There is a publicly available tool called HTran which is widely used by criminal groups in cyberattacks to exfiltrate data. It simply relays traffic from one host to another, much like a proxy. It is typically used to relay information from an internal network that does not allow internet access, but allows access to the intermediate device.
If someone could do network analysis on both ends of the connection, what kinds of clues would be left in the traffic that would allow someone to detect the anomalous traffic?