Summary A critical security incident exposed KeyPlug malware infrastructure due to the improper use of wolfSSL test certificates in production. The 24-hour exposure revealed sophisticated attack tools linked to the RedGolf/APT41 threat group, demonstrating how poor certificate management can compromise even advanced threat actors’ operations. The Certificate Failure The compromised server was identified through its WolfSSL test certificate:

Subject Common Name: www[.]wolfssl[.]com
Subject Organizational Unit: Support_1024
Issuer Organizational Unit: Consulting_1024
SHA-256: 4C1BAA3ABB774B4C649C87417ACAA4396EBA40E5028B43FADE4C685A405CC3BF

Critical Issues

Test Certificate Misuse

Production use of wolfssl.com test domain
Weak 1024-bit keys (indicated by "_1024" suffix)
Certificate sharing across multiple attack servers

Security Impact

Exposed Fortinet exploitation tools and C2 infrastructure
Enabled infrastructure correlation through shared certificates
Compromised operational security of advanced threat actors

Best Practices for WolfSSL Implementation To avoid security lapses like the one described, it’s critical to follow best practices when deploying wolfSSL in production environments. The following guidelines focus on certificate requirements, security controls, and monitoring techniques: Production Deployments

Certificate Requirements

Use only trusted CA-issued certificates
Implement minimum 2048-bit RSA keys
Maintain proper validation chains

Security Controls

Never use test certificates in production
Implement certificate pinning
Regular certificate rotation

Monitoring and Detection

Certificate Auditing

Regular infrastructure scans
Certificate inventory management
Automated validation checks

Warning Signs

Domains containing "wolfssl.com"
Organizational units with test indicators
Key sizes below 2048 bits
Invalid trust chains

Recommendations To mitigate risk and ensure strong certificate hygiene, both WolfSSL users and security teams should take immediate action. Below are tailored recommendations for each group: Immediate Actions

For WolfSSL Users

Audit all certificates
Remove test certificates
Implement CA-issued certificates
Verify proper key lengths

For Security Teams

Monitor for test certificate usage
Implement certificate validation
Regular infrastructure scanning
Maintain certificate inventory

Conclusion Organizations must maintain strict separation between development and production certificates and implement proper certificate management policies to prevent similar exposures. Please do not use wolfSSL test certificates in production because the corresponding private keys are published as part of the wolfSSL source code package, so by design, these certificates are insecure. The test certificate private keys are public! Source:

KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, and Recon Activity Targeting a Major Japanese Company Exposed KeyPlug Malware Staging Server Contains Fortinet Firewall and VPN Exploitation Scripts

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247. Download wolfSSL Now