Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used “hop points” to conceal their identity and evade detection. Hop points of course are just a fancy word for a kind of proxy (as Citizen Lab likes to refer to them) that forwards data to and instructions from the real controller. Some security companies have made tracking these hop points into a major business, and many sell access to their lists as expensive threat intelligence feeds. Since setting up a new hop takes a little time and effort, attackers sometimes re-use them. But for any significant operation, attackers are going to come from at least one new server, and probably many more.
more here.............http://www.scriptjunkie.us/2014/07/more-spiders-fewer-trees-meterpreter-hop/
more here.............http://www.scriptjunkie.us/2014/07/more-spiders-fewer-trees-meterpreter-hop/