After checking the https://crt.sh/ certificate transparency database, we discovered rogue certificates that were never requested from any of the jabber.ru servers.
The maliciously issued certificates differ slightly from the regular ones for these domains: either the wildcard Subject Alternative Name is missing, or a single certificate is issued for both jabber.ru and xmpp.ru. Moreover, the MiTM configuration on the xmpp.ru domain (which points to the Linode servers) was slightly misconfigured: it serves only the xmpp.ru certificate, whereas the original server serves either the jabber.ru or the xmpp.ru certificate depending on the requested XMPP domain.
List of rogue certificates:

Serial                                                   Used in MiTM
03:f3:68:ee:36:30:80:6a:07:81:17:81:04:0c:e3:d9:10:b1    +
04:9c:2d:af:cc:61:88:d6:67:9f:8b:97:99:ce:ad:c9:b7:e0    +
03:43:75:1f:3d:80:20:7d:11:f5:61:98:5b:87:a7:37:81:c6    ?
04:4c:1c:8a:f4:37:a0:5a:dd:83:9c:54:74:89:bd:b9:97:90    +
04:d1:d2:5d:09:95:48:9b:d6:14:cc:81:91:df:ac:7f:ec:c6    ?
04:b7:85:83:9a:fd:df:81:26:48:5b:34:28:08:53:d9:e6:79    +
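The two anomalies described above (a missing wildcard SAN, or one certificate covering both jabber.ru and xmpp.ru) are easy to flag automatically when monitoring CT logs. The following is an added example, not code from the original post: it parses records in the shape of crt.sh's JSON output (the serial_number and name_value fields) and compares each certificate's SAN set against a per-domain baseline; the records and serials are constructed placeholders.

```python
# Added example (not from the original post): flag certificate-transparency
# entries whose SAN set deviates from the expected per-domain baseline.
# Records are constructed inline in the shape of crt.sh's JSON output
# (serial_number, newline-separated name_value); serials are placeholders.
import json

# Expected SAN set for each XMPP domain: apex plus wildcard, nothing else.
EXPECTED_SANS = {
    "jabber.ru": {"jabber.ru", "*.jabber.ru"},
    "xmpp.ru": {"xmpp.ru", "*.xmpp.ru"},
}

# Constructed sample resembling https://crt.sh/?q=jabber.ru&output=json
SAMPLE_CT_JSON = json.dumps([
    {"serial_number": "aa:01", "name_value": "jabber.ru\n*.jabber.ru"},  # normal
    {"serial_number": "aa:02", "name_value": "jabber.ru"},               # no wildcard
    {"serial_number": "aa:03", "name_value": "jabber.ru\nxmpp.ru"},      # both domains
    {"serial_number": "aa:04", "name_value": "xmpp.ru\n*.xmpp.ru"},      # normal
])

def apex_of(name):
    """Map a SAN (possibly a wildcard) to the monitored apex it belongs to."""
    host = name[2:] if name.startswith("*.") else name
    for apex in EXPECTED_SANS:
        if host == apex or host.endswith("." + apex):
            return apex
    return None

def classify(sans):
    """Return a list of anomaly labels for one certificate's SAN set."""
    issues = []
    apexes = {apex_of(n) for n in sans} - {None}
    if len(apexes) > 1:
        issues.append("covers multiple domains: " + ", ".join(sorted(apexes)))
    for apex in sorted(apexes):
        if sans != EXPECTED_SANS[apex]:
            issues.append("unexpected SAN set for " + apex)
    return issues

def find_rogue(ct_json):
    """Parse crt.sh-style JSON; return {serial: [anomalies]} for odd certs."""
    rogue = {}
    for entry in json.loads(ct_json):
        sans = set(entry["name_value"].split("\n"))
        issues = classify(sans)
        if issues:
            rogue[entry["serial_number"]] = issues
    return rogue

if __name__ == "__main__":
    for serial, issues in find_rogue(SAMPLE_CT_JSON).items():
        print(serial, "->", "; ".join(issues))
```

A flagged serial is only a lead: confirm it against the issuance requests actually made by the legitimate servers before treating it as rogue.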
The issuing time of the 18 July 2023 certificate is about the same as the moment when the Hetzner server lost its network link for several seconds.
We have confirmation from an external network scanner that the Linode servers have been serving the 04:b7:85… certificate on port 5222 since at least 21 July 2023. Unfortunately, this scanner does not cover the Hetzner ranges.