{
	"id": "562431de-96cd-47c0-8cac-60c876ac34d5",
	"created_at": "2026-04-06T00:09:46.187391Z",
	"updated_at": "2026-04-10T03:30:13.471354Z",
	"deleted_at": null,
	"sha1_hash": "385f5c81620bf4a5efe131296cce821c18d9dfd4",
	"title": "Operation Digital Eye - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48710,
	"plain_text": "Operation Digital Eye - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 12:44:23 UTC\nAPT group: Operation Digital Eye\nNames: Operation Digital Eye (SentinelLabs)\nCountry: China\nMotivation: Information theft and espionage\nFirst seen: 2024\nDescription\n(SentinelLabs) From late June to mid-July 2024, a suspected China-nexus threat actor targeted large business-to-business IT service providers in Southern Europe, an activity cluster that we dubbed ‘Operation Digital Eye’.\nThe intrusions could have enabled the adversaries to establish strategic footholds and compromise downstream entities. SentinelLabs and Tinexta Cyber detected and interrupted the activities in their initial phases.\nThe threat actors used a lateral movement capability indicative of the presence of a shared vendor or digital quartermaster maintaining and provisioning tooling within the Chinese APT ecosystem.\nThe threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 purposes, attempting to evade detection by making malicious activities appear legitimate.\nOur visibility suggests that the abuse of Visual Studio Code for C2 purposes had been relatively rare in the wild prior to this campaign. Operation Digital Eye marks the first instance of a suspected Chinese APT group using this technique that we have directly observed.\nObserved\nSectors: Business-to-business IT service providers.\nCountries: Southern Europe.\nTools used: mim221, Mimikatz, PHPsert, Living off the Land.\nInformation\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=af3c097c-a499-4281-bc62-ee747d9d2772\nLast change to this card: 27 December 2024\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af3c097c-a499-4281-bc62-ee747d9d2772",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=af3c097c-a499-4281-bc62-ee747d9d2772"
	],
	"report_names": [
		"showcard.cgi?u=af3c097c-a499-4281-bc62-ee747d9d2772"
	],
	"threat_actors": [
		{
			"id": "6d7e8ca8-d5a4-4514-baef-b208b607e48e",
			"created_at": "2024-12-28T02:01:54.84356Z",
			"updated_at": "2026-04-10T02:00:04.798594Z",
			"deleted_at": null,
			"main_name": "Operation Digital Eye",
			"aliases": [],
			"source_name": "ETDA:Operation Digital Eye",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PHPsert",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434186,
	"ts_updated_at": 1775791813,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/385f5c81620bf4a5efe131296cce821c18d9dfd4.pdf",
		"text": "https://archive.orkl.eu/385f5c81620bf4a5efe131296cce821c18d9dfd4.txt",
		"img": "https://archive.orkl.eu/385f5c81620bf4a5efe131296cce821c18d9dfd4.jpg"
	}
}