A Rare Look Inside a Hacker’s Toolbox Reveals a Stealthy Chinese Proxy Service
A few days ago, the website DDoSecrets published a data dump allegedly originating from the workstation of an operator involved in a campaign against organizations in South Korea and Taiwan. The author of the release attributed the activity to the North Korean group Kimsuky, though this claim has not been independently verified and remains a matter for professional intelligence analysts to determine. Spur, a company specializing in intelligence on anonymizing infrastructure, received a client tip regarding an IP address and dissected what lay behind the proxy nodes featured in the leak.
The investigation began with a peculiar pairing of address and cryptographic details found in the documents: IP 156.59.13[.]153, responding on the non-standard port 4012, presented a certificate with the Common Name *.appletls[.]com (SHA-1 fingerprint a26c0e8b1491eda727fd88b629ce886666387ef5). A fingerprint search revealed more than a thousand other IP addresses serving the same certificate, many of them listening on ports in the 40xx range. The majority were hosted in China, but dozens were scattered across data centers in other countries. The pattern suggested an organized network; the open question was whether it was a commercial service or a custom-built proxy farm run by the operators themselves.
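Pivoting on a shared leaf-certificate fingerprint is the move that turned one IP:port into a thousand. The following Python is an added example, not Spur's tooling: it runs that pivot over a handful of constructed scan records in the shape a Censys/Shodan export or a Zeek x509.log would give, normalizes fingerprints so openssl-style colon hex and bare hex compare equal, and then summarizes the hits by port range and hosting country. The record layout, the country field and every address (TEST-NET ranges) are assumptions; only the fingerprint and Common Name come from the article.

```python
# Added example: pivot TLS scan observations on a leaf-certificate SHA-1.
# Not Spur's tooling. Record layout, country field and all IPs are constructed
# (TEST-NET addresses); the fingerprint and CN are the ones quoted in the text.
from collections import Counter
from dataclasses import dataclass

GOLDEN_SHA1 = "a26c0e8b1491eda727fd88b629ce886666387ef5"
GOLDEN_CN = "*.appletls.com"


@dataclass(frozen=True)
class TlsObservation:
    ip: str
    port: int
    sha1: str        # SHA-1 over the DER leaf cert; bare hex or openssl "AA:BB:..." style
    subject_cn: str
    country: str     # hosting country as reported by the scanner (assumed field)


def norm_sha1(fp: str) -> str:
    """Canonical form: lower-case hex, no separators, so scanner exports and
    `openssl x509 -fingerprint -sha1` output compare equal."""
    digest = fp.replace(":", "").strip().lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError(f"not a SHA-1 fingerprint: {fp!r}")
    return digest


def in_40xx(port: int) -> bool:
    """The narrow listener range the article associates with these nodes."""
    return 4000 <= port <= 4099


def pivot_on_fingerprint(observations, sha1: str = GOLDEN_SHA1):
    """Every observation whose leaf cert hashes to `sha1`, regardless of IP or port."""
    want = norm_sha1(sha1)
    return [o for o in observations if norm_sha1(o.sha1) == want]


def summarize(hits):
    """Shape of the network behind a shared cert: hosts, ports, countries, names."""
    return {
        "hosts": len({h.ip for h in hits}),
        "in_40xx": sum(1 for h in hits if in_40xx(h.port)),
        "ports": sorted({h.port for h in hits}),
        "by_country": Counter(h.country for h in hits),
        "cns": sorted({h.subject_cn for h in hits}),
    }


# Constructed sample: four nodes share the golden cert (one of them on 443); one
# unrelated host listens on 4012 with a different cert and must not match.
SAMPLE = [
    TlsObservation("203.0.113.10", 4012, GOLDEN_SHA1, GOLDEN_CN, "CN"),
    TlsObservation("203.0.113.11", 4021, "A2:6C:0E:8B:14:91:ED:A7:27:FD:88:B6:29:CE:88:66:66:38:7E:F5", GOLDEN_CN, "CN"),
    TlsObservation("198.51.100.7", 4033, GOLDEN_SHA1, GOLDEN_CN, "SG"),
    TlsObservation("198.51.100.8", 443, GOLDEN_SHA1, GOLDEN_CN, "US"),
    TlsObservation("192.0.2.5", 4012, "0" * 40, "*.example.com", "DE"),
]

if __name__ == "__main__":
    hits = pivot_on_fingerprint(SAMPLE)
    for h in hits:
        print(f"{h.ip}:{h.port}  {h.country}  {'40xx' if in_40xx(h.port) else ''}")
    print(summarize(hits))
```

Port alone is a weak pivot (the unrelated 4012 listener above is correctly excluded); the fingerprint is what does the work, and the port range and geography then describe the fleet rather than select it.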
Technical clues quickly pointed toward the Trojan protocol, a popular method of bypassing the Great Firewall of China by masquerading as ordinary HTTPS traffic. A Trojan server speaks genuine TLS and forwards any connection that does not carry a valid client password to a decoy web server, so a scanner or censor sees a normal website; it also means every node must present a real certificate, which is precisely the detail the fingerprint pivot exploits. Configuration files indicated its use. Nodes tagged with ganode[.]org presented the same *.appletls[.]com certificate found in the leak, and Spur identified the same certificate on nodes belonging to WgetCloud (formerly GaCloud), linking the activity directly to that provider.
WgetCloud is a paid proxy/VPN service. Its interface and documentation are in Chinese, and its subscription model offers three tiers, with the highest granting access to 29 exit locations, including China, Singapore, the United States, Germany, Australia, and Russia. Payments are accepted through WeChat, Alipay, and TRC20, with monthly subscriptions priced between $8 and $12. Upon purchase, customers receive a “subscription URL” — a base64-encoded file containing a list of nodes that can be imported into any Trojan-compatible client.
Field verification tied the findings together. Testing selected IP:port pairs with OpenSSL confirmed that they presented the *.appletls[.]com certificate, and live exit nodes served the same "golden" certificate. Spur ultimately connected the Singaporean IP address cited in the leak to a WgetCloud node. Whether the threat actor legitimately purchased a subscription or gained unauthorized access to the node remains unclear; the certificate identifies the provider, not the customer. The core conclusion is nonetheless evident: commercial Trojan infrastructure can blend seamlessly into APT traffic, complicating attribution.
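The OpenSSL check described above, together with the subscription-file import from the previous section, as an added Python example that is not Spur's own tooling. It assumes the decoded subscription body is one trojan:// share link per line (`trojan://password@host:port?sni=<name>#<label>`, the format common Trojan clients exchange, with `peer` as an older alias for `sni`); the article only says "a base64-encoded file containing a list of nodes". The sample links, password, labels and addresses are constructed. `probe_node` performs the live step, equivalent to `openssl s_client -connect host:port -servername sni | openssl x509 -noout -fingerprint -sha1`, and deliberately disables chain validation because the goal is to record what the node presents, not to trust it.

```python
# Added example, not Spur's tooling: decode a Trojan "subscription URL" body,
# extract host:port and SNI per node, and fingerprint the leaf certificate each
# node presents, as the openssl s_client check in the text does.
# ASSUMED: the decoded body is one trojan:// share link per line
# (trojan://password@host:port?sni=<name>#<label>); "peer" is an older alias
# some clients use for sni. The article only says "base64-encoded list of nodes".
import base64
import hashlib
import socket
import ssl
from dataclasses import dataclass
from urllib.parse import parse_qs, unquote, urlsplit

GOLDEN_SHA1 = "a26c0e8b1491eda727fd88b629ce886666387ef5"  # *.appletls[.]com cert from the leak


@dataclass(frozen=True)
class Node:
    host: str
    port: int
    sni: str     # name sent in the TLS ClientHello; the server picks its cert by it
    label: str


def parse_subscription(blob: str) -> list[Node]:
    """Base64-decode the subscription body and parse each trojan:// link."""
    stripped = blob.strip()
    padded = stripped + "=" * (-len(stripped) % 4)      # tolerate stripped padding
    body = base64.b64decode(padded).decode("utf-8", errors="replace")
    nodes = []
    for line in body.splitlines():
        line = line.strip()
        if not line.startswith("trojan://"):
            continue                         # comments, blank lines, other schemes
        u = urlsplit(line)                   # the password lands in u.username
        q = parse_qs(u.query)
        sni = (q.get("sni") or q.get("peer") or [u.hostname])[0]
        nodes.append(Node(u.hostname, u.port or 443, sni, unquote(u.fragment)))
    return nodes


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case hex, the form `openssl x509 -fingerprint -sha1` prints."""
    hexd = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def matches_golden(fingerprint: str, golden: str = GOLDEN_SHA1) -> bool:
    """Compare fingerprints regardless of case or colon separators."""
    return fingerprint.replace(":", "").lower() == golden.replace(":", "").lower()


def probe_node(node: Node, timeout: float = 5.0) -> tuple[str, bool]:
    """Live check: TLS handshake to host:port with the node's SNI; return the
    leaf cert fingerprint and whether it is the golden one. Verification is
    off on purpose: we are fingerprinting the node, not trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((node.host, node.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=node.sni) as tls:
            der = tls.getpeercert(binary_form=True)
    fp = sha1_fingerprint(der)
    return fp, matches_golden(fp)


# Constructed sample subscription (TEST-NET addresses, made-up password and labels).
SAMPLE_LINKS = "\n".join([
    "# constructed, not a real WgetCloud file",
    "trojan://examplepass@203.0.113.10:4012?sni=sg1.appletls.com#SG-01",
    "trojan://examplepass@198.51.100.7:4021?peer=us1.appletls.com#US-01",
])
SAMPLE_SUBSCRIPTION = base64.b64encode(SAMPLE_LINKS.encode()).decode()

if __name__ == "__main__":
    for node in parse_subscription(SAMPLE_SUBSCRIPTION):
        try:
            fp, golden = probe_node(node)
            print(f"{node.label} {node.host}:{node.port} sni={node.sni} {fp} golden={golden}")
        except OSError as exc:               # sample hosts are unroutable; real nodes go offline
            print(f"{node.label} {node.host}:{node.port} unreachable: {exc}")
```

Sending the node's own SNI matters: a Trojan server fronted by a wildcard certificate may serve a different (or no) certificate to a ClientHello without the expected name, so probing by bare IP can miss the match the subscription file would reveal.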
The picture is striking. A single certificate, a narrow port range, and a handful of GitHub strings were enough to trace the path from an “anonymous” IP to a specific Chinese Trojan proxy provider. Still, the claim of Kimsuky’s involvement remains speculative, resting solely on the original publication; confirming or disproving it is a task for the wider intelligence community. What is already clear, however, is that commercial proxy platforms are increasingly serving as convenient havens for espionage campaigns, shifting the challenge of defense and attribution away from “hard” IOCs and toward painstaking correlation of subtle network details.