{
	"id": "7eab1d46-509b-4576-b72e-1dfbebb4e253",
	"created_at": "2026-04-06T00:12:09.182734Z",
	"updated_at": "2026-04-10T03:36:33.653937Z",
	"deleted_at": null,
	"sha1_hash": "a3e094ec2f6c68bbe821f7f187f9d1f4e6aa7be0",
	"title": "Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4229511,
	"plain_text": "Golang Beacons and VS Code Tunnels: Tracking a Cobalt Strike Server Leveraging Trusted Infrastructure\r\nPublished: 2025-01-07 · Archived: 2026-04-05 18:51:02 UTC\r\nCommand and control (C2) infrastructure is vital for communicating with compromised hosts, enabling threat actors to exfiltrate data, move laterally, and maintain access. As defenders strengthen traditional detection methods, adversaries have turned to creative techniques to control implants, often leveraging trusted platforms to evade scrutiny.\r\nIn late November, our research team identified a Cobalt Strike server displaying a well-known watermark and a unique TLS certificate, a pivot point shared by 50 other IPs. Shortly thereafter, a Golang-compiled beacon tied to the server was uploaded to multiple malware sandbox platforms. Further analysis revealed the beacon's communication using Visual Studio Code dev tunnels, an uncommon tactic increasingly observed among threat actors leveraging trusted infrastructure to evade detection.\r\nKey Findings:\r\nA Cobalt Strike server using a unique TLS certificate and an oft-seen watermark.\r\nA Golang-compiled beacon communicating with the initial server and leveraging Visual Studio Code Tunnels.\r\nAdditional Azure-hosted infrastructure, though its connection to the initial server remains uncertain due to shared hosting.\r\nIn this post, we explore these findings in depth, offering defenders key indicators to detect and mitigate similar activity in their environments.\r\nOur research began with the identification of a server hosted at 189.1.231[.]190, located in Hong Kong and operating on the Huawei Cloud network. First observed on November 20th, Hunt scans detected two Cobalt Strike servers on ports 443 and 1001.\r\nhttps://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike\r\nPage 1 of 11\r\nFigure 1: IP overview of the team server that caught our attention (Hunt).\r\nLooking at the beacon configuration for port 443 (readily available by clicking on the \"i\") showed that under the endpoints field was a devtunnels.ms domain, a key element we will revisit later in this post.\r\nFigure 2: Snippet of beacon configuration.\r\nPort 1001, in turn, displayed a similar configuration, with its /sugrec endpoint also being used for C2 communication. Both team servers use the 100000 watermark, a widely recognized identifier within Cobalt Strike deployments. While rare watermarks have previously helped uncover unique threat activity clusters, as discussed in our earlier research, this case stands apart.\r\nAs seen in Figure 1, the Associations tab lists 76 additional team servers using the same watermark. This widespread adoption reduces the likelihood of a targeted or exclusive operation. However, it's possible that threat actors deliberately chose this identifier to blend into the noise, exploiting the assumption that widely used configurations may not attract the same level of scrutiny as rarer indicators.\r\nFigure 3: Snippet of associated team servers sharing the 100000 watermark (Hunt).\r\nAdditionally, both servers employ a self-signed TLS certificate with the following SHA-256 hash:\r\nEB5AC849E783E3C6EDDCD5619CA230B6D8E218E3C7326E0148C21EEF3847FF69\r\nThe full certificate details are shown below:\r\nCommon Name: US\r\nCountry: CN\r\nOrganization: Software\r\nOrganizational Unit: qq[.]com\r\nLocation: Somewhere\r\nState: Cyberspace\r\nFigure 4: Certificate data for the qq[.]com-themed certificate (Hunt).\r\nHunt scan data indicates this certificate is currently used by 59 additional IP addresses across the internet.\r\nFigure 5: Snippet of the associated certificates (Hunt).\r\nThe Golang Beacon: Putting the Pieces Together\r\nThe malicious file, yqWiQTrBWj.exe (SHA-256: c717d8b26de612e15015cd55940215be336963b6062196f9d847912b98582627), was uploaded to multiple malware sandbox platforms and flagged by several vendors as a Cobalt Strike beacon. For this analysis, we focus on the results obtained from VirusTotal and Hatching Triage.\r\nThe Role of Golang in Offensive Operations\r\nGolang has emerged as a favored language in offensive operations due to its cross-platform compatibility and ease of use. Tools like Geacon, an open-source project that implements Cobalt Strike functionality in Go, have been observed in numerous network intrusions. However, we could not establish a direct link between this sample and Geacon, leaving its exact origins uncertain.\r\nBehavioral Analysis\r\nDespite sparse results from VirusTotal and Triage, we were able to identify some behavioral patterns:\r\n1. Environment Checks: Upon execution, the malware calls the GetCommandLine API to determine whether it is running in a virtualized environment.\r\n2. Host Profiling: The file collects various system details, including the operating system version, hosts file, computer name, and machine timezone. This data is likely exfiltrated to the attacker, who can then decide whether the host warrants further exploitation.\r\nAmong the programming-related artifacts in the sample, a PDB path was uncovered:\r\nD:/CS4.5/cs4.5_dabaige_client/script/bypassHR/exe/result/Heapalloc.go\r\nThe CS4.5 reference likely corresponds to Cobalt Strike version 4.5, which aligns with the versions observed on the two identified team servers. This version was officially released on December 14, 2021.\r\nNetwork Connections\r\nAs part of its network communication, the executable makes an HTTP request to:\r\nhttps://189.1.231[.]190:1001/sugrec\r\nFigure 6: Network communication results in VirusTotal showing a request to the initial team server.\r\nNavigating to this URL in a controlled analysis environment produced a JSON-formatted message:\r\n{\"err_no\":0, \"errmsg\":\"\",\"queryid\":\"0x417943670752ec\"}\r\nFigure 7: JSON-formatted server response to the /sugrec endpoint.\r\nAnother GET request is made to https://lcjp4gwb-1001.asse[.]devtunnels.ms/_/passApi/js/wrapper.js.\r\nWhile the specifics of the above will be covered in the next section, the domain resolves to IP address 20.197.80[.]108, which is hosted on Microsoft's Azure infrastructure in Southeast Asia.\r\nThe server responds with a 200 OK status, a snippet of which can be found below:\r\nFigure 8: Snippet of the HTTP response to the wrapper.js endpoint of the tunnel (Triage).\r\nWhen accessed directly, the URL redirects to an overlay warning page, resembling typical phishing protection measures. However, embedded within the page's content is a timestamp indicating when the tunnel was created. In our case, the tunnel was established less than 24 hours prior to the date of writing.\r\n*There are ways to circumvent the interstitial page; however, those methods are best kept for a different post.\r\nThis timestamp offers valuable insight into the operational timeline, revealing when the tunnel was established and potentially indicating the campaign's stage within its lifecycle. Such information can help defenders identify active campaigns early, assess their potential scale, and prioritize mitigation efforts.\r\nFigure 9: Microsoft overlay page when navigating to the /wrapper.js endpoint.\r\nTunneling With Visual Studio Code\r\nInitially designed to facilitate secure remote access for developers, Visual Studio (VS) Code tunnels have been repurposed by threat actors as command and control (C2) channels, exploiting their integration with Microsoft Azure infrastructure to blend malicious activity into legitimate traffic.\r\nRecent reporting indicates this tactic is not going anywhere anytime soon. In Operation Digital Eye, SentinelOne attributed the use of VS Code tunnels to purported Chinese APT actors targeting critical infrastructure. Similarly, Unit 42's analysis of the Stately Taurus campaign revealed the weaponization of these tunnels to execute arbitrary commands and deliver additional payloads. Lastly, researchers from Itochu Cyber \u0026 Intelligence Inc. presented at JSAC 2024 on a Tropic Trooper campaign that leveraged a RAT in conjunction with VS Code tunnels to infiltrate networks.\r\nQuerying the IP address hosting the Visual Studio dev tunnel in Hunt reveals a handful of domains suggesting additional tunnels may be in use. Among these, two domains stand out as different from the others. However, it's important to note that this server is shared among multiple users, and the domains are not necessarily connected to the activity described in this post.\r\nFigure 10: Domains resolving to 20.197.80[.]108 in Hunt. Note the two domains (teamsstaging, and xn-)\r\nThe SSL history provides further insights, showing a pattern of certificates that can be used for hunting similar infrastructure using the Common Name \"Kubernetes Ingress Controller Fake Certificate,\" a detail previously reported by Chris Duggan (@TLP_R3D) on X.\r\nFigure 11: SSL History for the Visual Studio dev tunnel (Hunt).\r\nDev Tunnels include an inspect feature, allowing users to analyze tunnel traffic, a capability often used for debugging and connection management. Attempting to access the page for our suspect tunnel at https://lcjp4gwb-1001-inspect[.]asse.devtunnels.ms redirects to a Microsoft login page.\r\nThis strongly suggests that the actor(s) used a Microsoft account (about which we have no information) to create and manage the tunnel. Below is a partially redacted example of the redirect response.\r\nhttps://login.microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=[REDACTED]\u0026redirect_uri=https%3A%2F%2Fglobal.rel.\r\nWhile we did not uncover evidence of a Visual Studio Code executable embedded directly within the beacon or elsewhere on the attacker's server, the presence of these artifacts strongly reinforces the use of the software's tunnels as part of the attack infrastructure.\r\nCurrently, there is no indication of a particular target associated with the malicious beacon. However, we will continue to monitor for any changes or developments that may provide further clarity on the operation's intent.\r\nConclusion\r\nThe activity identified in this post highlights how threat actors are leveraging trusted platforms like Visual Studio Code tunnels to obscure malicious activity. From a Cobalt Strike server with a widely seen watermark and shared TLS certificates to a Golang-compiled beacon, our findings illustrate the lengths adversaries will go to in order to \"blend in\" and accomplish their goals.\r\nAs we continue to investigate the abuse of these remote tunnels, security teams can take an initial step by monitoring traffic to known dev tunnel domains. Additionally, scrutinizing or restricting their use in environments where Visual Studio Code is not operational can help reduce the risk of undetected activity. Proactive measures like these offer an opportunity to improve visibility into adversarial tactics leveraging trusted infrastructure.\r\nSource: https://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://hunt.io/blog/golang-beacons-vs-code-tunnels-tracking-cobalt-strike"
	],
	"report_names": [
		"golang-beacons-vs-code-tunnels-tracking-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "93542ae8-73cb-482b-90a3-445a20663f15",
			"created_at": "2022-10-25T16:07:24.058412Z",
			"updated_at": "2026-04-10T02:00:04.853499Z",
			"deleted_at": null,
			"main_name": "PKPLUG",
			"aliases": [
				"Stately Taurus"
			],
			"source_name": "ETDA:PKPLUG",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61ea51ed-a419-4b05-9241-5ab0dbba25fc",
			"created_at": "2023-01-06T13:46:38.354607Z",
			"updated_at": "2026-04-10T02:00:02.939761Z",
			"deleted_at": null,
			"main_name": "APT23",
			"aliases": [
				"BRONZE HOBART",
				"G0081",
				"Red Orthrus",
				"Earth Centaur",
				"PIRATE PANDA",
				"KeyBoy",
				"Tropic Trooper"
			],
			"source_name": "MISPGALAXY:APT23",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bef7800a-a08f-4e21-b65c-4279c851e572",
			"created_at": "2022-10-25T15:50:23.409336Z",
			"updated_at": "2026-04-10T02:00:05.319608Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"Tropic Trooper",
				"Pirate Panda",
				"KeyBoy"
			],
			"source_name": "MITRE:Tropic Trooper",
			"tools": [
				"USBferry",
				"ShadowPad",
				"PoisonIvy",
				"BITSAdmin",
				"YAHOYAH",
				"KeyBoy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6d7e8ca8-d5a4-4514-baef-b208b607e48e",
			"created_at": "2024-12-28T02:01:54.84356Z",
			"updated_at": "2026-04-10T02:00:04.798594Z",
			"deleted_at": null,
			"main_name": "Operation Digital Eye",
			"aliases": [],
			"source_name": "ETDA:Operation Digital Eye",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"PHPsert",
				"mim221"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "578f8e62-2bb4-4ce4-a8b7-6c868fa29724",
			"created_at": "2022-10-25T16:07:24.344358Z",
			"updated_at": "2026-04-10T02:00:04.947834Z",
			"deleted_at": null,
			"main_name": "Tropic Trooper",
			"aliases": [
				"APT 23",
				"Bronze Hobart",
				"Earth Centaur",
				"G0081",
				"KeyBoy",
				"Operation Tropic Trooper",
				"Pirate Panda",
				"Tropic Trooper"
			],
			"source_name": "ETDA:Tropic Trooper",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"ByPassGodzilla",
				"CHINACHOPPER",
				"CREDRIVER",
				"China Chopper",
				"Chymine",
				"Darkmoon",
				"Gen:Trojan.Heur.PT",
				"KeyBoy",
				"Neo-reGeorg",
				"PCShare",
				"POISONPLUG.SHADOW",
				"Poison Ivy",
				"RoyalRoad",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Swor",
				"TSSL",
				"USBferry",
				"W32/Seeav",
				"Winsloader",
				"XShellGhost",
				"Yahoyah",
				"fscan",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434329,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a3e094ec2f6c68bbe821f7f187f9d1f4e6aa7be0.pdf",
		"text": "https://archive.orkl.eu/a3e094ec2f6c68bbe821f7f187f9d1f4e6aa7be0.txt",
		"img": "https://archive.orkl.eu/a3e094ec2f6c68bbe821f7f187f9d1f4e6aa7be0.jpg"
	}
}