Operation Digital Eye

Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.[1]

ID: C0061
First Seen: June 2024 [1]
Last Seen: July 2024 [1]
Version: 1.0
Created: 19 April 2026
Last Modified: 24 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1087.001 Account Discovery: Local Account

During Operation Digital Eye, threat actors used the local.exe tool to view local account information.[1]

Enterprise T1098.004 Account Manipulation: SSH Authorized Keys

During Operation Digital Eye, threat actors used SSH access enabled by authorized_keys files for remote execution.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

During Operation Digital Eye, threat actors used cmd.exe as a default method of execution for a custom version of Mimikatz named bK2o.exe.[1]

Enterprise T1543.003 Create or Modify System Process: Windows Service

During Operation Digital Eye, threat actors created a service named Visual Studio Code Service to run Visual Studio Code.[1]

Enterprise T1190 Exploit Public-Facing Application

During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers.[1]

Enterprise T1591 Gather Victim Org Information

During Operation Digital Eye, threat actors concealed malicious activity by using terms that aligned with the technological context of the targeted organization.[1]

Enterprise T1665 Hide Infrastructure

During Operation Digital Eye, threat actors used public cloud infrastructure to mask malicious activity.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

During Operation Digital Eye, threat actors deleted files delivered to compromised hosts, often named with the pattern do.* such as do.exe.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Resource Name or Location

During Operation Digital Eye, threat actors attempted to make filenames appear legitimate by tailoring them to the victim organization.[1]

Enterprise T1106 Native API

During Operation Digital Eye, threat actors used native APIs such as GetUserInfo.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

During Operation Digital Eye, threat actors used third-party tools, including custom implementations of Mimikatz.[1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

During Operation Digital Eye, threat actors targeted memory from the LSASS process to extract credentials.[1]

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

During Operation Digital Eye, threat actors used the reg save command to retrieve credentials from the Security Account Manager (SAM) database.[1]

Enterprise T1069.001 Permission Groups Discovery: Local Groups

During Operation Digital Eye, threat actors used the local.exe tool to view group memberships.[1]

Enterprise T1219.001 Remote Access Tools: IDE Tunneling

During Operation Digital Eye, threat actors created Visual Studio Code dev tunnels to access targeted endpoints through the browser-based version of Visual Studio Code.[1]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

During Operation Digital Eye, threat actors moved laterally using RDP.[1]

Enterprise T1018 Remote System Discovery

During Operation Digital Eye, threat actors used Ping for reconnaissance.[1]

Enterprise T1505.003 Server Software Component: Web Shell

During Operation Digital Eye, threat actors deployed a PHP-based web shell to maintain persistent access.[1]

Enterprise T1614.001 System Location Discovery: System Language Discovery

During Operation Digital Eye, threat actors used the local language of targeted organizations to disguise file system activity.[1]

Enterprise T1033 System Owner/User Discovery

During Operation Digital Eye, threat actors used GetUserInfo to identify current user information.[1]

Enterprise T1569.002 System Services: Service Execution

During Operation Digital Eye, threat actors used the winsw tool to deploy a Visual Studio Code executable as a Windows service.[1]

Enterprise T1550.002 Use Alternate Authentication Material: Pass the Hash

During Operation Digital Eye, threat actors used a pass-the-hash capability to move laterally.[1]

Software

ID Name Description
S0002 Mimikatz

During Operation Digital Eye, threat actors used custom implementations of Mimikatz.[1]

S9028 PHPsert

During Operation Digital Eye, threat actors deployed PHPsert for execution and to maintain access.[1]

S0097 Ping

During Operation Digital Eye, threat actors used Ping for reconnaissance.[1]

S0225 sqlmap

During Operation Digital Eye, threat actors used sqlmap to automate SQL injection.[1]

References