Description
This detector identifies network traffic that is intentionally routed through intermediary infrastructure to obscure the true source of the connection. Instead of originating directly from a residential or corporate internet service provider, traffic appears to come from proxy services, anonymization networks, or hosted infrastructure.
Masked network connections differ from typical consumer VPN usage in that they are often designed specifically to hide origin, rotate IP addresses, or blend malicious traffic into otherwise trusted network categories.
Common masking mechanisms include:
Residential proxy infrastructure
Traffic routed through the residential internet connections of legitimate users, often without their knowledge. This causes the connection to appear as a trusted home user rather than as traffic from a data center or hosting provider.
Anonymity networks
Use of multi-hop routing systems such as Tor, where traffic is relayed through multiple volunteer-operated nodes to make source attribution extremely difficult.
Data center and hosting provider IPs
Connections originating from cloud platforms such as AWS, DigitalOcean, or Azure, rather than from consumer ISPs, often indicating scripted, automated, or remotely hosted activity.
Relevance to Social Engineering Attacks
Masked network connections act as a concealment layer that enables social engineering attacks to appear local, credible, and difficult to trace.
Common attacker use cases include:
Bypassing geographic controls
Attackers operating from one region route traffic through residential proxies in the victim’s city or country to avoid triggering foreign login warnings or location-based risk checks.
Impersonation through borrowed reputation
Many security systems implicitly trust residential IP addresses more than hosting providers. By using residential proxies, attackers inherit the reputation of legitimate home users, reducing suspicion during impersonation attempts.
Sustaining automated or repeated attempts
During credential guessing or MFA abuse, proxy pools allow attackers to rapidly rotate IP addresses. If one address is blocked, a new, clean IP can be used almost immediately to continue the attack.
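The two detection ideas above (categorising the source of a connection as residential proxy, anonymity network or hosting, and spotting rapid rotation across such sources for one account) can be combined into a simple enrichment-plus-correlation check. The following is an added illustration, not this detector's own implementation; the prefix lists, login events, field names and thresholds are all constructed placeholders (documentation address ranges), and a real deployment would feed them from Tor exit lists, ASN data and proxy-provider intelligence.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder feeds (RFC 5737 documentation ranges, not real infrastructure).
TOR_EXIT_PREFIXES = ["198.51.100.0/24"]            # stands in for a Tor exit-node list
HOSTING_PREFIXES = ["203.0.113.0/24"]              # stands in for cloud/hosting ASN ranges
RESIDENTIAL_PROXY_PREFIXES = ["192.0.2.0/25"]      # stands in for known residential-proxy egress

CATEGORY_FEEDS = [
    ("anonymity_network", TOR_EXIT_PREFIXES),
    ("hosting", HOSTING_PREFIXES),
    ("residential_proxy", RESIDENTIAL_PROXY_PREFIXES),
]


def classify_ip(ip: str) -> str:
    """Map a source IP to a masking category, or 'unclassified' if no feed matches."""
    addr = ipaddress.ip_address(ip)
    for category, prefixes in CATEGORY_FEEDS:
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return category
    return "unclassified"


# Constructed login events: (timestamp_seconds, user, source_ip, outcome).
SAMPLE_EVENTS = [
    (0, "alice", "192.0.2.10", "fail"),        # residential proxy
    (60, "alice", "192.0.2.11", "fail"),       # another residential proxy exit
    (120, "alice", "198.51.100.5", "fail"),    # Tor exit
    (150, "alice", "203.0.113.9", "success"),  # hosting provider, then success
    (200, "bob", "192.0.2.200", "fail"),       # plain address outside every feed
    (260, "bob", "192.0.2.200", "success"),    # same stable address: normal user
]


def find_rotation(events, window=300, min_distinct=3):
    """Flag users seen from >= min_distinct distinct masked IPs within `window` seconds.

    Only masked categories count, so a user retrying from one home address is
    never flagged; the result maps each flagged user to the IPs and categories involved.
    """
    by_user = defaultdict(list)
    for ts, user, ip, _outcome in sorted(events):
        if classify_ip(ip) != "unclassified":
            by_user[user].append((ts, ip))
    alerts = {}
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            seen = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts[user] = {ip: classify_ip(ip) for ip in sorted(seen)}
                break
    return alerts
```

Running find_rotation(SAMPLE_EVENTS) flags only alice, with the four masked addresses and their categories; bob's repeated attempts from one unclassified address produce nothing.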
Examples of Detected Tooling and Techniques
This detector is effective against a wide range of network masking technologies, including:
Anonymity networks
Tor Browser, I2P (Invisible Internet Project).
Proxy management tools
ProxyChains, FoxyProxy, Burp Suite when configured with upstream proxy infrastructure.
Residential proxy services
Providers such as Bright Data (formerly Hola), Oxylabs, and specialized underground proxy services.
Command-line networking tools
Utilities such as curl or wget routed through SOCKS5 or HTTP proxy servers.
Notable Incidents and Threat Actors
Sandworm (Russian GRU)
Known for extensive use of Tor and chained proxy infrastructure to mask command-and-control activity during high-impact social engineering and disruptive operations.
Copode 1.0
A Latin American threat group observed combining commercial VPN services with compromised residential proxy infrastructure to conceal origin during financial fraud campaigns.
LockBit 3.0
While primarily associated with ransomware, this group has used proxy tools such as ProxyChains and SOCKS5 tunneling to hide initial access activity following successful phishing-based social engineering.