Chinese hackers abuse VSCode tunnels for stealthy remote access

Chinese hackers have been observed leveraging Visual Studio Code (VSCode) tunnels to maintain persistent remote access to compromised systems, according to a joint report by SentinelLabs and Tinexta Cyber. The campaign, dubbed 'Operation Digital Eye', targeted large IT service providers in Southern Europe between June and July 2024.

VSCode tunnels, part of Microsoft’s Remote Development feature, are designed to provide developers with secure remote access to systems, enabling tasks such as file system management and command execution. However, this functionality was weaponized by attackers to create persistent backdoors into targeted environments.

The tactic allowed hackers to disguise their malicious activity as legitimate Microsoft services. In the observed attack, the intruders gained initial access through a widespread vulnerability exploitation campaign. They employed 'sqlmap', an automated SQL injection tool, to breach internet-facing web and database servers. After infiltrating the systems, they deployed the PHP-based web shell called PHPsert to execute remote commands and drop additional payloads.

To maintain persistence, the hackers installed a copy of VSCode on the compromised systems and used 'winsw', a tool that wraps executables as Windows services. They then configured VSCode with tunnel parameters, which allowed them to create a remote-access tunnel routed through Microsoft Azure infrastructure.
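The service-wrapped tunnel described above leaves a recognisable process lineage: a VSCode CLI binary launched with the `tunnel` subcommand whose ancestry leads back to services.exe. The following is an added detection example (not code from the report or either vendor) that walks that lineage over constructed process-creation records; the binary names in VSCODE_IMAGES and the wrapper name 'svchelper.exe' are assumptions, not indicators from the campaign.

```python
# Flag VS Code 'tunnel' launches and rank higher those that descend from services.exe
# (the winsw-as-a-service pattern described above). All events here are CONSTRUCTED samples.
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal process-creation record: pid, parent pid, image path, command line, user
    pid: int
    ppid: int
    image: str
    command_line: str
    user: str

VSCODE_IMAGES = {"code.exe", "code"}  # assumption: the tunnel is started via the VS Code CLI binary
TUNNEL_RE = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)  # 'tunnel' as a standalone subcommand

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_vscode_tunnel(ev: ProcEvent) -> bool:
    return basename(ev.image) in VSCODE_IMAGES and bool(TUNNEL_RE.search(ev.command_line))

def ancestors(ev: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ...; 'seen' guards against pid-reuse cycles in the data."""
    seen, cur = set(), by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)

def find_tunnel_persistence(events):
    by_pid, findings = {e.pid: e for e in events}, []
    for ev in filter(is_vscode_tunnel, events):
        chain = [basename(a.image) for a in ancestors(ev, by_pid)]
        service_backed = "services.exe" in chain  # an SCM ancestor means it runs as a Windows service
        findings.append({"pid": ev.pid, "user": ev.user, "service_backed": service_backed,
                         "severity": "high" if service_backed else "medium", "parent_chain": chain})
    return findings

# Constructed: a renamed service wrapper (placeholder name 'svchelper.exe') launched by services.exe
# starts code.exe tunnel; a normal interactive VS Code session; a tunnel started by hand from cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\System32\services.exe", "services.exe", "SYSTEM"),
    ProcEvent(700, 4, r"C:\ProgramData\svc\svchelper.exe", "svchelper.exe", "SYSTEM"),
    ProcEvent(712, 700, r"C:\ProgramData\svc\code.exe",
              r'"C:\ProgramData\svc\code.exe" tunnel --accept-server-license-terms', "SYSTEM"),
    ProcEvent(3010, 2990, r"C:\Program Files\Microsoft VS Code\Code.exe", r'"Code.exe" C:\src\project', r"CORP\dev"),
    ProcEvent(3100, 2990, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"CORP\dev"),
    ProcEvent(3200, 3100, r"C:\Users\dev\tools\code.exe", "code.exe tunnel", r"CORP\dev"),
]
```

Feeding real Sysmon Event ID 1 or EDR process records into `find_tunnel_persistence` surfaces the service-backed case as the high-severity finding while an interactive VSCode session is left alone.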

For lateral movement, the attackers relied on Remote Desktop Protocol (RDP) and a custom version of the credential-stealing tool Mimikatz, named 'bK2o.exe', to perform pass-the-hash attacks. The VSCode tunnels were then used to connect to the breached systems remotely via a browser interface, authenticated with GitHub or Microsoft credentials.

The use of Microsoft-signed executables and Azure infrastructure allowed the hackers to operate without triggering security alerts.

While weak evidence points to Chinese APT groups like STORM-0866 or Sandman APT, the exact actor behind Operation Digital Eye remains unclear due to the extensive sharing of malware, operational playbooks, and infrastructure management processes within the Chinese threat landscape, SentinelLabs noted.
