Silent Push Traffic Origin Data Combined with Residential Proxy Data Uncovers Suspicious Chinese VPN


Silent Push’s Traffic Origin exposes insights that help identify a threat actor’s true country of origin—visibility that’s otherwise inaccessible to defenders. We use a proprietary global observation network to analyze traffic signals, enabling the platform to identify the countries associated with an IP address. This reveals the traffic’s true physical origin, not just where the proxy server sits.

Offering critical enrichment capabilities that businesses can use to immediately unmask global threat actors, Traffic Origin shines a light on malicious behaviors, including North Korean IT workers attempting to obtain fraudulent employment while using residential proxies to conceal their actual physical location. Customers can also use Traffic Origin to automatically assess employee logins and identify when an IP address is masking traffic from an unexpected location or country of concern.

Traffic Origin complements our proprietary residential proxy data, which identifies tens of millions of residential proxy IPs and their service providers. Together, these two solutions can help customers differentiate between innocuous residential IPs and those rented for criminal use globally.
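The login check described above, written out as an added example that is not Silent Push code and does not use the Silent Push API: it combines a per-IP country-of-origin breakdown with a residential-proxy attribution and scores a login against the country the user claims to be in. The enrichment records, field names, the `COUNTRIES_OF_CONCERN` set and the risk thresholds are all constructed for illustration; the two 205.198.91.x entries are modelled on the observations described later in this article and 203.0.113.10 is a documentation address.

```python
"""Added example (not Silent Push code or API): combine a traffic-origin
country breakdown with residential-proxy attribution to score a login.
All records, field names and thresholds below are constructed."""
from dataclasses import dataclass

# Constructed enrichment table keyed by source IP. "origin_countries" stands
# in for the countries a traffic-origin feed has observed behind the IP;
# "proxy_provider" stands in for a residential-proxy attribution (None means
# the IP is not in the proxy dataset).
ENRICHMENT = {
    "205.198.91.155": {"origin_countries": {"RU", "CN", "MM", "IR", "VE"},
                       "proxy_provider": None},
    "205.198.91.136": {"origin_countries": {"RU", "CN", "MM", "IR", "VE", "UA"},
                       "proxy_provider": "asocks"},
    "203.0.113.10": {"origin_countries": {"US"}, "proxy_provider": None},
}

# Countries a hypothetical remote-work policy treats as "of concern".
COUNTRIES_OF_CONCERN = {"RU", "CN", "IR", "MM", "VE", "KP"}


@dataclass
class Verdict:
    ip: str
    risk: str          # "low" | "medium" | "high" | "unknown"
    reasons: list


def assess_login(ip, expected_country, enrichment=ENRICHMENT):
    """Score one login from `ip` by a user whose claimed location is
    `expected_country` (ISO 3166 alpha-2 code)."""
    rec = enrichment.get(ip)
    if rec is None:
        return Verdict(ip, "unknown", ["no enrichment available for IP"])

    reasons = []
    origins = rec["origin_countries"]
    concern = origins & COUNTRIES_OF_CONCERN

    if rec["proxy_provider"]:
        reasons.append(f"residential proxy ({rec['proxy_provider']})")
    if expected_country not in origins:
        reasons.append(
            f"claimed country {expected_country} never observed behind IP; "
            f"observed origins: {sorted(origins)}")
    if concern:
        reasons.append(f"origin traffic from countries of concern: {sorted(concern)}")

    # Proxy use or a location mismatch is suspicious on its own; paired with
    # traffic from a country of concern it is the pattern the article describes.
    if concern and (rec["proxy_provider"] or expected_country not in origins):
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return Verdict(ip, risk, reasons)


if __name__ == "__main__":
    for ip in ("205.198.91.155", "205.198.91.136", "203.0.113.10", "198.51.100.7"):
        v = assess_login(ip, "US")
        print(f"{ip:16} {v.risk:8} {'; '.join(v.reasons)}")
```

The verdict keeps every reason that fired rather than a single score, so an analyst reviewing a flagged login can see whether it was the proxy attribution, the missing claimed country, or the countries of concern that drove the result.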

The Silent Push Preemptive Cyber Defense Team regularly analyzes Traffic Origin datasets to uncover new insights and research opportunities for customers. To better help readers understand what these opportunities can look like, we’re sharing an example below of an investigation into a series of IPs and domains connected to a low-quality Chinese virtual private network (VPN) provider.

Mystery Chinese VPN Used by Devices in Russia, China, Myanmar, Iran, and Venezuela

Within our Traffic Origin data, the IP address 205.198.91[.]155 stands out for its unique breakdown of origin traffic—which includes devices in Russia, China, Myanmar, Iran, and Venezuela. It’s highly unusual for an IP address to be observed exclusively in these locations.

Traffic Origin Total View for IP 205.198.91[.]155

Looking further into that same IP address, our PADNS data shows that the only domain mapped to it since November 2025 is lvcha[.]in, suggesting that the traffic may be associated with this domain.

DNS A Records Mapped to the domain lvcha[.]in for IP address 205.198.91[.]155

Looking more closely at lvcha[.]in in our Total View, the domain was registered with NameSilo in March 2024 and appears to host a Chinese-language VPN.

Total View for lvcha[.]in showing registrar and metadata highlights

Accessing the LVCHA VPN website reveals that the default language is Mandarin, and the site only offers an Android APK (Android Package Kit) for direct sideloaded download—sidestepping the Google Play Store entirely.

Here’s what the site looks like in English translation (shown below). Notice the prominent and seemingly inaccurate disclaimer: “This app has passed Google security certification, please install and use with confidence.”

Translated website for the LVCHA VPN at lvcha[.]in

Because this VPN app and domain align with the unexpected Traffic Origin data, we can further investigate the domain using dozens of searchable metadata fields captured by our Web Search data.

Total View Web Search results for lvcha[.]in

We quickly identified several fields that pivot into a larger group of suspicious domains, all of which promote the same VPN.

Some of the fields providing these pivots include:

  • body_analysis.js_ssdeep – Fuzzy hash (ssdeep) of JavaScript content to detect similar scripts.
    • datasource = [“webscan”] AND body_analysis.js_ssdeep = “24:toiwDsbneK8Ki3vr5y7zrlqCWJTI/Rk m5vY50lCvbHOPQ/:5wDrK8Ksr5y7zrlqCWJTL EWvbuPQ/”
  • body_analysis.telegram – Telegram account URL captured from the page
    • datasource = [“webscan”] AND body_analysis.telegram = “https://t.me/lvchavpn”
  • favicon_md5 – MD5 hash of the favicon binary
    • datasource = [“webscan”] AND favicon_md5 = “994dfe8573747f2b90e4d32b5ae07fc6”

Expanded Web Search results for lvcha[.]in
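How the three pivot fields above are derived from page content and then used to find look-alike sites, as an added example that is not Silent Push code: it computes a favicon MD5, extracts Telegram links, and fingerprints inline JavaScript, then reports which keys each other scan record shares with the seed. The HTML, favicon bytes and scan records are constructed; the `ssdeep` fuzzy hash the platform uses is replaced by an exact SHA-256 of whitespace-normalised script text because ssdeep is not in the Python standard library (a simplification that catches reformatted clones but not near-identical scripts).

```python
"""Added example, not Silent Push code: compute the three content pivots the
article names (favicon MD5, Telegram URL, a JavaScript fingerprint) and use
them to find look-alike sites in a set of scan records. Content is constructed;
SHA-256 of normalised script stands in for ssdeep (a simplification)."""
import hashlib
import re
from collections import defaultdict

TELEGRAM_RE = re.compile(r"https?://t\.me/[A-Za-z0-9_]{5,32}")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def favicon_md5(favicon_bytes):
    """MD5 of the raw favicon file, the favicon_md5 pivot."""
    return hashlib.md5(favicon_bytes).hexdigest()


def telegram_links(html):
    """All t.me links on the page, de-duplicated and sorted (the telegram pivot)."""
    return sorted(set(TELEGRAM_RE.findall(html)))


def script_fingerprint(html):
    """Exact-match stand-in for js_ssdeep: hash every inline <script> body with
    whitespace collapsed so trivial reformatting does not break a match."""
    bodies = (" ".join(body.split()) for body in SCRIPT_RE.findall(html))
    return hashlib.sha256(" ".join(bodies).encode()).hexdigest()


def fingerprint(domain, html, favicon_bytes):
    return {
        "domain": domain,
        "favicon_md5": favicon_md5(favicon_bytes),
        "telegram": telegram_links(html),
        "js_fp": script_fingerprint(html),
    }


def pivot(seed, records):
    """Domains that share at least one pivot key with `seed`, with the keys
    that matched, so the analyst can judge how strong each link is."""
    matches = defaultdict(set)
    for rec in records:
        if rec["domain"] == seed["domain"]:
            continue
        if rec["favicon_md5"] == seed["favicon_md5"]:
            matches[rec["domain"]].add("favicon_md5")
        if set(rec["telegram"]) & set(seed["telegram"]):
            matches[rec["domain"]].add("telegram")
        if rec["js_fp"] == seed["js_fp"]:
            matches[rec["domain"]].add("js_fp")
    return {domain: sorted(keys) for domain, keys in matches.items()}


# --- constructed sample content (not real scan data) ----------------------
FAVICON_A = b"\x00\x00\x01\x00constructed-icon-A"
FAVICON_B = b"\x00\x00\x01\x00constructed-icon-B"
HTML_SEED = ('<html><a href="https://t.me/lvchavpn">TG</a>'
             '<script>var a=1;\n   dl("app.apk");</script></html>')
HTML_CLONE = ('<html><a href="https://t.me/lvchavpn">TG</a>'
              '<script>var a=1; dl("app.apk");</script></html>')
HTML_OTHER = ('<html><a href="https://t.me/unrelated_chan">x</a>'
              '<script>console.log(2)</script></html>')

RECORDS = [
    fingerprint("lvcha.in", HTML_SEED, FAVICON_A),      # seed domain from the article
    fingerprint("lcapp.xyz", HTML_CLONE, FAVICON_A),    # full clone
    fingerprint("lcpro.top", HTML_CLONE, FAVICON_B),    # new favicon, same JS + Telegram
    fingerprint("example.net", HTML_OTHER, FAVICON_B),  # unrelated site
]

if __name__ == "__main__":
    for domain, keys in pivot(RECORDS[0], RECORDS).items():
        print(domain, keys)
```

A match on a single key (a shared favicon alone, say) is weak evidence, since generic icons and templates are widely reused; the reason the article pivots on several independent fields is that agreement across favicon, script content and contact channel is hard to explain except by cloning.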

Conducting any of those queries above using Silent Push’s Web Search (Community Edition) returns nearly 50 domains featuring the same cloned VPN content:

  1. lcabc[.]icu
  2. lcapi[.]shop
  3. lcapp[.]bar
  4. lcapp[.]bond
  5. lcapp[.]cfd
  6. lcapp[.]cyou
  7. lcapp[.]icu
  8. lcapp[.]my
  9. lcapp[.]qpon
  10. lcapp[.]sbs
  11. lcapp[.]shop
  12. lcapp[.]xyz
  13. lcpro[.]bar
  14. lcpro[.]bond
  15. lcpro[.]cc
  16. lcpro[.]cfd
  17. lcpro[.]cyou
  18. lcpro[.]icu
  19. lcpro[.]qpon
  20. lcpro[.]sbs
  21. lcpro[.]shop
  22. lcpro[.]top
  23. lcpro[.]vip
  24. lcvpn[.]bond
  25. lcvpn[.]cc
  26. lcvpn[.]cfd
  27. lcvpn[.]cyou
  28. lcvpn[.]qpon
  29. lcvpn[.]sbs
  30. lcvpn[.]shop
  31. lcvpn[.]top
  32. lcvpn[.]xyz
  33. loopvpn[.]org
  34. lvcha[.]in
  35. lvcha[.]org
  36. lvcha[.]qpon
  37. lvcha[.]sbs
  38. lvcha[.]store
  39. lvchaapp[.]bond
  40. lvchaapp[.]cc
  41. lvchaapp[.]cyou
  42. lvchaapp[.]icu
  43. lvchaapp[.]pw
  44. lvchaapp[.]site
  45. lvchaapp[.]store
  46. lvchaapp[.]vip
  47. lvchavpn[.]bond
  48. lvchavpn[.]cfd
  49. lvchavpn[.]one
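The domain list above, structured programmatically as an added example that is not Silent Push code: it refangs the `[.]` notation, groups the 49 domains by their second-level label and counts TLD reuse, which exposes the naming scheme the operator rotates through. It also goes one step beyond the article with `is_campaign_domain`, a heuristic that flags any hostname reusing one of the seen labels under a different TLD so a future rotation can be caught for review. The domains are the article's; the simple label/TLD split (no public-suffix handling, which is adequate here because every entry uses a single-label TLD), the grouping logic and the heuristic are this example's own.

```python
"""Added example (not Silent Push code): structure the article's defanged
domain list to expose the naming scheme and flag label reuse under new TLDs.
The domains are the article's; the logic and the label/TLD split are ours."""
import re
from collections import Counter, defaultdict

# The 49 domains exactly as listed in the article, in defanged form.
DEFANGED = """
lcabc[.]icu lcapi[.]shop lcapp[.]bar lcapp[.]bond lcapp[.]cfd lcapp[.]cyou
lcapp[.]icu lcapp[.]my lcapp[.]qpon lcapp[.]sbs lcapp[.]shop lcapp[.]xyz
lcpro[.]bar lcpro[.]bond lcpro[.]cc lcpro[.]cfd lcpro[.]cyou lcpro[.]icu
lcpro[.]qpon lcpro[.]sbs lcpro[.]shop lcpro[.]top lcpro[.]vip lcvpn[.]bond
lcvpn[.]cc lcvpn[.]cfd lcvpn[.]cyou lcvpn[.]qpon lcvpn[.]sbs lcvpn[.]shop
lcvpn[.]top lcvpn[.]xyz loopvpn[.]org lvcha[.]in lvcha[.]org lvcha[.]qpon
lvcha[.]sbs lvcha[.]store lvchaapp[.]bond lvchaapp[.]cc lvchaapp[.]cyou
lvchaapp[.]icu lvchaapp[.]pw lvchaapp[.]site lvchaapp[.]store lvchaapp[.]vip
lvchavpn[.]bond lvchavpn[.]cfd lvchavpn[.]one
""".split()


def refang(domain):
    """Turn the defanged form back into a resolvable name."""
    return domain.replace("[.]", ".")


def split_label(domain):
    """Naive split into (registrable label, TLD); fine for single-label TLDs."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def cluster(defanged):
    """Return {label: set(tlds)} and a Counter of TLD usage."""
    by_label = defaultdict(set)
    tld_counts = Counter()
    for d in defanged:
        label, tld = split_label(refang(d))
        by_label[label].add(tld)
        tld_counts[tld] += 1
    return dict(by_label), tld_counts


LABELS, TLD_COUNTS = cluster(DEFANGED)

# Any hostname whose registrable label is one already seen in the cluster,
# under any TLD, optionally with subdomains in front.
CAMPAIGN_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(" + "|".join(sorted(map(re.escape, LABELS))) + r")\.[a-z]+$")


def is_campaign_domain(hostname):
    """Heuristic (an assumption, not something the article states): flag
    label reuse under a new TLD for analyst review before blocking."""
    return CAMPAIGN_RE.match(hostname.lower()) is not None


if __name__ == "__main__":
    for label, tlds in sorted(LABELS.items(), key=lambda kv: -len(kv[1])):
        print(f"{label:10} {len(tlds):2} TLDs: {', '.join(sorted(tlds))}")
    print("most reused TLDs:", TLD_COUNTS.most_common(5))
    for h in ("lcpro.click", "www.lvcha.in", "example.com"):
        print(h, is_campaign_domain(h))
```

The grouping shows that three labels (lcapp, lcpro, lcvpn) account for 30 of the 49 domains and that a handful of cheap TLDs (bond, cfd, cyou, sbs, shop, icu, qpon) recur across labels, which is the rotation pattern the next paragraph discusses; the label-reuse heuristic will produce false positives on short labels and should feed a review queue, not an automatic block.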

Whenever we see campaigns promoting suspicious downloads or products using so many domains, it can indicate that the operator is rotating domains to work around country-level firewalls in regions where they’re trying to promote distribution. This process is commonly observed in campaigns attempting to bypass the Great Firewall of China, an authoritarian technical domain and IP-blocking system which has been replicated in Russia, Iran, Myanmar, and Venezuela—all countries seen in the Traffic Origin connections to this particular VPN provider.

While investigating Web Search results that reused the LVCHA VPN HTML title, favicon, or Telegram URL from the original website, we also found the content hosted on 205.198.91[.]136, an IP address in the same ASN mentioned earlier.

A closer analysis of this IP address in our Residential Proxy database shows it is used by the residential proxy provider “Asocks proxies” (asocks[.]com). The Traffic Origin data aligns with what we saw with the previous IP address, except with a minor difference: there are also hits in Ukraine.

Traffic Origin Total View for 205.198.91[.]136

The Traffic Origin data for IP address 205.198.91[.]136 confirms it’s being used in Russian-occupied Eastern Ukraine, as shown below.

Traffic Origin Total View for 205.198.91[.]136, zoomed into Ukraine

One last IP address connected to this VPN that’s worth highlighting is 194.147.16[.]244, which is from AS48266, a U.K. network owned by catixs[.]com. As of this writing (January 2026), this IP address is hosting the same content as the LVCHA VPN, seen here in our Total View overview.

Traffic Origin Total View highlight for 194.147.16[.]244

This IP address has appeared in the Traffic Origin data from many of the same countries previously seen (Russia, China, Iran, and Myanmar). The traffic also includes a single hit in Japan, several in Bangladesh, a large cluster along the Kazakhstan–Kyrgyzstan border, additional hits in Georgia, and a new cluster near the Ukrainian border in Western Russia.

Traffic Origin Total View for 194.147.16[.]244

Zooming into this map highlights heavy usage of this IP address in Moscow, Russia.

Traffic Origin Total View for 194.147.16[.]244, zoomed into Russia

Stop Suspicious Connections Before They Impact Your Organization

Trust is a liability in an era where it only costs a few dollars to rent domestic identities and clean residential IPs. Accurate compliance requires more than simply checking a passport; it requires verifying how connections behave on both physical and technical levels. Without the ability to identify upstream points of origin, your defensive readiness remains reactive and incomplete. You risk losing the critical window to block professional fraudsters and “invisible insiders” before they slip past your existing defenses.

Traffic Origin can protect your organization by providing the visibility needed to ensure your KYC (Know Your Customer), AML (Anti-Money Laundering), and fraud workflows are grounded in technical truth rather than digital deception.

When state-sponsored actors use stolen identities and spoofed locations, background checks are not enough to protect your organization. It’s essential to verify that remote employees are physically located where they claim to be.

Silent Push Traffic Origin unmasks deceptive network paths that operatives use to hide their true location. We help you spot the residential proxies and suspicious connection patterns that state-sponsored groups use to bypass traditional geofencing and let you flag high-risk infrastructure and individuals before an attack occurs.

Interested in Learning More About Traffic Origin?

Connect with our team of preemptive cyber defense experts to get an overview of Traffic Origin and the Silent Push Enterprise Edition platform.

We can provide you with a tailored walkthrough for your specific use case, as well as insights into integrations and API capabilities, as we show you how to neutralize before compromise.