Uncovering Joker’s C2 Network: How Hunt’s SSL History Exposed Its Infrastructure

ID: 39b589a6-f656-52d1-9f3d-e205af782909

STIX ID: report--39b589a6-f656-52d1-9f3d-e205af782909

Feed Name: Hunt.io Blog

Threat Score
70/100

Date Published: 2026-02-16

Date Updated: 2026-04-28

This report analyzes an active Joker Android malware campaign: investigators examined an APK sample (com.hdphoto.wallpaper4k.apk) and decoded staged payloads, documented POST-based C2 communications to hdphoto.uno, and used Hunt SSL-history pivots to map certificate reuse across 77 Alibaba-hosted IPs and numerous malicious domains. The write-up includes SSL certificate fingerprints, server IPs, domain lists, and file SHA-256 hashes as IOCs to aid detection and hunting.