MITRE ATT&CK® Campaign

C0061: Operation Digital Eye

Operation Digital Eye was conducted in June and July of 2024 by suspected People's Republic of China (PRC)-nexus threat actors targeting business-to-business IT service providers in Southern Europe. Operation Digital Eye activity included the use of Visual Studio Code tunnels for command and control (C2) and custom lateral movement capabilities. Overlaps in tooling between Digital Eye and previous China-nexus campaigns, Operation Soft Cell and Operation Tainted Love, indicate the potential use of shared vendors or digital quartermasters.[1]

Enterprise | C0061 | Campaign | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Operation Digital Eye is material because ATT&CK describes a 2024 campaign against business-to-business IT service providers using Visual Studio Code tunnels for command and control, web shell activity, credential access, discovery, and lateral movement behaviors. For leaders, the key issue is not only one intrusion path; it is whether trusted IT service environments can be used as durable access points while activity blends into legitimate developer, admin, and remote-management workflows.

Executive priority

Prioritize validation around exposed applications, developer tunneling tools, privileged credential protection, and lateral movement controls. This campaign is especially relevant to organizations that provide or depend on IT services, because compromise of service-provider infrastructure can create operational, customer-trust, and audit-evidence questions even when ATT&CK does not provide customer-specific exposure details.

Technical view

ATT&CK provides no campaign-specific detection text, so defenders should map coverage from the related behaviors: exploitation of public-facing applications, PHP web shells/PHPsert, IDE tunneling for C2, Windows command shell and service execution, Mimikatz/LSASS/SAM credential access, local account and group discovery, remote system discovery, RDP and pass-the-hash lateral movement, SSH authorized_keys persistence, Windows service persistence, file deletion, and legitimate-name/location masquerading. The campaign object has no platforms specified; related techniques span Windows, Linux, macOS, ESXi, IaaS, containers, and network devices, so scope must be confirmed against local assets.

Likely telemetry

  • Internet-facing application, web server, CMS, and database access/error logs
  • Web content and file-integrity monitoring for unexpected PHP or web shell artifacts
  • Endpoint process creation, command-line, parent-child process, and script execution telemetry
  • Windows service creation/modification and service-control execution records
  • Credential-access indicators such as LSASS access, SAM/registry access, and Mimikatz-like activity

Detection direction

  • Establish where Visual Studio Code tunnels or other IDE tunneling are legitimate, then alert on unauthorized hosts, service accounts, servers, or unusual destinations using those channels.
  • Correlate public-facing application anomalies with web shell creation, PHP execution, command shell activity, and outbound C2-like sessions.
  • Tune credential-dumping detections around LSASS/SAM access and Mimikatz-related behaviors while accounting for approved security testing or administration tools.
  • Correlate discovery commands, local group/account enumeration, RDP logons, service execution, and pass-the-hash indicators into lateral-movement storylines rather than isolated alerts.
  • Review blind spots where developer tools, remote administration, web content changes, or service-provider workflows are excluded from monitoring because they are considered normal.
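As an added illustration (not part of the ATT&CK record or Glexia's analysis), the following Python correlates the behaviors this page lists (a PHP parent spawning a command shell, `reg save` of the SAM hive, winsw or a "Visual Studio Code Service" creation, and IDE tunneling on hosts outside an approved list) over constructed process-creation records into a per-host storyline instead of isolated alerts. The allowlisted host, the record field names, and the `code tunnel` command-line form are assumptions.

```python
"""Correlate Operation Digital Eye behaviors over constructed process telemetry.
Added example for this page; not ATT&CK, SentinelOne or Glexia code."""
import re
from collections import defaultdict

# Assumption: hosts where IDE tunneling is an approved developer workflow.
TUNNEL_ALLOWLIST = {"dev-ws-07"}

# Constructed process-creation records (host, parent image, image, command line).
EVENTS = [
    {"host": "web-01", "parent": "php-cgi.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "web-01", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hive"},
    {"host": "web-01", "parent": "cmd.exe", "image": "winsw.exe",
     "cmdline": 'winsw.exe install "Visual Studio Code Service"'},
    {"host": "web-01", "parent": "services.exe", "image": "code.exe",
     "cmdline": "code.exe tunnel"},
    {"host": "dev-ws-07", "parent": "explorer.exe", "image": "code.exe",
     "cmdline": "code.exe tunnel"},          # approved developer workstation
]

# Each rule maps one page behavior to a predicate over a single event.
RULES = [
    ("webshell_spawned_shell",  # T1505.003 -> T1059.003: PHP parent launching a shell
     lambda e: e["parent"].lower().startswith("php")
     and e["image"].lower() in {"cmd.exe", "powershell.exe"}),
    ("sam_hive_export",  # T1003.002: reg save of the SAM hive
     lambda e: re.search(r"\breg(\.exe)?\s+save\b.*\bSAM\b", e["cmdline"], re.I)),
    ("vscode_as_service",  # T1543.003 / T1569.002: winsw or the service name from the page
     lambda e: "winsw" in e["image"].lower()
     or "visual studio code service" in e["cmdline"].lower()),
    ("ide_tunnel_unapproved",  # T1219.001 outside the allowlist (assumed 'code tunnel' form)
     lambda e: re.search(r"\bcode(\.exe)?\s+tunnel\b", e["cmdline"], re.I)
     and e["host"] not in TUNNEL_ALLOWLIST),
]

def evaluate(events):
    """Return {host: sorted list of rule names that fired} for hosts with any hit."""
    hits = defaultdict(set)
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits[e["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items()}

def storylines(events, min_rules=2):
    """Keep hosts where several stages fired together: a storyline, not isolated alerts."""
    return {h: r for h, r in evaluate(events).items() if len(r) >= min_rules}
```

Calling `storylines(EVENTS)` reports only web-01, because the allowlisted developer workstation's tunnel is suppressed and no other rule fires there.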

Mitigation priorities

  • Reduce exposure and patch/misconfiguration risk for public-facing applications and supporting databases or web platforms.
  • Restrict and monitor IDE tunneling and remote-development capabilities on production and service-provider systems.
  • Harden credential access paths: protect LSASS, limit local administrator reuse, and monitor SAM/registry access and credential-dumping tools.
  • Constrain lateral movement with least privilege, RDP governance, segmentation, and privileged-account controls.
  • Monitor and control persistence paths including web shells, SSH authorized_keys, and Windows service creation or modification.

Analyst notes and limits

The supplied ATT&CK record identifies suspected PRC-nexus actors, targeting of B2B IT service providers in Southern Europe during June and July 2024, use of Visual Studio Code tunnels for C2, custom lateral movement capabilities, and tooling overlap with prior China-nexus campaigns. Relationship context supplies the practical defensive map, especially around web shells, credential access, IDE tunneling, and lateral movement.

No official detection text, tactics, or campaign-level platforms are provided. Platform and telemetry recommendations are inferred only from the supplied related techniques and software, so organizations must validate applicability against their own assets, tool usage, logging coverage, and service-provider operating model.

Official MITRE ATT&CK definition

The same entry is available on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name, Relationship / procedure

Enterprise T1505.003 Web Shell (sub-technique)
During Operation Digital Eye, threat actors deployed a PHP-based webshell to maintain persistent access.[1]

Enterprise T1543.003 Windows Service (sub-technique)
During Operation Digital Eye, threat actors created a service named Visual Studio Code Service to run Visual Studio Code.[1]

Enterprise T1614.001 System Language Discovery (sub-technique)
During Operation Digital Eye, threat actors used the local language of targeted organizations to disguise file system activity.[1]

Enterprise T1106 Native API
During Operation Digital Eye, threat actors used native APIs such as `GetUserInfo`.[1]

Enterprise T1087.001 Local Account (sub-technique)
During Operation Digital Eye, threat actors used the local.exe tool to view local account information.[1]

Enterprise T1003.002 Security Account Manager (sub-technique)
During Operation Digital Eye, threat actors used `reg save` to retrieve credentials from the Security Account Manager (SAM) database.[1]

Enterprise T1003.001 LSASS Memory (sub-technique)
During Operation Digital Eye, threat actors targeted memory from the LSASS process to extract credentials.[1]

Enterprise T1018 Remote System Discovery
During Operation Digital Eye, threat actors used Ping for reconnaissance.[1]

Enterprise T1569.002 Service Execution (sub-technique)
During Operation Digital Eye, threat actors used the winsw tool to deploy a Visual Studio Code executable as a Windows service.[1]

Enterprise T1190 Exploit Public-Facing Application
During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers.[1]

Enterprise T1591 Gather Victim Org Information
During Operation Digital Eye, threat actors concealed malicious activity by using terms that aligned with the technological context of the targeted organization.[1]

Enterprise T1665 Hide Infrastructure
During Operation Digital Eye, threat actors used public cloud infrastructure to mask malicious activity.[1]

Enterprise T1098.004 SSH Authorized Keys (sub-technique)
During Operation Digital Eye, threat actors used SSH access enabled by authorized_keys files for remote execution.[1]

Enterprise T1021.001 Remote Desktop Protocol (sub-technique)
During Operation Digital Eye, threat actors moved laterally using RDP.[1]

Enterprise T1219.001 IDE Tunneling (sub-technique)
During Operation Digital Eye, threat actors created Visual Studio Code dev tunnels to access targeted endpoints through the browser-based version of Visual Studio Code.[1]

Enterprise T1588.002 Tool (sub-technique)
During Operation Digital Eye, threat actors used third-party tools, including custom implementations of Mimikatz.[1]

Enterprise T1070.004 File Deletion (sub-technique)
During Operation Digital Eye, threat actors deleted files delivered to compromised hosts, often named with the pattern do.* such as do.exe.[1]

Enterprise T1069.001 Local Groups (sub-technique)
During Operation Digital Eye, threat actors used the local.exe tool to view group memberships.[1]

Enterprise T1059.003 Windows Command Shell (sub-technique)
During Operation Digital Eye, threat actors used `cmd.exe` as the default method of execution for a custom version of Mimikatz named bK2o.exe.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (sub-technique)
During Operation Digital Eye, threat actors attempted to make filenames appear legitimate by tailoring them to the victim organization.[1]

Enterprise T1033 System Owner/User Discovery
During Operation Digital Eye, threat actors used `GetUserInfo` to identify current user information.[1]

Enterprise T1550.002 Pass the Hash (sub-technique)
During Operation Digital Eye, threat actors used a pass-the-hash capability to move laterally.[1]

Associated objects

Groups, software, and campaigns

Tool (Enterprise) S0097: Ping
Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]

Tool (Enterprise) S0002: Mimikatz
Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]
Platforms: Windows

Tool (Enterprise) S0225: sqlmap
sqlmap is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. [1]

Malware (Enterprise) S9028: PHPsert
PHPsert is a webshell used to execute PHP code that has been in use since at least 2023 against targets in Japan, Singapore, Peru, Taiwan, Iran, Republic of Korea, and the Philippines. PHPsert is not typically deployed as a standalone but integrated into web content such as text editors and content management systems.[1]
Platforms: Network Devices
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: ba63a4627c6e2e08...

Imported snapshots across ATT&CK releases (1)
Columns: Release, Bundle imported, Object version, Modified, Status, Raw hash
Release 19.1; Object version 1.0; Status: Current bundle; Raw hash ba63a4627c6e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] sentinelone operationDigitalEye Dec 2024
     Aleksandar Milenkoski, Luigi Martire. (2024, December 10). Operation Digital Eye | Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels. Retrieved February 27, 2025.
  2. [2] mitre-attack C0061

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.