{
	"id": "031063f8-9e8d-4fa9-b0a4-d90cd626bd9e",
	"created_at": "2026-04-06T00:21:51.151762Z",
	"updated_at": "2026-04-10T03:37:01.063612Z",
	"deleted_at": null,
	"sha1_hash": "5bed7c2b59998af1daf690c5e860d016c9b50e47",
	"title": "Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4295289,
	"plain_text": "Operation Digital Eye | Chinese APT Compromises Critical Digital\r\nInfrastructure via Visual Studio Code Tunnels\r\nBy Aleksandar Milenkoski \u0026 Luigi Martire (Tinexta Cyber)\r\nPublished: 2024-12-10 · Archived: 2026-04-05 12:40:38 UTC\r\nExecutive Summary\r\nFrom late June to mid-July 2024, a suspected China-nexus threat actor targeted large business-to-business\r\nIT service providers in Southern Europe, an activity cluster that we dubbed ‘Operation Digital Eye’.\r\nThe intrusions could have enabled the adversaries to establish strategic footholds and compromise\r\ndownstream entities. SentinelLABS and Tinexta Cyber detected and interrupted the activities in their initial\r\nphases.\r\nThe threat actors used a lateral movement capability indicative of the presence of a shared vendor or digital\r\nquartermaster maintaining and provisioning tooling within the Chinese APT ecosystem.\r\nThe threat actors abused Visual Studio Code and Microsoft Azure infrastructure for C2 purposes,\r\nattempting to evade detection by making malicious activities appear legitimate.\r\nOur visibility suggests that the abuse of Visual Studio Code for C2 purposes had been relatively rare in the\r\nwild prior to this campaign. Operation Digital Eye marks the first instance of a suspected Chinese APT\r\ngroup using this technique that we have directly observed.\r\nOverview\r\nTinexta Cyber and SentinelLABS have been tracking threat activities targeting business-to-business IT service\r\nproviders in Southern Europe. Based on the malware, infrastructure, techniques used, victimology, and the timing\r\nof the activities, we assess that it is highly likely these attacks were conducted by a China-nexus threat actor with\r\ncyberespionage motivations.\r\nThe relationships between European countries and China are complex, characterized by cooperation, competition,\r\nand underlying tensions in areas such as trade, investment, and technology. 
Suspected China-linked\r\ncyberespionage groups frequently target public and private organizations across Europe to gather strategic\r\nintelligence, gain competitive advantages, and advance geopolitical, economic, and technological interests.\r\nThe attack campaign, which we have dubbed Operation Digital Eye, took place from late June to mid-July 2024,\r\nlasting approximately three weeks. The targeted organizations provide solutions for managing data, infrastructure,\r\nand cybersecurity for clients across various industries, making them prime targets for cyberespionage actors.\r\nA sustained presence within these organizations would provide the Operation Digital Eye actors with a strategic\r\nfoothold, creating opportunities for intrusions across the digital supply chain and enabling them to exert control\r\nover critical IT processes within the downstream compromised entities. The attacks were detected and disrupted\r\nduring their initial phases.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 1 of 17\n\nThe exact group behind Operation Digital Eye remains unclear due to the extensive sharing of malware,\r\noperational playbooks, and infrastructure management processes within the Chinese threat landscape. The threat\r\nactors used a pass-the-hash capability, likely originating from the same source as closed-source custom Mimikatz\r\nmodifications observed exclusively in suspected Chinese cyberespionage activities, such as Operation Soft Cell\r\nand Operation Tainted Love. The malware and tooling used in these campaigns have been linked to several\r\ndistinct Chinese APT groups. 
We collectively refer to these custom Mimikatz modifications as mimCN.\r\nThe long-term evolution and versioning of mimCN samples, along with notable features such as instructions left\r\nfor a separate team of operators, suggest the involvement of a shared vendor or digital quartermaster responsible\r\nfor the active maintenance and provisioning of tooling. This function within the Chinese APT ecosystem,\r\ncorroborated by the I-Soon leak, likely plays a key role in facilitating China-nexus cyberespionage operations.\r\nThe abuse of Visual Studio Code Remote Tunnels for C2 purposes is central to this campaign. Originally designed\r\nto enable remote development, this technology provides full endpoint access, including command execution and\r\nfilesystem manipulation. Additionally, Visual Studio Code tunneling involves executables signed by Microsoft and\r\nMicrosoft Azure network infrastructure, both of which are often not closely monitored and are typically allowed\r\nby application controls and firewall rules. As a result, this technique may be challenging to detect and could evade\r\nsecurity defenses. Combined with the full endpoint access it provides, this makes Visual Studio Code tunneling an\r\nattractive and powerful capability for threat actors to exploit.\r\nTinexta Cyber and SentinelLABS have notified Microsoft about the abuse of Visual Studio Code and Azure\r\ninfrastructure in connection with Operation Digital Eye.\r\nInfection Vector and Attack Progression\r\nThe attackers used SQL (Structured Query Language) injection as an initial access vector to infiltrate Internet-facing web and database servers. 
User-Agent request headers in the web traffic logs we retrieved indicate that\r\nthe attackers used the sqlmap tool to automate the detection and exploitation of SQL injection vulnerabilities.\r\nTo establish an initial foothold and maintain persistent access, the threat actors deployed a PHP-based webshell.\r\nRelatively simple in design and implementation, the webshell uses the assert function to execute attacker-provided\r\nPHP code. Its implementation does not resemble any other webshells we are familiar with. We track this webshell\r\nunder the name PHPsert.\r\nTo disguise the files implementing PHPsert and attempt to evade detection based on filesystem activity, the\r\nattackers used custom names tailored to the infiltrated environments, making the filenames appear legitimate. This\r\nincluded using the local language and terms that aligned with the technological context of the targeted\r\norganizations.\r\nAfter establishing an initial foothold, the threat actors conducted reconnaissance using a variety of third-party\r\ntools and built-in Windows utilities, such as GetUserInfo and ping . They also deployed the local.exe tool,\r\nwhich is part of the Microsoft Windows NT Resource Kit and allows for viewing user group memberships.\r\nTo steal credentials, the attackers used the CreateDump tool to extract memory allocated to the Local Security\r\nAuthority Subsystem Service (LSASS) process and exfiltrate credentials. CreateDump is part of the Microsoft\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 2 of 17\n\n.NET Framework distribution. The threat actors also retrieved credentials from the Security Account Manager\r\n(SAM) database, which they extracted from the Windows Registry using the reg save command.\r\nThe threat actors frequently named the files they deployed using the pattern do.* . 
Examples include do.log\r\n(output from ping commands), do.exe (the CreateDump tool), and do.bat (a script that executes and deletes\r\nthe CreateDump executable).\r\nFrom the initially compromised endpoints, the attackers moved laterally across the internal network, primarily\r\nusing RDP (Remote Desktop Protocol) connections and pass-the-hash techniques. For the pass-the-hash attacks,\r\nthey used a custom modified version of Mimikatz, implemented in an executable named bK2o.exe .\r\nIn addition to the PHPsert webshell, the threat actors used two methods for remote command execution: SSH\r\naccess, enabled by deploying authorized_keys files containing public keys for authentication, and Visual Studio\r\nCode Remote Tunnels.\r\nVisual Studio Code Remote Tunnels, based on Microsoft’s dev tunnel technology, enable developers to access and\r\nwork on remote systems. This access includes the command terminal and file system, allowing activities such as\r\ncommand execution and file editing. The Operation Digital Eye actors abused this functionality to maintain\r\npersistent backdoor access to compromised systems.\r\nIn an attempt to evade detection based on filesystem activity, the threat actors used %SystemRoot%\\Temp and\r\n%ProgramData%\\Visual Studio Code as their primary working directories for storing tools and data.\r\n%SystemRoot%\\Temp is a directory where Windows stores temporary files and is often monitored with less\r\nscrutiny. %ProgramData%\\Visual Studio Code was intended to appear as a legitimate directory associated with\r\nVisual Studio Code.\r\nThe intrusions were detected and interrupted before the attackers could proceed to further phases, such as\r\nexfiltrating data.\r\nAbuse of Visual Studio Code\r\nThe threat actors deployed a portable Visual Studio Code executable named code.exe , which is digitally signed\r\nby Microsoft, and used the winsw tool to run it as a Windows service. 
The winsw configuration file we retrieved\r\nindicates that the attackers created a service named Visual Studio Code Service , which executes code.exe\r\nwith the tunnel command-line parameter at every system startup.\r\nThe configuration file reveals a pragmatic approach by the threat actors, who likely modified a publicly available\r\nwinsw configuration. This is suggested by the use of the myapp service identifier and the %BASE%\\logs\r\ndirectory for storing winsw log files, both of which appear in the public configuration file as well as in the one\r\nwe retrieved.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 3 of 17\n\nwinsw configuration file\r\nThe tunnel parameter instructs Visual Studio Code to create a dev tunnel and act as a server to which remote\r\nusers can connect. After authenticating to the tunnel with a Microsoft or GitHub account, remote users can access\r\nthe endpoint running the Visual Studio Code server, either through the Visual Studio Code desktop application or\r\nthe browser-based version, vscode.dev.\r\nAfter creating the dev tunnels, the threat actors authenticated using GitHub accounts and accessed the\r\ncompromised endpoints through the browser-based version of Visual Studio Code. We have no knowledge of\r\nwhether the threat actors used self-registered or compromised GitHub accounts to authenticate to the tunnels.\r\nNetwork Infrastructure\r\nThe Operation Digital Eye actors used infrastructure located exclusively within Europe, sourced from the provider\r\nM247 and the Cloud platform Microsoft Azure. This was likely part of a deliberate strategy. Since the targeted\r\norganizations are based and operate within Europe, the attackers may have aimed to minimize suspicion by\r\naligning their infrastructure’s location with that of their targets. 
Additionally, Cloud infrastructure commonly used\r\nin legitimate IT workflows, such as Microsoft Azure, is often not closely monitored and is frequently allowed\r\nthrough firewall restrictions. By leveraging public Cloud infrastructure for malicious purposes, the attackers made\r\nthe traffic appear legitimate, which can be challenging to detect and may evade security defenses.\r\nIn the initial phases of the attacks, the threat actors used the server with IP address 146.70.161[.]78 to establish\r\ninitial access by detecting and exploiting SQL injection vulnerabilities, and the server with IP address\r\n185.76.78[.]117 to operate the PHPsert webshell. Both IP addresses are allocated to the infrastructure provider\r\nM247 and are located in Poland and Italy, respectively.\r\nIn the later phases of the attacks, the threat actors used the server with IP address 4.232.170[.]137 for C2\r\npurposes when remotely accessing compromised endpoints via the SSH protocol. This server is part of Microsoft’s\r\nAzure infrastructure in the Italy North datacenter region (Azure IP range: 4.232.128[.]0/18 , service tag:\r\nAzureCloud.italynorth ). We currently have no information on whether the threat actors used self-registered or\r\ncompromised Azure credentials to access and manage the Azure resources and services.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 4 of 17\n\nThe abuse of Visual Studio Code tunneling for C2 purposes also relies on Microsoft Azure infrastructure. Creating\r\nand hosting a dev tunnel requires connecting to a Microsoft Azure server with a domain of *.\r\n[clusterID].devtunnels.ms , where [clusterID] corresponds to the Azure region of the endpoint running the\r\nVisual Studio Code server, such as euw for West Europe . 
In Operation Digital Eye, the creation of dev tunnels\r\ninvolved establishing connections to the server with the domain [REDACTED].euw.devtunnels[.]ms , which\r\nresolved to the IP address 20.103.221[.]187 . This server is part of Microsoft’s Azure infrastructure in the West\r\nEurope datacenter region (Azure IP range: 20.103.0[.]0/16 , service tag: AzureCloud.westeurope ).\r\nThe PHPsert Webshell\r\nPHPsert executes attacker-provided PHP code using the assert function, which, in PHP versions prior to 8.0.0,\r\ninterprets and runs parameter strings as PHP code. To hinder static analysis and evade detection, the webshell uses\r\nvarious code obfuscation techniques, including XOR encoding, hexadecimal character representation, string\r\nconcatenation, and randomized variable names.\r\nPHPsert implementation\r\nThe PHPsert webshell operates as follows:\r\nPHPsert instantiates a class with a single regular method, which XOR-decodes and concatenates\r\nhexadecimal characters to generate the string assert . The class’s destructor (the magic method\r\n__destruct ) uses this string to invoke the assert function, passing attacker-provided PHP code as a\r\nparameter.\r\nThe webshell retrieves the attacker-provided PHP code from an HTTP POST request parameter, for\r\nexample, momomomo . If the id parameter is present in the request URL, PHPsert decodes the Base64-\r\nencoded value of the POST parameter. 
If the id parameter is absent, the webshell uses the raw value of\r\nthe parameter.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 5 of 17\n\nFinally, when PHPsert finishes executing, the class’s destructor is invoked, which in turn calls the assert\r\nfunction to execute the attacker-provided PHP code.\r\nWe identified multiple PHPsert variants, which have been submitted to malware sharing platforms since May\r\n2023, from various locations including Japan, Singapore, Peru, Taiwan, Iran, Korea, and the Philippines. These\r\nvariants show only minor differences in their implementation, such as varying variable names and POST request\r\nparameters like mr6 , brute , and qq . Our analysis suggests that PHPsert is deployed not only as a standalone\r\nPHP file but is also integrated into various types of web content, including web text editors and content\r\nmanagement systems.\r\nOne of the PHPsert variants contains commented-out code snippets and comments in simplified Chinese that\r\ndescribe nearby code. These comments and snippets are not present in the PHPsert versions observed in Operation\r\nDigital Eye, nor in any of the webshell’s other variants. 
Below are the code comments, all of which are machine-translated from simplified Chinese:\r\n结果是\"assert\" , which translates to The result is \"assert\" .\r\n验证 $this-\u003erg 是否安全 , which translates to Verify that $this-\u003erg is safe .\r\n验证和清理用户输入 , which translates to Validating and sanitizing user input .\r\nPHPsert code snippets with comments in Chinese\r\nThe presence of these comments, along with the indicators of removed code across PHPsert variants, suggests the\r\npotential involvement of Chinese-speaking developers who may have been simplifying the webshell’s execution\r\nlogic.\r\nPass-the-Hash Capability\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 6 of 17\n\nThe bK2o.exe executable (a custom modified version of Mimikatz used in Operation Digital Eye for pass-the-hash attacks) enables the execution of processes within a user’s security context by leveraging a compromised\r\nNTLM password hash, bypassing the need for the user’s actual password. To achieve this, bK2o.exe overwrites\r\nmemory of the LSASS process. The tool supports the following command-line parameters:\r\n/c : The process to execute; defaults to cmd.exe if not provided.\r\n/u : The user’s username.\r\n/d : The user’s domain.\r\n/h : The NTLM password hash.\r\nbK2o.exe implements a pass-the-hash technique by overwriting LSASS memory in a manner similar to\r\nMimikatz, with its implementation partially overlapping with Mimikatz functions such as\r\nkuhl_m_sekurlsa_pth_luid and kuhl_m_sekurlsa_msv_enum_cred_callback_pth . 
In summary, bK2o.exe\r\nperforms the following:\r\nCreates a suspended process in a new logon session, specifying the attacker-provided process, username,\r\ndomain, and an empty password.\r\nBased on the session’s locally unique identifier (LUID), locates and extracts from the LSASS process\r\nmemory an encrypted credential data blob containing the user’s NTLM hash and the encryption keys\r\nrequired to decrypt the blob.\r\nDecrypts the data blob, overwrites the user’s NTLM hash with the attacker-provided hash, and re-encrypts\r\nthe data blob.\r\nResumes the suspended process.\r\nbK2o.exe creates a new process and retrieves the logon session’s LUID\r\nTo navigate LSASS memory, bK2o.exe uses code signatures, represented as byte sequences in hexadecimal\r\nformat. These sequences correspond to known LSASS instructions, which serve as navigation points within the\r\nmemory.\r\nTo hinder static analysis and evade detection, bK2o.exe obfuscates code signatures and strings by constructing\r\nthem dynamically on the stack at runtime, instead of storing them as static data.\r\nbK2o.exe constructs the string lsasrv.dll on the stack\r\nbK2o.exe constructs the code signature 33 ff 41 89 37 4c 8b f3 […] on the stack\r\nFrom Operation Digital Eye to Tainted Love and Soft Cell\r\nWe identified two additional samples uploaded to malware sharing platforms that construct code signatures on the\r\nstack, which we refer to as wsx.exe and wsx1.exe. Like bK2o.exe, both wsx.exe and wsx1.exe are\r\ncustom modified versions of Mimikatz and implement pass-the-hash functionality.\r\nSubstantial code segments in wsx.exe and wsx1.exe, which implement the construction of code signatures on\r\nthe stack, overlap with those in bK2o.exe, including identical mov instruction operand sizes and values. 
This\r\nsuggests that wsx.exe, wsx1.exe, and bK2o.exe are highly likely derived from the same source.\r\nCode segment in bK2o.exe\r\nCode segment in wsx1.exe\r\nIn turn, we observed overlaps between wsx.exe, wsx1.exe, and mim221 components. mim221 is a versioned\r\nand well-maintained credential theft tool, also a custom modified version of Mimikatz, which SentinelLABS\r\nobserved in Operation Tainted Love — a campaign targeting telecommunication providers in the Middle East in\r\n2023.\r\nWe attributed Operation Tainted Love to a suspected Chinese cyberespionage group within the nexus of Granite\r\nTyphoon (formerly known as Gallium) and APT41, while acknowledging the possibility of tool sharing among\r\nChinese state-sponsored threat actors and the potential involvement of a shared vendor or digital quartermaster.\r\nWe assess that mim221 represents an evolution of tooling associated with Operation Soft Cell, such as\r\nsimplify_32.exe. Operation Soft Cell, which targeted telecommunication providers in 2017 and 2018, has been\r\nlinked to Granite Typhoon, and possible connections between the Soft Cell actors and APT41 have also been\r\nsuggested.\r\nmim221 has a multi-component architecture, with a single executable staging three components — pc.dll,\r\nAddSecurityPackage64.dll, and getHashFlsa64.dll — using techniques such as decryption, injection, and\r\nreflective image loading. 
These components share several overlaps with bK2o.exe , wsx.exe , and wsx1.exe .\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 10 of 17\n\nTo hinder static analysis, some mim221 components also obfuscate strings by constructing them on the stack at\r\nruntime. Additionally, the mim221 components AddSecurityPackage64.dll and getHashFlsa64.dll implement\r\nerror logging similar to that of wsx.exe and wsx1.exe , including identical custom error messages, a consistent\r\noutput format, and the same English-language errors.\r\nError messages in mim221\r\nError messages in wsx.exe and wsx1.exe\r\nIn addition, RTTI (Run-Time Type Information) information stored in wsx.exe , wsx1.exe , and the mim221\r\ncomponent getHashFlsa64.dll reveals that classes with the same names are declared across these executables.\r\nWe have not observed these class names in open-source or publicly available tooling.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 11 of 17\n\nClass names (those present in more than one executable are highlighted in bold)\r\nmimCN | A Collection of China-Nexus APT Tools\r\nDue to the previously discussed overlaps between bK2o.exe (used in Operation Digital Eye), wsx.exe ,\r\nwsx1.exe , mim221 components (used in Operation Tainted Love), and simplify_32.exe (used in Operation\r\nSoft Cell), we collectively refer to this collection of tools as mimCN.\r\nThe mimCN samples bK2o.exe, wsx.exe, wsx1.exe, and mim221\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 12 of 17\n\nWe include in the mimCN tool collection not only the previously mentioned tools but also any other custom\r\nmodifications of Mimikatz that have overlaps with other mimCN executables, 
suggesting they may originate from\r\nthe same source. Such overlaps include shared code-signing certificates and the use of unique custom error\r\nmessages or obfuscation techniques.\r\nTo date, we have observed mimCN tools exclusively in the context of suspected Chinese APT activities. Although\r\nthe compilation timestamps of the mimCN samples observed in these intrusions could have been manipulated, the\r\nproximity of the timestamps to when the activities occurred suggests that they are likely authentic.\r\nOperation | mimCN sample | Compilation timestamp (UTC)\r\nDigital Eye | bK2o.exe | Thu May 30 08:47:56 2024\r\nTainted Love | mim221 (pc.exe) | Thu Jun 09 08:02:12 2022\r\nTainted Love | mim221 (AddSecurityPackage64.dll) | Thu Jun 09 08:01:46 2022\r\nTainted Love | mim221 (pc.dll) | Tue Jun 07 16:55:05 2022\r\nTainted Love | mim221 (getHashFlsa64.dll) | Fri May 27 20:56:26 2022\r\nSoft Cell | simplify_32.exe | Tue Nov 20 03:54:21 2018\r\nUse of mimCN samples\r\nFurther, unique usage instructions found in some mimCN samples, such as [ERROR]Please input command. eg,\r\n/cmd:xxx and [ERROR]Please input ip. eg, /ip:xx.XXX.xx.x or /ip:xxx.com, suggest the involvement of a\r\ndedicated development team that is leaving instructions for a separate group of operators. Combined with the\r\npresence of overlapping mimCN samples across various intrusions attributed to China-nexus APT groups and\r\ndistributed over years, this suggests that mimCN is likely the product of an entity responsible for maintaining and\r\nprovisioning tools to multiple clusters within the Chinese APT ecosystem.\r\nAttribution Analysis\r\nWe assess that Operation Digital Eye was highly likely conducted by a China-nexus cluster with cyberespionage\r\nmotivations. The specific group responsible remains unclear due to the extensive sharing of malware, operational\r\nplaybooks, and infrastructure management processes among Chinese APT clusters. 
Our assessment is based on a\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 13 of 17\n\ncollective consideration of multiple indicators, including the malware, infrastructure, and techniques used,\r\nvictimology, and the timing of the activities.\r\nMalware\r\nA variant of the PHPsert webshell contains code comments in simplified Chinese. This suggests the potential\r\ninvolvement of Chinese-speaking developers. Further, the custom Mimikatz modification bK2o.exe used in\r\nOperation Digital Eye is part of the mimCN collection and shares implementation overlaps with other custom\r\nMimikatz modifications, suggesting a common origin. These tools have been observed exclusively in the context\r\nof suspected Chinese APT activities, such as Operation Soft Cell and Operation Tainted Love. Malware and\r\ntooling used in these operations have been associated with the suspected Chinese APT groups Granite Typhoon\r\nand APT41, and possible connections to other China-nexus groups, such as APT10 and Lucky Mouse have also\r\nbeen suggested.\r\nThe mimCN tool collection suggests the presence of a shared vendor or digital quartermaster responsible for the\r\nsustained development and provisioning of tools to groups within the Chinese APT ecosystem. This function is\r\nsuspected to play a significant role in the Chinese threat landscape. The I-Soon leak, which offers rare insight into\r\nChina’s cyberespionage activities, provides supporting evidence for the existence of digital quartermasters within\r\nthis landscape.\r\nInfrastructure\r\nWhile not exclusive to Chinese APT groups, the use of M247 infrastructure, as seen in Operation Digital Eye, has\r\nbeen common among them in recent years. 
One example is the M247 infrastructure attributed to the suspected\r\nChinese cluster STORM-0866 (also known as Red Dev 40), with which the Sandman APT group is associated.\r\nAdditionally, the use of Cloud services and resources located in geographic proximity to the targeted organizations\r\nin Operation Digital Eye suggests a carefully planned and targeted infrastructure management approach. In this\r\ncontext, we suspect the potential involvement of third-party entities tasked with administering and provisioning\r\ninfrastructure, a practice that has become increasingly common in the Chinese APT ecosystem in recent years.\r\nAbuse of Visual Studio Code\r\nOur visibility into threat actor activities suggests that the abuse of Visual Studio Code tunneling for C2 purposes\r\nwas relatively rare in the wild before Operation Digital Eye.\r\nPrevious research indicates that, starting in 2023, a suspected North Korean group has used Visual Studio Remote\r\nTunnels to maintain persistence in compromised networks. Additionally, in October 2024, Cyble released a report\r\ndocumenting unattributed activity in which threat actors distributed a Windows Shortcut (LNK) file to deploy\r\nVisual Studio Code and activate its tunneling feature to establish remote access.\r\nAs of this writing, the only publicly disclosed use of this technique around the time of Operation Digital Eye has\r\nbeen attributed to a suspected Chinese APT group. In September 2024, Unit 42 published a report on a campaign\r\ntargeting government entities in Southeast Asia, in which threat actors used Visual Studio Code as a backdoor. The\r\ncampaign was attributed to Stately Taurus (also known as Mustang Panda). 
The exact timeline of the campaign is\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 14 of 17\n\nunclear, with mid-August 2024 being the only reference point explicitly mentioned in the Unit 42 report. Based on\r\nthis, we suspect that Operation Digital Eye occurred prior to this activity.\r\nWe did not observe any overlaps in TTPs between Operation Digital Eye and the activity reported by Unit 42,\r\nexcept for the abuse of Visual Studio Code. We recognize the possibility that distinct Chinese APT clusters may\r\nshare operational playbooks that include leveraging Visual Studio Code for C2 purposes.\r\nTemporal Analysis\r\nOur analysis of timestamps marking the dates and times of operator activity in the targeted organizations showed\r\nthat all activities occurred on workdays (Monday to Friday). Additionally, converting the timestamps from their\r\noriginal time zones, Coordinated Universal Time (UTC) and Central European Summer Time (CEST, UTC+2), to\r\nChina Standard Time (CST, UTC+8) revealed that the operators were primarily active during typical working\r\nhours in China, mostly between 9 a.m. and 9 p.m. CST.\r\nThis suggests a potentially state-sanctioned operation. The ‘996’ work schedule (9 a.m. to 9 p.m. CST, six days a\r\nweek) has been common in China’s technology sector, but it was ruled illegal by the Supreme People’s Court in\r\n2021. As a result, state employees are almost certainly restricted to weekday work, typically between 9 a.m. and 9\r\np.m., aligning closely with our observations from the timestamp analysis.\r\nThe figure below shows the total number of connections established by the threat actors to Visual Studio Code\r\ntunnels throughout Operation Digital Eye, broken down by hour of the day. The data is presented in both the\r\noriginal time zone (CEST) and in China Standard Time (CST, CEST+6). 
We observed minimal to no activity\r\nbetween 10 p.m. and 9 a.m. CST, as well as between 11 a.m. and 1 p.m. CST, which aligns with the typical daily\r\nworking hours in China, including the midday lunch break.\r\nNumber of established connections to Visual Studio Code tunnels\r\nConclusions\r\nOperation Digital Eye highlights the persistent threat posed by Chinese cyberespionage groups to European\r\nentities, with these threat actors continuing to focus on high-value targets. The campaign underscores the strategic\r\nnature of this threat, as breaching organizations that provide data, infrastructure, and cybersecurity solutions to\r\nother industries gives the attackers a foothold in the digital supply chain, enabling them to extend their reach to\r\ndownstream entities.\r\nhttps://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/\r\nPage 15 of 17\n\nThe abuse of Visual Studio Code Remote Tunnels in this campaign illustrates how Chinese APT groups often rely\r\non practical, solution-oriented approaches to evade detection. By leveraging a trusted development tool and\r\ninfrastructure, the threat actors aimed to disguise their malicious activities as legitimate. The exploitation of\r\nwidely used technologies, which security teams may not scrutinize closely, presents a growing challenge for\r\norganizations. For defenders, this calls for a reevaluation of traditional security approaches and the\r\nimplementation of robust detection mechanisms to identify such evasive techniques in real time.\r\nLateral movement capabilities observed in Operation Digital Eye, linked to custom Mimikatz modifications used\r\nin previous campaigns, indicate the potential involvement of shared vendors or digital quartermasters and the\r\nimportant function they serve in the Chinese APT ecosystem. 
These centralized entities provide continuity and\r\nadaptability to cyberespionage operations, equipping threat actors with consistently updated tools and evolving\r\ntactics as they target new victims.\r\nIndicators of Compromise\r\nSHA1 Hashes\r\nValue Note\r\n0be9dd709d7d68887a92c793881dd4a010796e95 The CreateDump tool (do.exe)\r\n213f06ed5ac9e688816b4bbe73bf507994949964 The GetUserInfo tool\r\n289f3bfe297923507cf4c26ca500ae01819c6a95 The local.exe tool\r\n2e2cf8a4a0e7decceb8e22536b13173479da0d13 PHPsert variant\r\n3035d8846d7a9f309f2d24daba6ac33ad99524fc PHPsert variant\r\n399776991a094e1ee78b2a915bf4491e67c04ec7 PHPsert variant\r\n3a688c844259822c51ceb3aea508303c4a654eb3 PHPsert variant\r\n4d6947a19dd9a420c22fee39fac8b4df95a47569 PHPsert variant\r\n63cea28d927f8e629377399fa08a9cb4fd0c6238 PHPsert variant\r\n6549e50645bb1c02e4972651d335a75cb6d5aa74 PHPsert variant\r\n7941909fd5c1277c6f7baf21e484c9e59ea454ee mimCN (bK2o.exe)\r\n7cb7bcb9187f8faf47fd77cf1213ab3fe2350a77 mimCN (simplify_32.exe)\r\n82b1cb9b69d5f05bb20852322fb3c2c00bce9134 mimCN (wsx.exe)\r\n83ca53c95705352ff60149b0b17a686956e23172 PHPsert variant\r\na9d6d0c47728094feb794ad7e25c253737633140 Visual Studio Code (code.exe)\r\nb2811cb4d0afe13d2722093039a72588c348dcfd PHPsert variant\r\nc0e03fce8f7f51e91da79f773aa870f0897b0ee2 PHPsert variant\r\ncb6726fb3f7952ede04ed22d2c72389255991827 PHPsert variant\r\nd57fa43944676c56e66f4b20ffa3d82048e354fd PHPsert variant\r\ne572380ab95c4ab5a87f701d4654d3386911b387 do.bat\r\ne8a8d8fa7122c1592a314343b45bac2c213bb57d mimCN (wsx1.exe)\r\nIP Addresses\r\nValue Note\r\n146.70.161[.]78 Server used for initial access (SQL injection attack)\r\n185.76.78[.]117 C2 server (PHPsert webshells)\r\n20.103.221[.]187 Visual Studio Code dev tunnel\r\n4.232.170[.]137 C2 server (SSH access)\r\nDomains\r\nValue 
Note\r\n[REDACTED].euw.devtunnels[.]ms Visual Studio Code dev tunnel\r\nSource: https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.sentinelone.com/labs/operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels/"
	],
	"report_names": [
		"operation-digital-eye-chinese-apt-compromises-critical-digital-infrastructure-via-visual-studio-code-tunnels"
	],
	"threat_actors": [
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "03e8b0b5-c7fb-424a-a67b-f40c3ba3f51c",
			"created_at": "2023-10-14T02:03:14.454929Z",
			"updated_at": "2026-04-10T02:00:04.882917Z",
			"deleted_at": null,
			"main_name": "Sandman",
			"aliases": [],
			"source_name": "ETDA:Sandman",
			"tools": [
				"DreamLand",
				"LuaDream"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bf3ffe5-09ba-4378-8ea4-a6d748a494fd",
			"created_at": "2022-10-25T15:50:23.264584Z",
			"updated_at": "2026-04-10T02:00:05.334294Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"GALLIUM",
				"Granite Typhoon"
			],
			"source_name": "MITRE:GALLIUM",
			"tools": [
				"ipconfig",
				"cmd",
				"China Chopper",
				"PoisonIvy",
				"at",
				"PlugX",
				"PingPull",
				"BlackMould",
				"Mimikatz",
				"PsExec",
				"HTRAN",
				"NBTscan",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6fde2d10-cf90-4eae-a249-838a36f76075",
			"created_at": "2023-12-19T02:00:06.26466Z",
			"updated_at": "2026-04-10T02:00:03.498264Z",
			"deleted_at": null,
			"main_name": "Sandman APT",
			"aliases": [],
			"source_name": "MISPGALAXY:Sandman APT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10",
				"CTG-5938",
				"CVNX",
				"Hogfish",
				"MenuPass",
				"MirrorFace",
				"POTASSIUM",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda"
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "aea3239c-a222-4b7f-8ac0-349222078817",
			"created_at": "2024-12-28T02:01:54.867096Z",
			"updated_at": "2026-04-10T02:00:04.840444Z",
			"deleted_at": null,
			"main_name": "Operation Tainted Love",
			"aliases": [],
			"source_name": "ETDA:Operation Tainted Love",
			"tools": [
				"Mimikatz",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6d7e8ca8-d5a4-4514-baef-b208b607e48e",
			"created_at": "2024-12-28T02:01:54.84356Z",
			"updated_at": "2026-04-10T02:00:04.798594Z",
			"deleted_at": null,
			"main_name": "Operation Digital Eye",
			"aliases": [],
			"source_name": "ETDA:Operation Digital Eye",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PHPsert",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta",
				"HoneyMyte",
				"Mustang Panda",
				"Red Delta",
				"Red Lich",
				"Stately Taurus",
				"TA416",
				"Temp.Hex",
				"Twill Typhoon"
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3b8b4ed7-e8cc-4a3a-b14d-c8ebf87c0f9c",
			"created_at": "2023-01-06T13:46:39.062729Z",
			"updated_at": "2026-04-10T02:00:03.200784Z",
			"deleted_at": null,
			"main_name": "Operation Soft Cell",
			"aliases": [],
			"source_name": "MISPGALAXY:Operation Soft Cell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27",
				"Bowser",
				"Budworm",
				"Circle Typhoon",
				"Emissary Panda",
				"Group35",
				"Iron Tiger",
				"Linen Typhoon",
				"Lucky Mouse",
				"TG-3390",
				"Temp.Hippo"
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9faf32b7-0221-46ac-a716-c330c1f10c95",
			"created_at": "2022-10-25T16:07:23.652281Z",
			"updated_at": "2026-04-10T02:00:04.702108Z",
			"deleted_at": null,
			"main_name": "Gallium",
			"aliases": [
				"Alloy Taurus",
				"G0093",
				"Granite Typhoon",
				"Phantom Panda"
			],
			"source_name": "ETDA:Gallium",
			"tools": [
				"Agentemis",
				"BlackMould",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"Gh0stCringe RAT",
				"HTran",
				"HUC Packet Transmit Tool",
				"LaZagne",
				"Mimikatz",
				"NBTscan",
				"PingPull",
				"Plink",
				"Poison Ivy",
				"PsExec",
				"PuTTY Link",
				"QuarkBandit",
				"Quasar RAT",
				"QuasarRAT",
				"Reshell",
				"SPIVY",
				"SinoChopper",
				"SoftEther VPN",
				"Sword2033",
				"WCE",
				"WinRAR",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Yggdrasil",
				"cobeacon",
				"nbtscan",
				"netcat",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c87ee2df-e528-4fa0-bed6-6ed29e390688",
			"created_at": "2023-01-06T13:46:39.150432Z",
			"updated_at": "2026-04-10T02:00:03.231072Z",
			"deleted_at": null,
			"main_name": "GALLIUM",
			"aliases": [
				"Red Dev 4",
				"Alloy Taurus",
				"Granite Typhoon",
				"PHANTOM PANDA"
			],
			"source_name": "MISPGALAXY:GALLIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434911,
	"ts_updated_at": 1775792221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5bed7c2b59998af1daf690c5e860d016c9b50e47.pdf",
		"text": "https://archive.orkl.eu/5bed7c2b59998af1daf690c5e860d016c9b50e47.txt",
		"img": "https://archive.orkl.eu/5bed7c2b59998af1daf690c5e860d016c9b50e47.jpg"
	}
}