Chinese State Hackers Weaponize Microsoft’s VS Code to Create Stealthy Backdoors

Chinese Hackers Exploit Visual Studio Code Tunnels in Sophisticated Cyber Campaign

A cyber espionage campaign dubbed ‘Operation Digital Eye’ has been uncovered targeting IT service providers in Southern Europe. Researchers from SentinelLabs and Tinexta Cyber report that a suspected China-nexus threat actor used the Remote Tunnels feature of Microsoft’s Visual Studio Code (VS Code) as a backdoor: because the tunnel is a legitimate, signed Microsoft feature whose traffic terminates in Microsoft infrastructure, the resulting command-and-control channel blends in with ordinary developer activity.

Key Findings:
– The campaign ran between June and July 2024
– Initial access was achieved through SQL injection against internet-facing web servers
– The attackers deployed the PHPsert webshell for remote command execution
– Legitimate, portable VS Code installations were used for persistent remote access
– Tunnel traffic was routed through Microsoft Azure infrastructure, so it looked like routine cloud traffic

Attack Methodology:
1. Initial breach via SQL injection (using the sqlmap tool) against internet-facing web servers
2. Lateral movement over RDP, with credential theft carried out by a modified Mimikatz build
3. Deployment of a portable VS Code installation on compromised hosts
4. Persistence by registering the VS Code tunnel (code.exe) as a Windows service using winsw (Windows Service Wrapper)
5. Remote access to the hosts through the tunnel, authenticated with attacker-controlled Microsoft or GitHub accounts

The attackers were active during Chinese working hours, which is consistent with the suspected geographic origin. The specific threat group remains unidentified; the available evidence points to possible involvement of STORM-0866 or Sandman APT.

Security Recommendations:
– Alert on suspicious VS Code launches, in particular code.exe started with the tunnel subcommand or from a user-writable directory
– Restrict or disable VS Code Remote Tunnels on systems that have no business need for them
– Apply application allowlisting so that unapproved portable executables, including portable VS Code, cannot run
– Monitor (and where possible block) DNS lookups and connections to *.devtunnels.ms, the domain used by the dev tunnels service
– Inspect Windows services, including winsw-wrapped ones, for unauthorized code.exe instances or service binaries outside standard install paths
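The recommendations above translate directly into host-telemetry rules. The following Python script is an added example (it is not code from the SentinelLabs/Tinexta Cyber report or from Microsoft) that applies them to a handful of constructed, Sysmon-style process, service and DNS events covering the attack chain described above: a portable code.exe launched with the tunnel subcommand, a winsw-style service installed from a user-writable path, and a lookup of a *.devtunnels.ms host. The VS Code install-path allowlist and the list of user-writable roots are assumptions standing in for an organisation's own values, and the event records are invented for illustration.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Assumed allowlist of approved VS Code binaries (system-wide and per-user
# installer locations). Replace with the paths your organisation deploys.
ALLOWED_CODE_EXE = [
    re.compile(r"^c:\\program files\\microsoft vs code\\code\.exe$", re.I),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\programs\\microsoft vs code\\code\.exe$", re.I),
]
# Assumed user-writable roots from which no Windows service binary should run.
USER_WRITABLE = re.compile(r"^(?:c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)
# "code tunnel ..." or "code.exe tunnel ..." anywhere in a command line, quoted or not.
TUNNEL_CMD = re.compile(r'(?:^|[\\/\s])code(?:\.exe)?"?\s+tunnel\b', re.I)
# Exact suffix match: x.euw.devtunnels.ms matches, devtunnels.ms.example.com does not.
DEVTUNNEL_HOST = re.compile(r"(?:^|\.)devtunnels\.ms$", re.I)
CODE_EXE = re.compile(r"(?:^|\\)code\.exe$", re.I)


def is_tunnel_commandline(cmdline: str) -> bool:
    """True if the command line invokes the VS Code CLI 'tunnel' subcommand."""
    return bool(TUNNEL_CMD.search(cmdline))


def is_devtunnel_host(host: str) -> bool:
    """True if the queried name is under devtunnels.ms (trailing dot tolerated)."""
    return bool(DEVTUNNEL_HOST.search(host.strip().rstrip(".")))


def is_allowlisted_code(image: str) -> bool:
    """True if a code.exe image path is one of the approved install locations."""
    return any(p.match(image) for p in ALLOWED_CODE_EXE)


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, event_id) pairs for every indicator an event trips."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        eid, kind = ev["id"], ev["kind"]
        if kind == "process":
            image = ev.get("image", "")
            if is_tunnel_commandline(ev.get("cmdline", "")):
                findings.append(("vscode_tunnel_launch", eid))
            if CODE_EXE.search(image) and not is_allowlisted_code(image):
                findings.append(("portable_code_exe", eid))
        elif kind == "service":
            path = ev.get("image_path", "")
            # winsw wraps code.exe, so the ImagePath may be the wrapper rather than
            # code.exe itself; the location of the binary is the more robust signal.
            if USER_WRITABLE.match(path) or is_tunnel_commandline(path):
                findings.append(("service_from_user_writable_path", eid))
        elif kind == "dns":
            if is_devtunnel_host(ev.get("query", "")):
                findings.append(("devtunnels_dns", eid))
    return findings


# Constructed sample telemetry (not real logs from the campaign).
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "process", "image": r"C:\Users\Public\vsc\code.exe",
     "cmdline": r'"C:\Users\Public\vsc\code.exe" tunnel --accept-server-license-terms'},
    {"id": "e2", "kind": "process", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --unity-launch C:\src\app'},
    {"id": "e3", "kind": "service", "name": "UpdateSvc",
     "image_path": r"C:\Users\Public\vsc\winsw.exe"},
    {"id": "e4", "kind": "service", "name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"id": "e5", "kind": "dns", "query": "abcd1234-8000.euw.devtunnels.ms"},
    {"id": "e6", "kind": "dns", "query": "update.code.visualstudio.com"},
    {"id": "e7", "kind": "dns", "query": "devtunnels.ms.example.com"},  # lookalike
]


if __name__ == "__main__":
    for rule, eid in triage(SAMPLE_EVENTS):
        print(f"{rule:35s} {eid}")
```

Running the script flags e1 twice (tunnel subcommand and non-allowlisted code.exe), e3 for the service binary under C:\Users, and e5 for the dev tunnels lookup, while the stock VS Code launch, the Spooler service, the update-check DNS query and the lookalike domain stay quiet. In a real deployment the same three checks map onto Sysmon event IDs 1 (process creation), 22 (DNS query) and the System log's service-installation event, or onto the equivalent EDR telemetry.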

The technique is not unprecedented, but it illustrates a growing trend of abusing legitimate development tools and cloud services so that malicious processes and traffic look routine. Similar tactics were observed in September 2024, when the Stately Taurus APT used VS Code against Southeast Asian government targets.
