{
	"id": "573fda7a-b79e-4924-a365-0e66ce594c04",
	"created_at": "2026-04-06T03:36:15.220068Z",
	"updated_at": "2026-04-10T13:13:00.623012Z",
	"deleted_at": null,
	"sha1_hash": "51a5d46392b56736f9782e35925f08977c0d8e52",
	"title": "Advisory: Misuse of Visual Studio Code for traffic tunnelling",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 90017,
	"plain_text": "Advisory: Misuse of Visual Studio Code for traffic tunnelling\r\nArchived: 2026-04-06 02:58:35 UTC\r\nBlog\r\nPublished date: 23.05.2024\r\nAdversary misuse of remote development extensions in Visual Studio (VS) Code observed in the wild.\r\nhttps://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/\r\nPage 1 of 4\r\nWritten by: Threat Intelligence Team\r\nmnemonic\r\nBackground\r\nIn May 2024, mnemonic responded to an incident involving adversary use of VS Code's remote development extensions.\r\nThe misuse of this technique has recently been observed in a cyber espionage context, but has not been previously linked to what we assess is cybercrime activity.\r\nThe technique has been theorised previously, but reports of it being utilised in the wild are limited to these two instances.\r\nThreat Intelligence assessment\r\nWe recently observed this technique used in the wild by a threat actor likely attempting to gain a foothold on a domain controller. We have not been able to ascertain the threat actor's goal in this specific incident, but we assess that this was possibly performed by an initial access broker (IAB).\r\nThis assessment is based on the tactics, techniques, and procedures (TTPs) used by the threat actor.\r\nActivity | MITRE ATT\u0026CK mapping\r\n1. Attempted to brute-force VPN credentials | T1110.004 - Credential Stuffing\r\n2. Authenticated via VPN using compromised single-factor credentials | T1078 - Valid Accounts\r\n3. Established RDP connection directly to the domain controller | T1021.001 - Remote Services: Remote Desktop Protocol\r\n4. Created a new service initiating code.exe in tunnel mode | T1543.003 - Create or Modify System Process: Windows Service\r\n5. Utilised 7-Zip to prepare ntds.dit for exfiltration | T1560.001 - Archive Collected Data: Archive via Utility\r\n6. Exfiltrated ntds.dit archive using code.exe tunnel | T1048 - Exfiltration Over Alternative Protocol\r\n7. Terminated the code.exe process | T1489 - Service Stop\r\nThe threat actor used approximately three hours to execute their attack chain.\r\nRecommendations\r\nWe strongly advise configuring and deploying the set of Group Policy Objects (GPOs) described by Microsoft. The following policies are supported:\r\n- Disable anonymous tunnel access\r\n- Disable tunnel access in general\r\n- Only allow tunnel access from specific Microsoft Entra tenant IDs\r\nOn a network level, access can be blocked by dropping or blocking outbound access to global.rel.tunnels.api.visualstudio.com.\r\nmnemonic also recommends searching for any suspicious services initiating code.exe on servers where it should not be running, such as on domain controllers.\r\nIn addition, mnemonic recommends monitoring for network traffic directed towards global.rel.tunnels.api.visualstudio.com from servers or network zones that should not be communicating with this service.\r\nDetection coverage for Argus MDR customers\r\nWe have deployed detection to all Argus MDR customers based on the abovementioned incident and are continuously monitoring the situation to develop additional detection logic.\r\nSource: https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mnemonic.io/resources/blog/misuse-of-visual-studio-code-for-traffic-tunnelling/"
	],
	"report_names": [
		"misuse-of-visual-studio-code-for-traffic-tunnelling"
	],
	"threat_actors": [],
	"ts_created_at": 1775446575,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51a5d46392b56736f9782e35925f08977c0d8e52.pdf",
		"text": "https://archive.orkl.eu/51a5d46392b56736f9782e35925f08977c0d8e52.txt",
		"img": "https://archive.orkl.eu/51a5d46392b56736f9782e35925f08977c0d8e52.jpg"
	}
}