Last week, the leak site DDoSecrets.com published a data dump allegedly from a workstation of a threat actor targeting organizations in South Korea and Taiwan. The leak, attributed by its author to the North Korean APT group Kimsuky, provided investigators with a rare opportunity to trace the anonymizing infrastructure behind ongoing cyber operations.
While Spur notes that attribution remains uncertain, the company highlights its role in tracing infrastructure. As the researchers explained: “Spur specializes in identifying and labeling anonymizing infrastructure, so when a customer tipped us off to the IP address this threat actor was using, we set off in identifying the actual VPN or Proxy service used.”
The leaked dataset revealed an IP address (156.59.13[.]153) and an SSL certificate fingerprint tied to *.appletls[.]com. Spur confirmed that “there are indeed over 1,000 other IP addresses with that same certificate present, with some IPs listening on multiple ports all in that same 40** port range.”
This suggested a broad and organized infrastructure footprint. But was this a commercial proxy service or attacker-owned servers?
Further research pointed to the Trojan proxy protocol. As Spur noted: “Trojan is a proxy protocol designed to bypass the Great Firewall of China (AKA: GFW) by imitating HTTPS.”
A closer look revealed domains such as ganode[.]org, which led Spur to an even more significant discovery: connections to WgetCloud, a Chinese proxy service.

Spur’s investigation into WgetCloud found that it was marketed as “a service provider specializing in stable VPNs.” The service offered multiple tiers priced between $8 and $12 USD per month, with payment options including WeChat, AliPay, and TRC20 cryptocurrency.
The premium tier provided 29 exit nodes across countries including China, Singapore, the United States, Germany, Australia, and Russia. Customers received subscription URLs leading to base64-encoded proxy node configurations, which could be loaded into Trojan-capable applications such as Txray.
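The subscription mechanism described above is what a defender would pivot on to turn a proxy service into a set of network indicators. The following is an added example, not Spur's code or WgetCloud's: it assumes the common client convention that a subscription URL returns base64 text whose decoded form is one share link per line of the shape `trojan://<password>@<host>:<port>?<params>#<remark>`, and it treats the “40** port range” from the report as 4000–4099. The sample payload, hosts and SNI names are constructed for illustration.

```python
"""Decode a Trojan-style proxy subscription and extract network indicators.

Added example (not from the Spur report). Assumes the common client
convention: the subscription body is base64, and each decoded line is a
share link trojan://<password>@<host>:<port>?<params>#<remark>.
All sample values below are constructed.
"""
import base64
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


@dataclass(frozen=True)
class ProxyNode:
    host: str
    port: int
    sni: str      # TLS server name the client presents; doubles as an indicator
    remark: str   # human-readable node label from the URL fragment


def decode_subscription(payload: str) -> List[str]:
    """Base64-decode a subscription body and return its non-empty lines.

    Clients tolerate missing padding and URL-safe alphabets, so re-pad and
    use the URL-safe decoder, which also accepts the standard alphabet.
    """
    cleaned = payload.strip()
    cleaned += "=" * (-len(cleaned) % 4)
    raw = base64.urlsafe_b64decode(cleaned)
    return [line for line in raw.decode("utf-8", "replace").splitlines() if line.strip()]


def parse_share_link(link: str) -> ProxyNode:
    """Parse one trojan:// share link; raise ValueError for anything else."""
    parts = urlsplit(link)
    if parts.scheme != "trojan" or not parts.hostname or parts.port is None:
        raise ValueError(f"not a trojan share link: {link!r}")
    params = parse_qs(parts.query)
    # If no explicit SNI is given, clients fall back to the host itself.
    sni = params.get("sni", [parts.hostname])[0]
    return ProxyNode(host=parts.hostname, port=parts.port,
                     sni=sni, remark=unquote(parts.fragment))


def extract_indicators(payload: str) -> Dict[str, object]:
    """Return parsed nodes plus de-duplicated host and SNI lists for blocklists/hunting."""
    nodes: List[ProxyNode] = []
    for line in decode_subscription(payload):
        try:
            nodes.append(parse_share_link(line))
        except ValueError:
            continue  # skip malformed or non-Trojan entries instead of aborting
    return {
        "nodes": nodes,
        "hosts": sorted({n.host for n in nodes}),
        "snis": sorted({n.sni for n in nodes}),
    }


def hosts_in_port_range(nodes: List[ProxyNode], low: int = 4000,
                        high: int = 4099) -> List[Tuple[str, int]]:
    """Endpoints whose port falls in a range of interest (default: the 40** range)."""
    return sorted({(n.host, n.port) for n in nodes if low <= n.port <= high})


# Constructed sample subscription: three Trojan nodes and one foreign entry.
_SAMPLE_LINKS = [
    "trojan://s3cr3t@203.0.113.10:4011?sni=sg.example-node.invalid&type=tcp#SG-01",
    "trojan://s3cr3t@198.51.100.7:443?sni=de.example-node.invalid#DE-01",
    "vmess://not-a-trojan-entry",
    "trojan://s3cr3t@203.0.113.10:4042?sni=sg.example-node.invalid#SG-02",
]
SAMPLE_SUBSCRIPTION = base64.b64encode("\n".join(_SAMPLE_LINKS).encode()).decode()


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_SUBSCRIPTION)
    print("exit hosts:", result["hosts"])
    print("SNI names :", result["snis"])
    print("40** ports:", hosts_in_port_range(result["nodes"]))
```

The host list feeds egress monitoring or a blocklist, while the SNI list is what a network sensor actually sees in the TLS ClientHello, which matters because the protocol is designed to look like ordinary HTTPS.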
Spur ultimately verified that the Singapore-based IP address mentioned in the leak aligned with WgetCloud’s infrastructure. The report states: “We can conclude the Singapore IP address reportedly used by this threat actor belongs to this service, WgetCloud. Whether or not they purchased a subscription or acquired this particular Trojan proxy through other means is unknown.”
The Spur report underscores how APT infrastructure can masquerade as commercial proxy services, complicating attribution and detection. Even if the alleged connection to Kimsuky is uncertain, the case illustrates the importance of infrastructure intelligence in modern threat hunting.
As anonymizing services like WgetCloud become enablers for both privacy-conscious users and malicious actors, defenders face the difficult task of distinguishing legitimate proxy use from nation-state espionage campaigns.