TECH ORDUS NOVUS ORDO CYBER INTELLIGENCE

APT41 Infrastructure Pivot: Tracking C2 via JA3 Fingerprints and ASN Patterns

Background

APT41 (Winnti, Double Dragon) operates multi-purpose infrastructure serving both espionage and financially motivated operations. This analysis tracks a cluster active since late 2025.

Tracking Methodology

JA3 Fingerprinting

The group’s custom implant consistently produces JA3 hash a0e9f5d64349fb13191bc781f81f42e1 — a non-standard TLS client hello observable on network egress.

Certificate Patterns

Observed self-signed certificates share:

  • Serial length: 20 bytes, always starting with 00
  • Subject CN format: *.{random-6-char}.com
  • Validity: exactly 398 days (Apple/browser max)

ASN Clustering

Infrastructure consistently migrates through three ASNs before abandoning:

  1. AS9808 (China Mobile) — initial staging
  2. AS14061 (DigitalOcean) — operational relay
  3. AS20473 (Vultr) — fallback C2
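The three indicator families above (JA3 hash, certificate shape, ASN migration order) can be applied to TLS session logs as a single triage pass. The following is an added example, not part of the original report; the log fields and the sample sessions are assumed/constructed, and the ASN 64496 is a documentation-reserved placeholder for "some unrelated network".

```python
import re
from dataclasses import dataclass

# Indicators exactly as stated in the report above.
APT41_JA3 = "a0e9f5d64349fb13191bc781f81f42e1"
CN_PATTERN = re.compile(r"^\*\.[a-z0-9]{6}\.com$")
CERT_VALIDITY_DAYS = 398
ASN_MIGRATION = (9808, 14061, 20473)  # China Mobile -> DigitalOcean -> Vultr

@dataclass
class TlsObservation:
    """One TLS session as a sensor might log it (field names are assumed)."""
    ja3: str
    cert_cn: str
    serial_hex: str
    validity_days: int
    asn: int

def match_indicators(obs: TlsObservation) -> list[str]:
    """Names of every report indicator this single session satisfies."""
    hits = []
    if obs.ja3.lower() == APT41_JA3:
        hits.append("ja3")
    if CN_PATTERN.match(obs.cert_cn):
        hits.append("cert_cn")
    serial = bytes.fromhex(obs.serial_hex)
    if len(serial) == 20 and serial[0] == 0x00:   # 20-byte serial starting with 00
        hits.append("cert_serial")
    if obs.validity_days == CERT_VALIDITY_DAYS:
        hits.append("cert_validity")
    return hits

def follows_asn_migration(asns: list[int]) -> bool:
    """True if staging -> relay -> fallback ASNs appear in that order in the
    chronological ASN list; unrelated ASNs may be interleaved."""
    remaining = list(ASN_MIGRATION)
    for asn in asns:
        if remaining and asn == remaining[0]:
            remaining.pop(0)
    return not remaining

# Constructed sample sessions (not real telemetry), oldest first.
SAMPLE = [
    TlsObservation(APT41_JA3, "*.k3j9xq.com", "00" + "ab" * 19, 398, 9808),
    TlsObservation(APT41_JA3, "*.k3j9xq.com", "00" + "ab" * 19, 398, 14061),
    TlsObservation("771,4865-4866,0-23,29-23,0", "www.example.com", "0f" * 16, 90, 64496),
    TlsObservation(APT41_JA3, "*.p7m2wz.com", "00" + "cd" * 19, 398, 20473),
]
```

Treat a session with two or more hits as worth analyst review; a JA3 hit on its own can collide with other TLS stacks, so the certificate and ASN context is what raises confidence.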

YARA Rule

rule apt41_implant_tls_2026 {
  strings:
    // JA3 hash reported for the implant's TLS client hello; as a literal string this
    // only fires where the hash text itself is present (sensor output, logs, reports)
    $ja3 = "a0e9f5d64349fb13191bc781f81f42e1" ascii
    // Subject CN shape of the observed self-signed certificates: *.<6 chars>.com
    $cn  = /\*\.[a-z0-9]{6}\.com/ ascii
  condition:
    any of them
}