Identifying Laplas Infrastructure Using Shodan and Censys

Quick identification of Laplas infrastructure by utilising Shodan and Censys.

Various queries for locating potential Laplas infrastructure. Based on an IP found in a Laplas sample from Malware Bazaar.

The full list can be found at the end of the post.

Link to Sample

SHA256: 825b0080782dee075f8aac11c3a682f86c5d3aa5462bd16be0ed511a181dd7ba

Links to relevant existing research by OALABS and Chris Duggan. Chris in particular has some work that is very similar to this.

Searching this IP in Shodan reveals a server that redirects to https://laplas[.].app

Searching reveals 27 servers. Each server appears to be a redirector to the main Laplas site.

Searching in Censys reveals 22 servers. Two of which were not in the original Shodan list.

One result 31.42.176[.]127 contains a reference to This result appears to be the primary server.

Searching for the common name of does not reveal additional infrastructure. Only the initial result of 31.42.176[.]127 was found.

Of the 22 results with Censys, no other common names were available that could be used for pivoting.

Only one JARM hash was available. This was a common JARM fingerprint with around 205K results and hence was not useful for pivoting.


Complete List of Potential Laplas Stealer Infrastructure

Complete list of IPs based on searches for in both Shodan and Censys.