Operation Dragon Whistle Uses VS Code Tunnels as C2

Operation Dragon Whistle abuses Visual Studio Code Remote Tunnels as a C2 channel, targeting Pakistani surveillance infrastructure and a Chinese university.

A spear-phishing campaign designated Operation Dragon Whistle has been found abusing Visual Studio Code Remote Tunnels — a legitimate Microsoft developer connectivity feature — as a command-and-control channel, routing attacker traffic through Microsoft’s trusted cloud infrastructure to evade enterprise security controls. Joe Security published analysis of the campaign on May 22, 2026, documenting attacks against two geographically and organizationally distinct targets: Changzhou University in China, and Pakistan’s Punjab Safe Cities Authority along with its affiliated PPIC3 — the government authority managing law enforcement-integrated CCTV and surveillance infrastructure across major Pakistani cities.

VS Code Remote Tunnels as a C2 Channel

Visual Studio Code Remote Tunnels allow developers to establish remote connections to machines running VS Code through Microsoft’s cloud relay infrastructure at vscode.dev. The feature is legitimate, widely used, and deeply integrated into enterprise software development workflows. Enterprise security policies almost universally permit traffic to vscode.dev because blocking it would disrupt software development operations.

Operation Dragon Whistle weaponizes this trust relationship. When the initial payload executes on a victim’s machine, it establishes a VS Code Remote Tunnel session, giving the attacker full interactive shell access to the compromised system via Microsoft’s cloud relay. Device authentication codes generated during that session setup are exfiltrated to the attacker via Discord webhooks — another widely permitted traffic channel. The attacker receives the authentication code, authenticates to the VS Code Remote Tunnel session through Microsoft’s infrastructure, and gains interactive access to the victim’s machine. Every packet of that C2 traffic passes through or to Microsoft-owned infrastructure that network security tools are configured to trust.

BunnyCDN Payload Staging and the ClickOnce .NET Chain

Infrastructure supporting the campaign uses BunnyCDN domains for payload staging alongside the Discord webhooks used for authentication code exfiltration. The campaign delivers malicious attachments in two forms targeting different victim profiles: a document named “CAD Report.doc” carries VBA macros that download and execute the VS Code Remote Tunnel payload; a file named “ANPR Report.pdf” displays fake Adobe Reader prompts that redirect victims to ClickOnce deployment files hosting .NET payloads. The ANPR filename — Automatic Number Plate Recognition — is directly relevant to the PSCA surveillance infrastructure target, whose camera systems include vehicle tracking capabilities integrated with law enforcement databases.

PSCA and PPIC3: What Access to Pakistan’s Surveillance Network Implies

The Punjab Safe Cities Authority manages CCTV and surveillance infrastructure across Pakistan’s major cities. Its affiliated PPIC3 — Punjab Police Integrated Command, Control and Communication Center — connects those camera feeds to real-time law enforcement operations. Access to PSCA and PPIC3 systems is not equivalent to compromising a commercial organization: the camera networks operate across Lahore, Rawalpindi, and other major urban centers with feeds connected to active police command infrastructure.

Intelligence collection objectives are the most credible interpretation of targeting that combines a Chinese academic institution with Pakistani law enforcement surveillance systems. The two target profiles share no industry or commercial relationship; what connects them as intelligence targets is the sensitivity of the data each controls — research and personnel data at Changzhou University, and camera network access credentials and police data systems at PSCA and PPIC3.

Attribution and the Dual-Target Intelligence Profile

Joe Security’s analysis does not assign Operation Dragon Whistle to a specific named threat actor. The combination of a Chinese academic target and Pakistani law enforcement infrastructure as simultaneous targets in a single campaign narrows the plausible actor set to entities with intelligence collection interests spanning both environments, but public attribution has not been established.

Why Living-Off-Trusted-Cloud-Services Defeats Traditional Network Controls

Operation Dragon Whistle’s C2 architecture represents a deliberate shift away from dedicated attacker infrastructure toward what can be characterized as living-off-trusted-cloud-services: using Microsoft’s VS Code relay, Discord’s webhook API, and BunnyCDN’s content delivery network as the operational backbone of the campaign. Traditional network security controls — IP reputation blocking, domain blocklists, TLS inspection of known-bad certificates — have no purchase against this model.

Blocking vscode.dev would disable legitimate development tools for every engineer in an organization. Blocking Discord webhooks would disrupt collaboration tools widely used in professional environments. Content delivery network traffic through BunnyCDN is indistinguishable in volume and behavior from the legitimate CDN traffic that every modern web application generates. Detection of this campaign cannot occur at the network perimeter level using conventional controls; it requires endpoint-level behavioral analysis capable of identifying the VS Code Remote Tunnel session establishment as anomalous in context — distinguishing a developer legitimately connecting to a remote machine from an attacker-established tunnel executing in a context where no developer activity should be occurring.

That distinction requires endpoint telemetry, process lineage analysis, and behavioral baselines — capabilities that are not uniformly present across the academic institutions and government authorities that Operation Dragon Whistle has chosen to target.
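As an added example (not code from Joe Security's report or from the campaign), the Python below applies the process-lineage detection the last two paragraphs call for to the tunnel set-up and Discord webhook exfiltration described earlier: it flags a VS Code tunnel launch whose parent is an Office or ClickOnce process rather than a developer's shell, and escalates when the same host then contacts a Discord webhook. The parent image names, sample hostnames, file paths and webhook path are assumptions.

```python
"""Constructed endpoint telemetry and a detection for VS Code Remote Tunnel
launches whose process lineage matches the delivery chains described above.
Added example, not code from Joe Security or the campaign."""
import re
from dataclasses import dataclass

# Assumed parent images: WINWORD.EXE for the macro .doc chain and dfsvc.exe
# (the ClickOnce deployment host) for the fake-PDF ClickOnce chain.
SUSPICIOUS_PARENTS = {"winword.exe", "dfsvc.exe", "powershell.exe", "cmd.exe"}
# The VS Code CLI starts a remote tunnel with `code tunnel`.
TUNNEL_CLI = re.compile(r'(?:^|[\\/])code(?:\.exe)?"?\s+tunnel\b', re.IGNORECASE)
WEBHOOK_HOST, WEBHOOK_PATH = "discord.com", "/api/webhooks/"

@dataclass
class ProcEvent:
    host: str
    parent: str    # parent image name
    cmdline: str

@dataclass
class NetEvent:
    host: str
    dest_host: str
    path: str

def tunnel_starts(events):
    """(host, reason) for each tunnel launch with a non-developer parent."""
    return [(e.host, f"tunnel spawned by {e.parent}") for e in events
            if TUNNEL_CLI.search(e.cmdline) and e.parent.lower() in SUSPICIOUS_PARENTS]

def correlate(proc_events, net_events):
    """Escalate flagged hosts that also POST to a Discord webhook (device-code exfil)."""
    flagged = dict(tunnel_starts(proc_events))
    return [(n.host, flagged[n.host] + "; Discord webhook contact, device code likely exfiltrated")
            for n in net_events
            if n.host in flagged and n.dest_host == WEBHOOK_HOST and n.path.startswith(WEBHOOK_PATH)]

# Constructed sample telemetry; hostnames, paths and webhook ids are placeholders.
SAMPLE_PROC = [
    ProcEvent("ws01", "explorer.exe", r"C:\Tools\code.exe tunnel --name ws01"),   # developer use
    ProcEvent("ws02", "WINWORD.EXE", r'"C:\Users\u\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms'),
    ProcEvent("ws03", "dfsvc.exe", r"C:\Users\u\AppData\Local\Temp\code.exe tunnel"),
]
SAMPLE_NET = [
    NetEvent("ws02", "discord.com", "/api/webhooks/PLACEHOLDER_ID/PLACEHOLDER_TOKEN"),
    NetEvent("ws01", "vscode.dev", "/"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_PROC, SAMPLE_NET))
```

The developer launch on ws01 is ignored because its parent is explorer.exe; ws03 is flagged on lineage alone, and ws02 is escalated because the Discord webhook contact follows the Word-spawned tunnel.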
