Chinese APT Leverages Proxy and VPN Services to Obfuscate Infrastructure

A significant data dump surfaced on DDoSecrets.com, purportedly extracted from a workstation belonging to a threat actor targeting organizations in South Korea and Taiwan.

The leak, detailed in an accompanying article, attributes the activity to the North Korean advanced persistent threat (APT) group known as Kimsuky, a sophisticated actor previously highlighted in cybersecurity advisories for its espionage campaigns.

While attribution remains unverified and is best left to specialized threat intelligence firms, the dump provides valuable insights into the operational tactics employed, particularly the use of anonymizing infrastructure to evade detection.

Spur, a firm specializing in identifying proxy and VPN services, was alerted to a key IP address 156.59.13[.]153 mentioned in the leak.

This IP was associated with an SSL certificate featuring the common name *.appletls[.]com, served on the non-standard port 4012, with a SHA1 hash of a26c0e8b1491eda727fd88b629ce886666387ef5.

Pivoting from this fingerprint revealed over 1,000 similar IP addresses exhibiting the same certificate, predominantly located in China but scattered across global datacenter providers, often listening on ports in the 40xx range.

This pattern suggested a structured, potentially commercial proxy network rather than ad-hoc infrastructure, prompting a deeper investigation into its origins and implications for APT campaigns.

Technical Analysis

Further analysis indicated that the infrastructure aligns with the Trojan proxy protocol, an obfuscation technique designed to mimic HTTPS traffic and bypass the Great Firewall of China (GFW).

Open-source intelligence (OSINT) efforts, including GitHub searches, uncovered configuration strings referencing domains like ganode[.]org, which matched Trojan URL formats: trojan://@:?#.

These strings included parameters such as SNI overrides (e.g., sni=hostname) for domain fronting and allowInsecure flags to bypass TLS verification, enabling secure connections to frontend domains while validating against appletls[.]com certificates.

Pivoting on ganode[.]org led to references of GaCloud, subsequently rebranded as WgetCloud, a Chinese VPN service provider offering tiered subscriptions for stable, GFW-evading proxies.

Verification involved creating an account on WgetCloud, navigating its Chinese-language interface, and purchasing a subscription ranging from $8 to $12 USD for 30 days via WeChat, Alipay, or TRC20 cryptocurrency.

This granted access to a base64-encoded subscription URL containing node configurations, compatible with Trojan clients like Txray (built on Xray core).
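To make the node-configuration format concrete, here is an added example (not code from the article or from Spur) that decodes a base64 subscription body, parses each trojan:// line into its host, port, SNI override and allowInsecure flag, and reports the settings a defender would treat as fronting indicators. The URL layout (password@host:port?query#remark) and the query keys are the ones the article names; the subscription content itself is constructed.

```python
"""Parse a Trojan subscription blob and flag fronting-style settings.
Added example: the trojan:// layout and the sni=/allowInsecure= keys are
those the article describes; the sample below is constructed, not captured.
"""
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: two trojan:// node lines, base64-encoded the way a
# subscription URL returns them.
SAMPLE_SUBSCRIPTION = base64.b64encode(
    b"trojan://pw1@203.0.113.10:4012?sni=front.example.net&allowInsecure=1#node-a\n"
    b"trojan://pw2@198.51.100.7:443#node-b\n"
).decode()


def parse_trojan_url(url: str) -> dict:
    """Split one trojan:// URL into host, port, SNI override and TLS flags."""
    parts = urlsplit(url)
    if parts.scheme != "trojan":
        raise ValueError(f"not a trojan URL: {url!r}")
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    return {
        "host": parts.hostname,
        "port": parts.port,
        "sni": query.get("sni"),
        "allow_insecure": query.get("allowInsecure") in ("1", "true"),
        "remark": unquote(parts.fragment),
    }


def decode_subscription(blob: str) -> list:
    """Base64-decode a subscription body and parse every trojan:// line."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4)).decode()
    return [parse_trojan_url(line) for line in raw.splitlines() if line.strip()]


def fronting_indicators(node: dict) -> list:
    """Settings that let a node hide behind another name (defender's view)."""
    flags = []
    # SNI differing from the connect host: the handshake names a front domain.
    if node["sni"] and node["sni"] != node["host"]:
        flags.append("sni-override")
    # allowInsecure: the client accepts the node's own cert despite the SNI mismatch.
    if node["allow_insecure"]:
        flags.append("allow-insecure")
    # The article observed these nodes listening on ports in the 40xx range.
    if node["port"] and 4000 <= node["port"] <= 4099:
        flags.append("port-40xx")
    return flags
```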

[Figure: Trojan node configuration]

Inspecting these nodes with tools like openssl confirmed the presence of the identical SSL certificate on both entry and exit IPs, directly linking the leaked IP to WgetCloud’s infrastructure.

The service boasts around 1,700 nodes across countries including China, Singapore, the US, Germany, Australia, and Russia, highlighting its appeal for actors seeking geographic diversity in attack chains.

Implications for Threat Intelligence

This case exemplifies how APT groups, potentially including state-sponsored actors like Kimsuky, integrate commercial proxy services into their operations to blend malicious traffic with legitimate anonymization tools, complicating attribution and detection.

Whether the threat actor subscribed directly or obtained nodes through secondary means remains unclear, but it underscores the risks of such services in cyber espionage.

Spur has since classified all identified WgetCloud nodes as WGETCLOUD_PROXY within its products, including the Monocle platform, Context API, and data feeds, enabling customers to flag and mitigate traffic from these sources.

This enhances threat intelligence on Chinese-origin proxies, often exploited in campaigns involving vulnerability exploitation, ransomware, and industrial control system targeting.

As proxy protocols like Trojan evolve, defenders must prioritize IP attribution techniques, combining technical fingerprinting (e.g., certificate hashing and port scanning) with OSINT to unmask obfuscated infrastructure, ultimately strengthening defenses against persistent threats.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.