Operation Digital Eye: Chinese hackers exploit Visual Studio Code

Dec 10, 2024

A sophisticated cyberespionage operation dubbed “Operation Digital Eye” has been attributed to a suspected Chinese Advanced Persistent Threat (APT) group. 

According to Aleksandar Milenkoski, Senior Threat Researcher at SentinelLabs, and Luigi Martire, Senior Malware Analyst at Tinexta Cyber, the campaign targeted large business-to-business (B2B) IT service providers in southern Europe between late June and mid-July 2024.

Visual Studio Code hijacked

In what SentinelLabs describes as the “first instance of a suspected Chinese APT group using this technique,” Visual Studio Code’s Remote Tunnels feature was hijacked to maintain command-and-control (C2) connections.

By leveraging software associated with legitimate development workflows, the attackers were able to conceal their malicious activities. 

Remote Tunnels provides full endpoint access capabilities—including command execution and filesystem interactions. Crucially, the executables involved were digitally signed by Microsoft, while the tunnelling infrastructure used Microsoft’s Azure servers. 

With such tools being integral to legitimate operations, they are unlikely to face stringent scrutiny from application controls and firewalls. This made their misuse “challenging to detect” and granted highly effective covert access to compromised systems.

Objectives and targets

The attack primarily focused on entities that manage data, infrastructure, and cybersecurity for major industries—making them prime candidates for espionage and enabling downstream access to client organisations.

SentinelLabs and Tinexta Cyber stated in a report that “a sustained presence within these organisations would provide the Operation Digital Eye actors with a strategic foothold, creating opportunities for intrusions across the digital supply chain.”

The timing and sophistication of the campaign strongly point toward a state-sponsored attacker with connections to China’s interests, aiming to access sensitive information and compromise critical IT environments.

Such strategic intelligence can provide “competitive advantages” in economic, geopolitical, and technological domains, reflecting rising tensions in Sino-European relations.

Infection vector and progression

The attackers used SQL injection to compromise internet-facing web and database servers, relying on the automated tool SQLmap to exploit vulnerabilities.

Once infiltrated, they deployed a PHP-based webshell called PHPsert, which used simplistic yet effective obfuscation techniques to execute PHP code supplied by the attackers. To blend into the targeted environments, they disguised PHPsert files with locally relevant language and technological context.

From the moment of entry, the attackers focused heavily on reconnaissance, employing both third-party tools – such as GetUserInfo – and native Windows utilities like ping. To move laterally across networks, the group relied on Remote Desktop Protocol (RDP) sessions and a pass-the-hash technique facilitated by a custom-modified Mimikatz variant called bK2o.exe.

Additional access was maintained via SSH-enabled backdoors and Visual Studio Code Remote Tunnels, with the latter being run as background services disguised as legitimate processes.

Visual Studio Code tunnelling exploit

An extracted winsw configuration file, used to run Visual Studio Code as a Windows service, indicated that the attackers had taken a pragmatic approach. The file referenced publicly accessible base samples, with only minor customisations tailored to their illicit purposes.

Once running, Visual Studio Code’s “tunnel” parameter established development tunnels to compromised machines, accessible remotely through either the Visual Studio Code application or its browser version, vscode.dev.
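For defenders, the behaviour described above (Visual Studio Code started with the "tunnel" parameter under a winsw service wrapper) can be triaged from process-creation telemetry. The following Python sketch is an added example, not code from SentinelLabs or Tinexta Cyber; the event field names, the install-directory baseline, the scoring thresholds and the sample events are all assumptions constructed for illustration.

```python
import shlex
from pathlib import PureWindowsPath

# Assumed default VS Code install locations; adjust to your own software baseline.
EXPECTED_DIRS = (r"c:\program files\microsoft vs code",
                 r"\appdata\local\programs\microsoft vs code")
# Parents suggesting the tunnel runs as a service rather than interactively.
SERVICE_PARENTS = {"winsw.exe", "services.exe"}

def basename(path):
    return PureWindowsPath(path).name.lower()

def is_tunnel_invocation(event):
    """True when code.exe is started with 'tunnel' as its first positional argument."""
    if basename(event["image"]) != "code.exe":
        return False  # name-based only: a renamed binary needs hash or signer matching
    tokens = [t.strip('"') for t in shlex.split(event["cmdline"], posix=False)]
    positional = [t for t in tokens[1:] if not t.startswith("-")]
    return bool(positional) and positional[0].lower() == "tunnel"

def score(event):
    """Return (severity, reasons) for one process-creation event."""
    if not is_tunnel_invocation(event):
        return "none", []
    reasons = ["code.exe started with the tunnel parameter"]
    if basename(event["parent"]) in SERVICE_PARENTS:
        reasons.append("parent is a service wrapper: " + basename(event["parent"]))
    if event["user"].upper().startswith("NT AUTHORITY\\"):
        reasons.append("runs under a built-in service account")
    folder = str(PureWindowsPath(event["image"]).parent).lower()
    if not any(d in folder for d in EXPECTED_DIRS):
        reasons.append("binary outside expected install directories")
    return ("high" if len(reasons) >= 3 else "review"), reasons

# Constructed events shaped like process-creation log fields; not taken from the report.
FIELDS = ("host", "user", "image", "cmdline", "parent")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in (
    ("WEB01", r"NT AUTHORITY\SYSTEM", r"C:\ProgramData\svc\code.exe",
     r"C:\ProgramData\svc\code.exe tunnel", r"C:\ProgramData\svc\winsw.exe"),
    ("DEV07", r"CORP\alice", r"C:\Program Files\Microsoft VS Code\Code.exe",
     r'"C:\Program Files\Microsoft VS Code\Code.exe" tunnel',
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ("DEV09", r"CORP\bob", r"C:\Program Files\Microsoft VS Code\Code.exe",
     r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\tunnel\README.md',
     r"C:\Windows\explorer.exe"),
)]

def triage(events):
    scored = ((e["host"], *score(e)) for e in events)
    return [row for row in scored if row[1] != "none"]
```

An interactive developer tunnel from the expected install path lands in "review" rather than "high", and a file path that merely contains the word "tunnel" is not flagged.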

SentinelLabs noted that no direct evidence indicates whether the attackers used self-registered or compromised GitHub accounts to authenticate to these tunnels.

Beyond the development-focused misuse of Visual Studio Code, the attackers exploited infrastructure owned by European service provider M247 alongside Azure servers. This infrastructure – sourced from Microsoft’s Italy North and West Europe datacentres – helped mask activity as local, reducing suspicion while traversing legitimate network pathways.

Connections to Chinese APT operators

Precise attribution of Operation Digital Eye is still ongoing because of extensive code-sharing within the Chinese APT ecosystem. However, SentinelLabs cited a wealth of indications suggesting a Chinese origin. Among these are the following:

  • The PHPsert webshell variants, one of which contains comments and code snippets written in simplified Chinese, signalling likely involvement of Chinese-speaking developers.  
  • The “bK2o.exe” tool for pass-the-hash operations aligns with broader patterns of use in known China-linked campaigns such as Operation Soft Cell and Operation Tainted Love.  
  • The inclusion of bK2o.exe within a larger toolkit dubbed mimCN, which SentinelLabs has observed exclusively in operations tied to Chinese APT clusters over several years.  

MimCN – comprising custom Mimikatz-based credential-stealing tools – has reportedly evolved through a shared development effort, likely led by a “digital quartermaster.” Such an entity is suspected of provisioning common tools to numerous Chinese-linked threat groups.

Beyond Operation Digital Eye

Connections between Operation Digital Eye and previously identified Chinese APT campaigns highlight longer-term efforts to evolve tooling and tactics. Notably, Granite Typhoon (formerly Gallium) and APT41 have executed similar operations, employing shared infrastructure management techniques and overlapping malware payloads.

SentinelLabs noted significant overlap between Operation Digital Eye and earlier efforts such as 2023’s Operation Tainted Love – a campaign targeting telecom providers in the Middle East – and Operation Soft Cell, which occurred between 2017 and 2018 and focused on telecoms worldwide.

“These tools have been observed exclusively in the context of suspected Chinese APT activities,” SentinelLabs confirmed.

Researchers also suggested that mimCN’s compilation timestamps align closely with campaign timelines, adding further weight to claims of state-sponsored involvement.

Temporal analysis revealed that all activity during Operation Digital Eye occurred on weekdays between 9am and 9pm China Standard Time (CST), a schedule corresponding with typical working hours in China.

While the now-illegal “996” system (9am–9pm, six days a week) was once common in China’s technology industry, government-backed operations are presumed to adhere more closely to regulated working practices.

Tinexta Cyber and SentinelLabs claim to have detected and interrupted Operation Digital Eye in its initial stages, likely preventing attackers from reaching their ultimate goal of exfiltrating sensitive data. The researchers have also notified Microsoft so as to address the abuse of Visual Studio Code tunnelling and Azure resources in connection with the campaign.

Prevention and mitigation

Cybersecurity experts have flagged the abuse of Visual Studio Code tunnelling as a relatively rare but powerful intrusion method.

While organisations using Visual Studio Code or Azure need to stay especially vigilant, SentinelLabs highlighted a broader concern: the development of modular and adaptable intrusion playbooks now being shared across the ranks of state-sponsored threat actors.

The exploitation of technologies like Visual Studio Code underscores the need for proactive monitoring and improved endpoint and network visibility for key organisations, particularly those in critical supply chains or cyber defence sectors.

As these increasingly complex methods come to light, cross-industry collaboration will be essential to mitigate cyberespionage risks. Threat actors continue to innovate—and this campaign demonstrates a highly advanced capability that could yet surface in future operations.
