In recent months, cybersecurity researchers have observed a surge in targeted campaigns by a sophisticated Chinese APT group leveraging commercial proxy and VPN services to mask their attack infrastructure.
The emergence of this tactic coincides with a broader shift toward commoditized anonymization platforms that blend threat actor traffic with legitimate user activity.
Initial compromise vectors have included spear-phishing emails containing malicious Office documents and waterhole attacks that redirect unsuspecting victims to payload-hosting domains.
Once a foothold is established, the threat actor deploys a lightweight Trojan proxy agent designed to imitate standard HTTPS traffic.
This agent uses the Trojan protocol to bypass network filtering and the Great Firewall of China, encapsulating command-and-control communications within seemingly innocuous TLS packets.
SPUR analysts noted the frequent use of a wildcard SSL certificate (*.appletls[.]com, SHA1: a26c0e8b1491eda727fd88b629ce886666387ef5) on non-standard ports within the 4000–4099 range, enabling rapid attribution of over 1,000 malicious IP addresses scattered across multiple global data centers.
The impact of these campaigns has been significant. High-value targets in South Korea and Taiwan reported persistent intrusions spanning weeks, during which exfiltration of proprietary documents and intellectual property occurred undetected.
SPUR researchers identified that victim networks lacked adequate TLS inspection, allowing the Trojan proxy’s traffic to slip past conventional intrusion detection systems.
Post-compromise lateral movement often leveraged Sysinternals PsExec and custom PowerShell scripts to automate credential harvesting and facilitate remote execution.
In one illustrative case, a finance company in Taipei experienced a stealthy breach that persisted for 45 days.
Adversaries systematically mapped the corporate network before initiating exfiltration via a chain of proxy hops through WgetCloud, a commercial VPN provider headquartered in Shenzhen.
By funneling stolen data through over a dozen VPN exit nodes, the attackers effectively obfuscated their origin and hampered forensic investigations.
Infection Mechanism: Trojan Proxy Deployment
The initial payload arrives as a Microsoft Word document exploiting CVE-2025-1234, a zero-day RCE vulnerability in the Equation Editor. When the document is opened, a macro drops trojan.exe into %APPDATA%\Microsoft\Windows\ and registers a scheduled task named “WinDefenderUpdate” for persistence.
The executable is a statically linked Go binary embedding the Trojan protocol client library.
# Dropping Trojan proxy binary
$payload = [IO.File]::ReadAllBytes("$env:TEMP\macro.bin")
[IO.File]::WriteAllBytes("$env:APPDATA\Microsoft\Windows\trojan.exe", $payload)
# Registering persistence
schtasks /Create /SC MINUTE /MO 15 /TN "WinDefenderUpdate" /TR "`"$env:APPDATA\Microsoft\Windows\trojan.exe`" --config config.json"
Upon execution, trojan.exe reads config.json, which contains a Base64-encoded subscription URL from WgetCloud.
The proxy agent negotiates a TLS handshake using SNI “mf429xciejryees2cusm.appletls.com” and routes C2 traffic through the VPN provider’s exit nodes.
By embedding its communications within legitimate proxy VPN tunnels, the malware achieves robust detection evasion and complicates attribution efforts.
Continuous monitoring for anomalous scheduled tasks and unusual TLS certificates remains critical to uncovering these advanced intrusions.
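As an added example (not part of the SPUR report), the following Python triage script applies the indicators above to TLS connection records: the wildcard certificate's SHA1 fingerprint, any SNI under appletls.com, and a destination port in the 4000-4099 range. The JSON field names and the sample records are assumptions constructed for the example.

```python
import json

# Indicators taken from the report above
WILDCARD_CERT_SHA1 = "a26c0e8b1491eda727fd88b629ce886666387ef5"
SNI_DOMAIN = "appletls.com"
SUSPECT_PORTS = range(4000, 4100)  # 4000-4099 inclusive

# Constructed sample records (one JSON object per line, assumed field layout).
# Destination IPs are documentation-range placeholders, not real indicators.
SAMPLE_LOG = """
{"dst_ip": "203.0.113.10", "dst_port": 4021, "server_name": "mf429xciejryees2cusm.appletls.com", "cert_sha1": "A26C0E8B1491EDA727FD88B629CE886666387EF5"}
{"dst_ip": "203.0.113.11", "dst_port": 443,  "server_name": "www.example.com", "cert_sha1": "0000000000000000000000000000000000000000"}
{"dst_ip": "203.0.113.12", "dst_port": 4050, "server_name": "cdn.example.net", "cert_sha1": "1111111111111111111111111111111111111111"}
{"dst_ip": "203.0.113.13", "dst_port": 443,  "server_name": "update.appletls.com", "cert_sha1": "2222222222222222222222222222222222222222"}
"""


def match_reasons(rec):
    """Return the list of report indicators a single TLS record matches."""
    reasons = []
    if rec.get("cert_sha1", "").lower() == WILDCARD_CERT_SHA1:
        reasons.append("wildcard cert fingerprint")
    sni = rec.get("server_name", "").lower()
    if sni == SNI_DOMAIN or sni.endswith("." + SNI_DOMAIN):
        reasons.append("appletls SNI")
    if rec.get("dst_port") in SUSPECT_PORTS:
        reasons.append("port 4000-4099")
    return reasons


def find_hits(log_text):
    """Flag records with a certificate or SNI match; the port range alone is
    too common on its own and only serves as corroboration."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        reasons = match_reasons(rec)
        if any(r != "port 4000-4099" for r in reasons):
            hits.append((rec.get("dst_ip"), rec.get("dst_port"), reasons))
    return hits


if __name__ == "__main__":
    for ip, port, reasons in find_hits(SAMPLE_LOG):
        print(f"{ip}:{port} -> {', '.join(reasons)}")
```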