Uncovering the Chinese Proxy Service Used in APT Campaigns
2025-08-20 • Spur
https://spur.us/how-spur-uncovered-a-chinese-proxy-and-vpn-service-used-in-an-apt-campaign/
Spur investigated anonymizing infrastructure after a leaked dataset tied IP address 156.59.13[.]153 to activity targeting organizations in South Korea and Taiwan. The leak's author attributed that activity to Kimsuky; Spur explicitly left the attribution unvalidated. The investigation pivoted from a *.appletls[.]com certificate served on non-standard port 4012 to more than 1,000 related IPs, mostly in China, and then to Trojan proxy configuration strings found through GitHub research. Those strings referenced ganode[.]org and appletls[.]com, leading Spur to identify WgetCloud, formerly GaCloud, as a commercial VPN/proxy service using the observed certificate pattern. Spur verified the link by purchasing access, retrieving node configurations, and confirming that the Singapore IP named in the leak belonged to WgetCloud infrastructure, illustrating how suspected APT traffic can blend into commercial proxy services.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | appletls.com | 2025-08-20 | 2025-09-01 |
| IPv4 | 156.59.13.153 | 2025-08-20 | 2025-09-01 |
| HASH | a26c0e8b1491eda727fd88b629ce886… | 2025-08-20 | 2025-08-20 |
| DOMAIN | ctax2k93hsocm8mxx6ey.ganode.org | 2025-08-20 | 2025-08-20 |
| DOMAIN | ganode.org | 2025-08-20 | 2025-08-20 |
| DOMAIN | mf429xciejryees2cusm.appletls.c… | 2025-08-20 | 2025-08-20 |
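One way to turn the indicators above into a review filter for TLS connection logs, as an added example that is not Spur's code: it refangs defanged values, matches exact, subdomain and wildcard-certificate forms of the listed domains, and flags hits that use a port other than the usual TLS ports, as the 4012 observation did. The sample records and the host label `node01` are constructed for the example, and the Zeek-like field names are an assumption.

```python
from fnmatch import fnmatch

# Indicators from the page's IOC table; the wildcard entry reflects the
# *.appletls.com certificate pattern described in the report.
IOC_DOMAINS = {"appletls.com", "ganode.org", "ctax2k93hsocm8mxx6ey.ganode.org"}
IOC_IPS = {"156.59.13.153"}
CERT_WILDCARDS = {"*.appletls.com"}
USUAL_TLS_PORTS = (443, 8443)  # anything else is worth a second look

def refang(value: str) -> str:
    """Turn defanged notation such as 156.59.13[.]153 back into a usable value."""
    return value.replace("[.]", ".")

def domain_matches(name: str) -> bool:
    """True for an IOC domain, any subdomain of it, or a matching wildcard cert name."""
    name = refang(name).lower().rstrip(".")
    if name in IOC_DOMAINS:
        return True
    # random-label hosts such as ctax2k93hsocm8mxx6ey.ganode.org sit under an IOC apex
    if any(name.endswith("." + apex) for apex in IOC_DOMAINS):
        return True
    return any(fnmatch(name, pattern) for pattern in CERT_WILDCARDS)

def classify(record: dict) -> list[str]:
    """Return the reasons a TLS connection record should be reviewed (empty if none)."""
    reasons = []
    if refang(record.get("dst_ip", "")) in IOC_IPS:
        reasons.append("ioc-ip")
    if domain_matches(record.get("sni", "")):
        reasons.append("ioc-sni")
    if domain_matches(record.get("cert_cn", "")):
        reasons.append("ioc-cert")
    # a hit on a non-standard port mirrors the 4012 observation in the report
    if reasons and record.get("dst_port") not in USUAL_TLS_PORTS:
        reasons.append(f"nonstandard-port:{record['dst_port']}")
    return reasons

# Constructed sample records (not from the report) in a Zeek-ssl-like shape.
SAMPLE = [
    {"dst_ip": "156.59.13[.]153", "dst_port": 4012,
     "sni": "node01.appletls.com", "cert_cn": "*.appletls.com"},
    {"dst_ip": "198.51.100.7", "dst_port": 443,
     "sni": "ctax2k93hsocm8mxx6ey.ganode.org", "cert_cn": "*.ganode.org"},
    {"dst_ip": "203.0.113.9", "dst_port": 443,
     "sni": "example.org", "cert_cn": "example.org"},
]

def scan(records=SAMPLE) -> dict[str, list[str]]:
    """Map each flagged record's SNI to its review reasons."""
    return {r["sni"]: classify(r) for r in records if classify(r)}
```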