Neunative

The usr and userid UUIDs are generated once with UuidCreate and persisted in the registry at HKCU\Software\Neunative under _uuid ; the inst UUID identifies the install.

The Accept header is pixel-perfect Chrome... The User-Agent is SDK... Someone spent real effort getting the Accept header exactly right, then set the User-Agent to a three-character string that gives the disguise away.

The usr and userid UUIDs are generated once with UuidCreate and persisted in the registry at HKCU\Software\Neunative under _uuid ; the inst UUID identifies the install.

For each peer server, the SDK opens a TLS connection on port 6000 and speaks a proprietary binary protocol... The message types, recovered from the factory and RTTI symbols: Register, RegisterResponse, Ping, OpenTunnel, TunnelMessage, CloseTunnel, Goodbye. | The SDK contacts lb.gmslb[.]net:443 (TLS) with an HTTP GET that reads like a browser doing its best impression of itself: GET /regdev?usr=<uuid>&userid=<uuid>&dev_ip=<ip>&sdkv=8.0.36&inst=<uuid> HTTP/1.1

Bundled in the same installer, registered as a NuGet dependency, and activated whenever the VPN is not connected, is Neunative: a residential-proxy SDK that turns the user's machine into an exit node for third-party traffic.

The hostnames in peer_servers are rotating front domains. For a single fleet the director returns both sN.viki-play[.]com:6000 and sN.star-layer[.]com:6000 ; the server numbers overlap... The sN identifier and IP are the stable node identity. The domain is disposable.