. We can use these indicators, along with the JA4X fingerprint, as a foundation to start hunting. One caveat: JA4X hashes the sequence of OIDs in the issuer, subject and extensions, not their values, so it identifies the code path that generated the certificate rather than this certificate alone; pairing it with the subject fields keeps the pivot specific.
On the same page, we note the associated JA4X fingerprint:
4f24da86fad6_4f24da86fad6_bb943afcc34f
To locate servers with identical JA4X behavior and certificate characteristics, we'll construct the following Hunt SQL query:
SELECT ip, port
FROM certificates
WHERE ja4x.full == '4f24da86fad6_4f24da86fad6_bb943afcc34f'
AND subject.common_name == 'chinamobile[.]com'
AND subject.organization == 'Company, INC.'
Running the query reveals six servers sharing the same JA4X fingerprint-two expose the Rakshasa-linked certificate across multiple ports, likely indicating different listener configurations or chained proxy nodes used as a fallback mechanism.
While Rakshasa is not inherently malicious, its use alongside known threat operations makes it a valuable lead-in to uncovering malicious infrastructure. JA4-based hunting enables analysts to proactively identify additional servers in the wild without relying on the reporting of any static IOCs.
Why JA4 Matters: Smarter Fingerprinting for Modern Defenders
Encrypted traffic is here to stay, and adversaries will keep using it to stay hidden for as long as possible. Building on the strengths above, JA4 brings measurable value to day-to-day security operations: it enables more meaningful correlations and exposes behavioral inconsistencies that static detection or single-request fingerprinting misses.
From experience, we know that this kind of cross-request correlation improves our chances of spotting patterns that would otherwise go unnoticed, such as tool reuse across campaigns, subtle changes in adversary infrastructure, or behavioral shifts that precede active exploitation. A deviation in one segment of a previously observed JA4+ fingerprint can signal a change in tooling, attack vector or objective, and the unchanged segments tell you what stayed the same.
As more and more companies and vendors welcome this sort of enhanced visibility, ask yourself whether it is prudent to remain reactive in the face of evolving adversary tradecraft. When behaviors speak louder than payloads and the surface area for evasion keeps expanding, tools like JA4 offer a rare opportunity: to see the unseen, connect the subtle, and hunt with intention. Better visibility is already possible; it depends on whether we're ready to use it.
Ready to take your threat hunting game to the next level? Discover how turning encrypted signals into actionable insights can make all the difference. Check out our JA4 Fingerprinting live, book a demo today!