Stealth Tactics – Chinese APT Groups Leverage Proxies and VPNs to Conceal Operations

Late last week, a controversial data dump surfaced on DDoSecrets.com, allegedly exposing the workstation files of a threat actor suspected of targeting South Korean and Taiwanese entities.

While attribution remains debated (some researchers point to the North Korean group Kimsuky), the leaked material provided a rare glimpse into the anonymization infrastructure underpinning state-sponsored campaigns.

One particular lead, an IP address (156.59.13[.]153) tied to an SSL certificate (*.appletls[.]com), revealed how adversaries camouflage their command-and-control (C2) and operational flows.

Unmasking Trojan-Based Proxy Networks

The certificate fingerprint, present across over 1,000 global IPs predominantly in Chinese datacenters, hinted at an organized anonymization scheme.

Further open-source intelligence traced the operation to Trojan, a proxy protocol engineered to mimic HTTPS traffic and bypass China’s Great Firewall (GFW).

Trojan nodes follow a structured URL pattern:

trojan://<password>@<server>:<port>?<params>#<tag>

These nodes often employ domain fronting and Server Name Indication (SNI) tricks to disguise traffic, with configurations like ganode[.]org redirecting to SSL certificates that validate against appletls[.]com.

Such tactics enable traffic redirection through multiple choke points, frustrating traditional attribution attempts.
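To make the share-link pattern above concrete, here is an added example (not code from the article or from any proxy vendor) that decodes a base64 subscription list of the kind described later in the piece, parses each trojan:// link into its password, server, port, query parameters and tag, and pulls out the values a defender can pivot on: the exit servers and the SNI the client will actually put on the wire. The three links and their RFC 5737 addresses are constructed sample data; the `sni`/`peer` parameter names are the ones Trojan-compatible clients commonly use, which is an assumption about client behaviour rather than something the article states.

```python
import base64
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass
class TrojanNode:
    """One node from a trojan://<password>@<server>:<port>?<params>#<tag> link."""
    password: str
    server: str
    port: int
    params: dict
    tag: str

    @property
    def sni(self) -> str:
        # Clients send the 'sni' (older builds: 'peer') parameter in the TLS
        # ClientHello; when it is absent the server host itself is sent.
        return self.params.get("sni") or self.params.get("peer") or self.server


def parse_trojan_uri(uri: str) -> TrojanNode:
    """Parse a single trojan:// share link."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "trojan":
        raise ValueError(f"not a trojan:// link: {uri!r}")
    if not (parts.username and parts.hostname and parts.port):
        raise ValueError(f"malformed trojan link: {uri!r}")
    # Share links carry each key at most once; keep the first value of each.
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return TrojanNode(
        password=unquote(parts.username),
        server=parts.hostname,
        port=parts.port,
        params=params,
        tag=unquote(parts.fragment),
    )


def decode_subscription(blob: str) -> list[TrojanNode]:
    """Decode a base64 node list: one share link per line, padding often stripped."""
    data = blob.strip()
    data += "=" * (-len(data) % 4)
    text = base64.b64decode(data).decode("utf-8")
    return [parse_trojan_uri(line) for line in text.splitlines() if line.strip()]


def indicators(nodes: list[TrojanNode]) -> dict[str, set[str]]:
    """Collect pivot points for enrichment: exit servers, SNI values, ports."""
    return {
        "servers": {n.server for n in nodes},
        "sni": {n.sni for n in nodes},
        "ports": {str(n.port) for n in nodes},
    }


# Constructed sample subscription: three fictitious nodes on RFC 5737 addresses.
SAMPLE_LINKS = "\n".join([
    "trojan://s3cret-pw@203.0.113.10:443?security=tls&sni=front.example.net&type=tcp#HK-01",
    "trojan://s3cret-pw@198.51.100.7:8443?sni=cdn.example.org&allowInsecure=0#SG-02",
    "trojan://other-pw@192.0.2.44:443#US-03",
])
# Feeds usually arrive without base64 padding; strip it to exercise that path.
SAMPLE_SUBSCRIPTION = base64.b64encode(SAMPLE_LINKS.encode()).decode().rstrip("=")

if __name__ == "__main__":
    nodes = decode_subscription(SAMPLE_SUBSCRIPTION)
    for n in nodes:
        print(f"{n.tag:6} {n.server}:{n.port}  SNI={n.sni}  params={n.params}")
    print(indicators(nodes))
```

The SNI set is the useful output: when a node's `sni` names one domain while the server presents a certificate for another, as the article describes for ganode[.]org and appletls[.]com, the SNI is what appears in passive DNS and TLS logs, while the certificate is what ties the node back to the fleet.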

The OSINT trail soon uncovered references to GaCloud and its successor, WgetCloud, a commercial VPN/proxy provider marketed mainly in Mandarin.

This service offers multi-jurisdiction nodes spanning China, Singapore, the U.S., Germany, and Australia, an ideal infrastructure for both everyday censorship circumvention and high-level cyber operations.

From Commercial VPN to APT Proxy Infrastructure

Analysis of the leak revealed that WgetCloud nodes not only shared the suspicious SSL certificate but also provided adversaries with flexible IP address rotation for entry and exit.

Subscriptions, priced at $8–$12 via WeChat, AliPay, or TRC20, allow access through apps like Txray (Xray-core based) with base64-delivered node lists. When tested, these nodes consistently returned certificates matching those tied to the threat actor’s infrastructure.

This overlap underscores a critical challenge: attacker infrastructure is increasingly indistinguishable from legitimate anonymization networks. By renting or hijacking commercial services, APT operators blend seamlessly with benign traffic, complicating detection and attribution.

Proxy Attribution: A Growing Security Blind Spot

Threat intelligence provider Spur has since labeled over 1,700 WgetCloud nodes in its datasets, flagging them as anonymizing infrastructure. This classification feeds into SIEM, SOAR, and fraud-detection systems, enriching logs with critical VPN/proxy context.

The case highlights a broader industry concern: the convergence of APT operational security (OPSEC) with everyday circumvention tools. By leveraging commercial proxy services, adversaries achieve global reach, plausible deniability, and resilient C2 pathways.

For defenders, timely enrichment of IP data and contextual awareness of anonymizing services remains key to piercing adversary obfuscation and preventing misattribution.
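As an added illustration of the enrichment the article recommends (this is example code, not Spur's or anyone else's product), the block below runs constructed Zeek-style ssl.log records against a constructed IP-to-provider context table standing in for an anonymizing-infrastructure feed, checks each connection's SNI against the certificate CN the server presented, and flags certificates an analyst has tied to the proxy fleet. The addresses, provider name and certificate subject are all made up; a real deployment would load the feed and the suspect-certificate list from the organisation's own intelligence.

```python
import json

# Constructed stand-in for an anonymizing-infrastructure feed: responder IP -> context.
ANON_CONTEXT = {
    "203.0.113.10": {"provider": "ExampleCloud VPN", "kind": "commercial_proxy"},
    "198.51.100.7": {"provider": "ExampleCloud VPN", "kind": "commercial_proxy"},
}

# Constructed: certificate common names an analyst has linked to the proxy fleet.
SUSPECT_CERT_SUBJECTS = {"*.proxy-cert.example"}

# Constructed Zeek-style ssl.log records, one JSON object per line.
SAMPLE_SSL_LOG = """
{"ts":"2025-09-01T10:00:01Z","id.orig_h":"10.1.2.3","id.resp_h":"203.0.113.10","id.resp_p":443,"server_name":"front.example.net","subject":"CN=*.proxy-cert.example"}
{"ts":"2025-09-01T10:00:05Z","id.orig_h":"10.1.2.3","id.resp_h":"192.0.2.80","id.resp_p":443,"server_name":"www.example.com","subject":"CN=www.example.com,O=Example"}
{"ts":"2025-09-01T10:00:09Z","id.orig_h":"10.1.2.9","id.resp_h":"198.51.100.7","id.resp_p":8443,"server_name":"cdn.example.org","subject":"CN=*.proxy-cert.example"}
""".strip()


def cert_cn(subject: str) -> str:
    """Pull the CN out of an RFC 4514-style subject string (lower-cased)."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value.lower()
    return ""


def name_matches(sni: str, cert_name: str) -> bool:
    """Hostname check the way TLS clients do it: a wildcard covers exactly one label."""
    sni, cert_name = sni.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        s, c = sni.split("."), cert_name.split(".")
        return len(s) == len(c) and s[1:] == c[1:]
    return sni == cert_name


def enrich(record: dict) -> dict:
    """Add VPN/proxy context and certificate checks to one ssl.log record."""
    out = dict(record)
    ctx = ANON_CONTEXT.get(record["id.resp_h"])
    out["anon_provider"] = ctx["provider"] if ctx else None
    out["anon_kind"] = ctx["kind"] if ctx else None
    cn = cert_cn(record.get("subject", ""))
    sni = record.get("server_name", "")
    # SNI for one domain answered with a certificate for another is the
    # fronting pattern the article describes; it is a triage signal, not proof.
    out["sni_cert_mismatch"] = bool(sni) and not name_matches(sni, cn)
    out["suspect_cert"] = cn in SUSPECT_CERT_SUBJECTS
    out["review"] = bool(ctx) or out["suspect_cert"] or out["sni_cert_mismatch"]
    return out


def enrich_log(text: str) -> list[dict]:
    """Enrich every JSON line in an ssl.log excerpt."""
    return [enrich(json.loads(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in enrich_log(SAMPLE_SSL_LOG):
        flags = [k for k in ("sni_cert_mismatch", "suspect_cert") if row[k]]
        print(f"{row['id.orig_h']} -> {row['id.resp_h']}:{row['id.resp_p']} "
              f"provider={row['anon_provider']} flags={flags} review={row['review']}")
```

The `review` field is deliberately a triage marker rather than a verdict: the same WgetCloud-style exit node serves ordinary circumvention users and state operators alike, so the enrichment tells an analyst that an IP is shared anonymizing infrastructure and should not be treated as the actor's own, which is exactly the misattribution the article warns about.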


The post Stealth Tactics – Chinese APT Groups Leverage Proxies and VPNs to Conceal Operations appeared first on Cyber Security News.
