The Accidental C2: Exploring Dev Tunnels for Remote Access
ID: 9cc0b354-1995-5cfd-bc88-05c1a73c8c32
STIX ID: report--9cc0b354-1995-5cfd-bc88-05c1a73c8c32
Feed Name: SpecterOps Blog
This blog post analyzes VS Code Dev Tunnels end-to-end and shows that the service's multi-layered protocol (REST discovery and token issuance, WebSocket relay, SSH-over-WebSocket, and MsgPack RPC) can be leveraged as a command-and-control framework. The author details authentication flows (GitHub and Azure/Entra), exposes RPC commands that allow remote spawn/fs/sys operations, provides a PoC tool (Ouroboros), and highlights attack techniques including device-code phishing, refresh-token pivoting (FOCI/BroCI), theft of stored API tokens, persistence, and lateral movement opportunities.
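The post's main practical takeaway for defenders is that Dev Tunnels traffic has two distinct network layers: a control plane (the REST discovery and token endpoints) and a data plane (the WebSocket relay that carries SSH and MsgPack RPC). The check below, an added example that is not code from the SpecterOps post or from the Ouroboros tool, classifies proxy log hosts into those two layers so a hunt can separate "someone enumerated or authenticated to the tunnel service" from "a relay session was actually established". The domain suffixes it keys on (`*.devtunnels.ms` for the relay and `tunnels.api.visualstudio.com` for the API) are an assumption drawn from Microsoft's published Dev Tunnels connectivity requirements and should be verified against current vendor documentation; the log lines and their format are constructed for the example.

```python
"""Flag Dev Tunnels control-plane and relay hosts in proxy log lines.

Added example, not from the SpecterOps post. Indicator suffixes are an
assumption (Microsoft's documented Dev Tunnels connectivity domains, as
recalled); the sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in a simple "<timestamp> <user> <host>:<port>" format.
# The last line is a deliberate look-alike: a naive substring match on
# "devtunnels.ms" would flag it, a suffix match must not.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice update.microsoft.com:443
2024-05-01T10:00:05Z bob   8q1x2z3w-8080.euw.devtunnels.ms:443
2024-05-01T10:00:09Z alice github.com:443
2024-05-01T10:00:12Z carol global.rel.tunnels.api.visualstudio.com:443
2024-05-01T10:00:15Z dave  devtunnels.ms.evil.example:443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    user: str
    host: str
    layer: str  # "relay" (tunnel data plane) or "api" (REST control plane)


def classify_host(host: str) -> Optional[str]:
    """Map a hostname to a Dev Tunnels layer, or None if it is not one.

    Matching is on the full DNS suffix (assumed indicator domains), not on a
    substring, so attacker-controlled look-alikes do not false-positive.
    """
    h = host.lower().rstrip(".")
    # Assumed: relay endpoints that carry the WebSocket/SSH/RPC session.
    if h.endswith(".devtunnels.ms"):
        return "relay"
    # Assumed: REST API used for tunnel discovery and token issuance.
    if h == "tunnels.api.visualstudio.com" or h.endswith(".tunnels.api.visualstudio.com"):
        return "api"
    return None


def find_devtunnel_hits(log_text: str) -> List[Hit]:
    """Parse proxy log lines and return every Dev Tunnels-related connection."""
    hits: List[Hit] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line; skip rather than crash the hunt
        layer = classify_host(m["host"])
        if layer is not None:
            hits.append(Hit(m["ts"], m["user"], m["host"], layer))
    return hits


if __name__ == "__main__":
    for hit in find_devtunnel_hits(SAMPLE_LOG):
        print(f"{hit.ts} {hit.user:<6} {hit.layer:<5} {hit.host}")
```

Run against the constructed sample, the check reports bob's relay session and carol's API contact and ignores both the benign hosts and the look-alike domain. In a real environment an API hit without a following relay hit is worth a second look on its own, since token issuance with no tunnel session can indicate reconnaissance or a stolen token being validated.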
