SOC Incident Toolkit
Back to Campaigns
Tropic Trooper AdaptixC2 and VS Code Tunnel Campaign

Tropic Trooper AdaptixC2 and VS Code Tunnel Campaign

Tropic TrooperAPT23Earth CentaurAdaptixC2TOSHIS loaderVS Code tunnelsGitHub C2SumatraPDF trojanChinese targetingTaiwan espionagedefense contractor infiltration

A sophisticated cyber espionage campaign orchestrated by the Tropic Trooper APT group (APT23/Earth Centaur) targeting Chinese-speaking populations in Taiwan, South Korea, and Japan. The campaign utilizes trojanized SumatraPDF documents, TOSHIS loaders, AdaptixC2 beacons, and innovative persistence mechanisms, including Visual Studio Code tunnels, to maintain long-term access to government, military, and defense contractor networks.

Indicators of Compromise

Domains (1)

stg.lsmartv.com

Hashes (24)

2c65433696037f4ce0f8c9a1d78bdd6835c1b94d3c29c72a59133dd9eb23953211129fd8275a11b91a3b8dddb3c6e502b6b63edbbd618c9e1e10891fe666839650fa406833d70afdc2051635ccfdc0b48c260e7ceeee3f96bf026fea47c7ce0e3816647b23bb180725c7233e505f61c35e7776d47fd448009e88785719e3c4df728e3e657cb9496cd4aaf69648470b6367fcf5c21474d314aa0b27b0ce8befb23238d2f6b9ea9825eb61ae5e80e7365c89daa54fada8798c5f4e21738c8ea0b43936f522f187f8f67dda3dc88abfd170f6ba873af81fc31bbf1fdbcad1b2a7fbadb47733c224fc8c0f7edc61becb578e560435abb92a3a1cf5786b6e08643483387b77640cd44f84df1169dd00efde7af46b5714aeec65bac035789073b567753284b64ce0b95bbae62cf79e1479714238af0eb7401cc16d79d94c32da3f66df21d66ffd71603c146eaea92394e115cd6d5bab9ae1c6d088806229aae320e6c519c2d2210dbc94fe6c68dc2e33780e07596c3c06aa819ea460b3d12571fa755b6ba012e1713c9101c7329f8da4f2131eb497afe5f78d8d6e534df2b8d75c5b9b565c3ec17a323afe5355da26e2dc48ef24da000b8fc1354fa31ca9ae343be0f2077901ea5b5b9fb97d97892ac1a907e6+4 more

IPv4 (2)

47.76.236.58158.247.193.100

APT Groups

Pirate Panda

CN

Notes

<div><span id="docs-internal-guid-ea9b4db4-7fff-c78f-38cb-f2f20b7806fd"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">CONCLUSION</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tropic Trooper demonstrates advanced operational capabilities through their strategic deployment of trojanized legitimate software and innovative persistence mechanisms, showcasing the group's evolution toward more sophisticated evasion techniques targeting specific language and cultural demographics. The integration of development tools like VS Code tunnels for persistence represents a significant tactical advancement, exploiting the trust placed in legitimate development platforms to maintain long-term access. The campaign's impact extends across critical government and defense sectors in Taiwan, South Korea, and Japan, with particular emphasis on entities involved in cross-strait relations and regional security matters. The combination of social engineering, process hollowing, and legitimate service abuse creates substantial challenges for traditional security controls focused on signature-based detection. For comprehensive threat hunting, SOCRadar's IOC Radar capabilities should be leveraged to identify GitHub repositories and domain patterns associated with this campaign across enterprise environments. Dark Web Monitoring becomes essential for detecting exposed credentials that could facilitate initial access vectors beyond spearphishing. Continuous Cyber Threat Intelligence updates on Tropic Trooper TTPs will enhance detection accuracy for similar state-sponsored campaigns. Brand Protection services should monitor for domain registrations mimicking legitimate software distributors, while Attack Surface Management provides visibility into exposed development tools and remote access solutions that could be exploited for persistence.</span></p><div><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;"><br></span></div></span></div>

Mitigation

<span id="docs-internal-guid-946c1666-7fff-16a3-b2fe-6e30007be2b6"><h1 style="text-align: left; line-height: 1.2; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 16pt; font-family: Arial, sans-serif; color: rgb(46, 116, 181); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">MITRE ATT&amp;CK Mitigation Table</span></h1><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col><col></colgroup><tbody><tr style="height:0pt;"><td style="border-left:solid #000000 0.5pt;border-right:solid #000000 0.5pt;border-bottom:solid #000000 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;background-color:#4f81bd;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique ID</span></p></td><td style="border-left:solid #000000 0.5pt;border-right:solid #000000 0.5pt;border-bottom:solid #000000 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;background-color:#4f81bd;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique Name</span></p></td><td style="border-left:solid #000000 0.5pt;border-right:solid #000000 0.5pt;border-bottom:solid #000000 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;background-color:#4f81bd;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></td><td style="border-left:solid #000000 0.5pt;border-right:solid #000000 0.5pt;border-bottom:solid #000000 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;background-color:#4f81bd;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation ID</span></p></td><td style="border-left:solid #000000 0.5pt;border-right:solid #000000 0.5pt;border-bottom:solid #000000 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;background-color:#4f81bd;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Spearphishing Attachment</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1049/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1049</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #000000 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Antivirus/Antimalware — Deploy advanced email security solutions with behavioral analysis to detect trojanized PDF files and embedded malicious payloads before delivery to end users.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1566/001/">T1566.001</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Spearphishing Attachment</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Initial Access</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1017</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">User Training — Conduct specialized awareness training on APT tactics, focusing on trojanized legitimate software and PDF-based attacks targeting Chinese-speaking users.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1055/012/">T1055.012</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Process Hollowing</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion / Privilege Escalation</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1040/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1040</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Behavior Prevention on Endpoint — Implement EDR solutions capable of detecting process hollowing techniques and abnormal memory injections into legitimate processes like PDF readers.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1113/">T1113</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Screen Capture</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Collection</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1057/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1057</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Data Loss Prevention — Deploy DLP solutions to monitor and prevent unauthorized screenshot capture and sensitive document exfiltration from government and defense systems.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1102/001/">T1102.001</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Web Service: Dead Drop Resolver</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1031/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1031</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Intrusion Prevention — Block access to suspicious GitHub repositories and monitor for C2 communications over legitimate web services like GitHub and Microsoft platforms.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1021/007/">T1021.007</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remote Services: Cloud Services</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Lateral Movement</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1032/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1032</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;background-color:#f2f2f2;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Multi-factor Authentication — Enforce MFA on all cloud services and implement conditional access policies to prevent unauthorized VS Code tunnel access from compromised accounts.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/techniques/T1090/003/">T1090.003</a></span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Proxy: Multi-hop Proxy</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1037/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 238); font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">M1037</span></a></p></td><td style="border-left:solid #cccccc 0.5pt;border-right:solid #cccccc 0.5pt;border-bottom:solid #cccccc 0.5pt;border-top:solid #cccccc 0.5pt;vertical-align:top;padding:4pt 6pt 4pt 6pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.2;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 9pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — Monitor and restrict outbound connections to development tools and code repositories from non-development networks to detect tunnel abuse.</span></p></td></tr></tbody></table></div></span>