
Exposing the Espionage Tactics of China-aligned Threat Actor TA415
China-aligned threat group TA415 has shifted tactics, leveraging Visual Studio Code Remote Tunnels to maintain covert access during
espionage campaigns tied to U.S.–China economic relations. This represents a shift from traditional webshells and backdoors to using
legitimate developer tools as entry points. The risk is not limited to government or policy targets—any business engaged in trade,
manufacturing, or research with exposure to U.S.–China commerce could be in scope.
The business impact of these tactics is profound. Stolen intellectual property, disrupted negotiations, and compromised email systems
translate into financial loss, reputational damage, and weakened competitive position. Imagine allowing an outside contractor to use your
office Wi-Fi for “development work,” only to find they left a hidden remote access tunnel that anyone could enter. That’s the danger TA415
poses with VS Code Remote Tunnels.
Organizations cannot assume espionage groups only target governments. Supply chains, think tanks, and multinational enterprises are equally
attractive. Leadership teams must ensure security strategy accounts for adversaries who repurpose trusted tools into attack channels. The
question for executives is not “Are we a target?” but “What would the consequences be if we were?”
Hunting Controls & Observations
Observing the behaviors associated with fake CAPTCHA pages requires looking at telemetry from multiple sources, as the attack chain spans from initial email delivery to web
browsing and finally to the potential for credential exfiltration.
- Endpoint EDR/AV Telemetry: This is the most critical source. Look for process creation events, especially those involving python[.]exe or code[.]exe (the VS Code executable) being spawned from unusual parent processes like a malicious LNK file. Monitor for command-line arguments that contain remote access parameters or file paths indicating a scheduled task creation.
- OS-level Event Logs (Windows Security): Event ID 4688 (a new process has been created) is crucial. Monitor for the creation of cmd[.]exe or powershell[.]exe with command-line arguments that download or execute suspicious files. Also, look for scheduled task creation events (Event ID 4698) which would show the schtasks[.]exe command with a new task being registered for persistence.
- Network logs (DNS, proxy, web gateway): Monitor for connections to domains associated with VS Code remote tunnels (*.tunnels.api.visualstudio[.]com) or Google APIs (sheets.googleapis[.]com, calendar.googleapis[.]com) that are initiated from non-standard systems, such as an end-user workstation that has not been approved for developer tools.
- Cloud provider audit logs (Azure): If the organization uses Azure, monitor for the creation of new schtasks or other persistence mechanisms. The AzureActivity table in Log Analytics can be used to monitor for administrative actions taken by potentially compromised credentials.
Additional observations of the attack included the following indicators:
- Command-line use of code tunnel --accept-server-license-terms.
- Network connections to Visual Studio tunnel endpoints from non-dev workstations.
- Scheduled tasks or scripts re-establishing tunnels after reboot.
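The hunting controls above, as an added example that is not part of the original article or the Proofpoint report: a small Python triage routine run over constructed Windows Security 4688/4698 events and DNS records. The host names, file paths, task name and the approved-developer-host inventory are assumptions; the tunnel command line, the domains and the loader name come from the text.

```python
import re
from fnmatch import fnmatch

# Constructed sample telemetry (not from the report): 4688 process creation, 4698 task creation, DNS.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "WS-0142", "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "CommandLine": r"python.exe C:\Users\alice\AppData\Local\Temp\whirlcoil.py"},
    # Masquerading (T1036.005): the VS Code CLI has been renamed, but its arguments still give it away.
    {"EventID": 4688, "Host": "WS-0142", "ParentProcessName": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Microsoft\msupdate.exe",
     "CommandLine": "msupdate.exe tunnel --accept-server-license-terms --name ws0142"},
    {"EventID": 4698, "Host": "WS-0142", "TaskName": r"\MsUpdate",
     "TaskContent": "<Command>msupdate.exe</Command><Arguments>tunnel --accept-server-license-terms</Arguments>"},
    {"EventID": "dns", "Host": "WS-0142", "Query": "uks1.tunnels.api.visualstudio.com"},
    {"EventID": "dns", "Host": "DEV-07", "Query": "uks1.tunnels.api.visualstudio.com"},  # approved dev box
    {"EventID": 4688, "Host": "DEV-07", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe", "CommandLine": "Code.exe ."},
]

TUNNEL_CLI = re.compile(r"\btunnel\b.*--accept-server-license-terms", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DEV_TOOLS = {"python.exe", "code.exe"}
C2_DOMAINS = ("*.tunnels.api.visualstudio.com", "sheets.googleapis.com", "calendar.googleapis.com")
APPROVED_DEV_HOSTS = {"DEV-07"}  # assumed inventory of workstations approved for developer tools

def classify(ev):
    """Return the ATT&CK-tagged findings raised by a single event (empty list if benign)."""
    findings = []
    if ev["EventID"] == 4688:
        proc, parent = (ev[k].rsplit("\\", 1)[-1].lower() for k in ("NewProcessName", "ParentProcessName"))
        if TUNNEL_CLI.search(ev.get("CommandLine", "")):  # matches even when code.exe is renamed
            findings.append("T1572: VS Code tunnel CLI arguments on command line")
        if proc in DEV_TOOLS and parent in SCRIPT_HOSTS:  # PowerShell spawning the Python loader
            findings.append(f"T1059.001: {proc} spawned by {parent}")
    elif ev["EventID"] == 4698 and TUNNEL_CLI.search(ev.get("TaskContent", "")):
        findings.append(f"T1053.005: task {ev['TaskName']} re-establishes the tunnel after reboot")
    elif ev["EventID"] == "dns" and ev["Host"] not in APPROVED_DEV_HOSTS:
        query = ev["Query"].lower()
        if any(fnmatch(query, pattern) for pattern in C2_DOMAINS):
            findings.append(f"T1102/T1572: {query} resolved from non-developer host")
    return findings

def hunt(events):
    """Group findings by host so one workstation showing several stages of the chain stands out."""
    per_host = {}
    for ev in events:
        for finding in classify(ev):
            per_host.setdefault(ev["Host"], []).append(finding)
    return per_host
```

Keying the tunnel rule on the command-line arguments rather than the image name is what keeps it effective against the renamed binary described under T1036.005.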
MITRE Enterprise ATT&CK Tactics and Techniques
The Static Tundra methodology aligns with several MITRE ATT&CK techniques, focusing on persistence and stealthy data exfiltration rather than noisy, destructive attacks.
Initial Access (TA0001):
- T1566.001: Spearphishing Attachment: Users receive a password-protected .zip archive via email. The password is often provided in the email body itself.
- T1204.002: Malicious File: The archive contains a malicious LNK file designed to execute a hidden PowerShell script.
Execution (TA0002):
- T1059.001: PowerShell Execution: A PowerShell command is used to download and execute a Python loader script (whirlcoil[.]py).
Persistence (TA0003):
- T1053.005: Scheduled Task: The Python loader creates a scheduled task for persistence, ensuring the remote access tool (VS Code remote tunnel) runs on a regular interval or upon system restart.
Defense Evasion (TA0005):
- T1036.005: Masquerading: The adversary renames the VS Code executable to blend in with legitimate system files.
- T1078: Legitimate Accounts: The attacker uses standard user accounts to run tools, as they do not always require administrative privileges.
Command and Control (TA0011):
- T1102: Web Service: The attacker uses legitimate web services like Google Sheets and Google Calendar to store C2 commands, making the traffic appear benign.
- T1572: Protocol Tunneling: The VS Code Remote Tunnel uses an authorized, outbound HTTPS connection to establish a persistent C2 channel that is difficult to distinguish from normal web browsing.
Source and Credits
This analysis is based on the threat intelligence report published by Proofpoint: "Going Underground: China-aligned TA415 conducts US-China economic relations-focused cyber espionage."
The information was last referenced on September 22, 2025.