
Chinese APT Hackers Utilize Proxy and VPN Services to Conceal Their Infrastructure

In recent months, cybersecurity researchers have identified a notable increase in targeted campaigns orchestrated by a sophisticated Chinese Advanced Persistent Threat (APT) group. This group has been utilising commercial proxy and VPN services to obscure its attack infrastructure, in line with a broader shift towards commoditised anonymisation platforms that blend threat actor traffic with legitimate user activity. Initial compromise methods have included spear-phishing emails carrying malicious Office documents and watering-hole attacks that redirect unsuspecting visitors to payload-hosting domains. Once a foothold is established, the threat actor deploys a lightweight Trojan proxy agent designed to mimic standard HTTPS traffic. This agent uses the Trojan protocol to get past network filtering and the Great Firewall of China, encapsulating command-and-control communications within seemingly innocuous TLS packets.

The impact of these campaigns has been significant, particularly against high-value targets in South Korea and Taiwan, which have reported persistent intrusions lasting weeks. During these intrusions, proprietary documents and intellectual property were exfiltrated without detection. SPUR researchers noted that victim networks often lacked adequate TLS inspection, allowing the Trojan proxy's traffic to pass conventional intrusion detection systems unchallenged. Post-compromise lateral movement frequently relied on Sysinternals PsExec and custom PowerShell scripts to automate credential harvesting and remote execution. In one case, a finance company in Taipei suffered a stealthy breach lasting 45 days, during which the adversaries systematically mapped the corporate network before initiating data exfiltration through a series of proxy hops via WgetCloud, a commercial VPN provider based in Shenzhen. By routing stolen data through multiple VPN exit nodes, the attackers effectively obscured their origin and complicated forensic investigation.
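The two paragraphs above describe a traffic pattern that survives in flow telemetry even when TLS is not inspected: long-lived, upload-heavy sessions on port 443 towards netblocks operated by commercial proxy and VPN providers. The following script is an added example (not code from the article or from SPUR) that scores Zeek-style conn.log records on exactly those features. The netblocks in PROXY_EXIT_RANGES are constructed placeholders from RFC 5737 documentation space standing in for a threat-intelligence feed of proxy exit nodes, and the log lines are constructed; the byte and duration thresholds are assumptions an analyst would tune to their own baseline.

```python
"""Flag outbound TLS flows that look like proxied exfiltration: destination in a
commercial proxy/VPN exit range, large egress, upload-heavy ratio, long duration.
Added example; netblocks, log lines and thresholds are constructed assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder ranges (RFC 5737 documentation space). In practice this
# list is populated from a feed of commercial proxy/VPN exit-node netblocks.
PROXY_EXIT_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

MIN_EGRESS_BYTES = 50 * 1024 * 1024   # assumed threshold: 50 MiB uploaded in one session
MIN_DURATION_S = 1800.0               # assumed threshold: 30-minute session
UPLOAD_RATIO = 10                     # orig_bytes more than 10x resp_bytes

# Constructed Zeek-style conn.log lines (tab-separated):
# ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes
SAMPLE_CONN_LOG = """\
1700000000.0\tC1\t10.0.5.12\t51234\t203.0.113.45\t443\ttcp\tssl\t3920.5\t524288000\t65536
1700000010.0\tC2\t10.0.5.12\t51235\t93.184.216.34\t443\ttcp\tssl\t2.1\t1800\t45000
1700000020.0\tC3\t10.0.7.9\t49152\t198.51.100.7\t443\ttcp\tssl\t7200.0\t104857600\t20480
1700000030.0\tC4\t10.0.7.9\t49153\t10.0.0.5\t445\ttcp\t-\t0.4\t600\t900
"""


@dataclass
class Flow:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    service: str
    duration: float
    orig_bytes: int
    resp_bytes: int


def _num(field, cast):
    # Zeek writes "-" for unset numeric fields
    return cast(field) if field != "-" else cast(0)


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into Flow records, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("\t")
        flows.append(Flow(uid=f[1], orig_h=f[2], resp_h=f[4], resp_p=int(f[5]),
                          service=f[7], duration=_num(f[8], float),
                          orig_bytes=_num(f[9], int), resp_bytes=_num(f[10], int)))
    return flows


def is_proxy_exit(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_EXIT_RANGES)


def flow_reasons(flow):
    """Return the list of suspicious features seen on one TLS flow (empty if none)."""
    reasons = []
    if flow.resp_p != 443 or flow.service != "ssl":
        return reasons  # only TLS-on-443 flows are in scope for this detection
    if is_proxy_exit(flow.resp_h):
        reasons.append("destination in commercial proxy/VPN exit range")
    if flow.orig_bytes >= MIN_EGRESS_BYTES:
        reasons.append(f"egress {flow.orig_bytes} bytes")
    if flow.orig_bytes > UPLOAD_RATIO * max(flow.resp_bytes, 1):
        reasons.append("upload-heavy (orig/resp ratio > 10)")
    if flow.duration >= MIN_DURATION_S:
        reasons.append(f"long-lived {flow.duration:.0f}s")
    return reasons


def find_suspicious_flows(text, min_reasons=2):
    """Map uid -> reasons for flows with at least min_reasons features.
    Requiring two features keeps a single benign VPN login from alerting."""
    hits = {}
    for flow in parse_conn_log(text):
        reasons = flow_reasons(flow)
        if len(reasons) >= min_reasons:
            hits[flow.uid] = reasons
    return hits


def egress_to_proxy_by_host(text):
    """Total bytes each internal host sent to proxy/VPN exit ranges, for triage."""
    totals = defaultdict(int)
    for flow in parse_conn_log(text):
        if is_proxy_exit(flow.resp_h):
            totals[flow.orig_h] += flow.orig_bytes
    return dict(totals)


if __name__ == "__main__":
    for uid, reasons in find_suspicious_flows(SAMPLE_CONN_LOG).items():
        print(uid, "->", "; ".join(reasons))
    print(egress_to_proxy_by_host(SAMPLE_CONN_LOG))
```

The per-host egress total is the figure worth reviewing first: a single workstation that has pushed hundreds of megabytes to proxy exit ranges over days, rather than one flagged session, is the shape of the 45-day Taipei intrusion described above. The proxy-range feature alone is deliberately not enough to alert, since staff legitimately use commercial VPNs; it becomes meaningful combined with volume, upload ratio or session length.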

Categories: Cybersecurity Threats, Attack Vectors, Data Exfiltration Techniques

Tags: Cybersecurity, APT Group, Proxy Services, VPN, Spear-Phishing, Trojan, TLS, Exfiltration, RCE Vulnerability, Persistence
