In September 2024, Palo Alto Unit 42 documented the first known instance of an APT abusing Visual Studio Code's built-in tunnel feature for espionage — the Chinese threat group Stately Taurus (Mustang Panda) used code.exe tunnel to create a reverse shell through Microsoft Azure infrastructure, accessing compromised Southeast Asian government networks through a signed Microsoft binary over encrypted HTTPS. SentinelLabs then reported Operation Digital Eye, in which a suspected Chinese APT targeted European IT service providers using the same VSCode tunnel technique in June and July 2024. In parallel, Akira ransomware operators adopted ngrok and Cloudflare Tunnel for encrypted C2 sessions that bypass perimeter monitoring, contributing to approximately $244 million in ransomware proceeds as of late September 2025 (CISA advisory AA24-109A, updated November 2025). Meanwhile, DNS tunneling remains a persistent threat, with tools like dnscat2, Iodine, and Sliver providing C2 channels that exploit the near-universal permissiveness of outbound DNS traffic. T1572 has no sub-techniques — it covers all forms of protocol encapsulation for network evasion.
T1572 falls under the Command and Control tactic (TA0011). The technique covers any scenario in which an adversary explicitly encapsulates one protocol within another to avoid detection, bypass network filtering, or reach systems that would otherwise be unreachable. This ranges from SSH port forwarding and DNS tunneling to ICMP encapsulation, HTTPS-wrapped C2, and the abuse of legitimate cloud tunneling services. The unifying characteristic is intentional encapsulation — the adversary is not simply choosing a protocol for convenience, but deliberately wrapping their traffic inside another protocol to exploit the trust that networks place in that outer protocol.
The technique spans all platforms — Windows, Linux, macOS, and Network Devices. T1572 has no sub-techniques because the tunneling methods are highly diverse in protocol choice and implementation, but share the same strategic purpose: making malicious traffic invisible to network-level defenses by hiding it inside allowed traffic.
How Adversaries Tunnel Traffic
SSH Tunneling (Port Forwarding)
SSH tunneling is one of the oldest and most reliable protocol tunneling methods. An adversary with SSH access to a compromised host can forward arbitrary traffic through the encrypted SSH connection, effectively creating a VPN-like channel that is invisible to network inspection (since the traffic appears as standard SSH on port 22). There are three primary SSH tunneling modes: local port forwarding (ssh -L), which maps a local port to a remote service through the SSH tunnel; remote port forwarding (ssh -R), which exposes an internal service through the SSH server; and dynamic port forwarding (ssh -D), which creates a SOCKS proxy through the tunnel.
Adversaries use SSH tunneling extensively for lateral movement and persistence. Volt Typhoon, the Chinese state-sponsored group targeting U.S. critical infrastructure, used OpenSSH on compromised systems to create tunnels for moving between segmented network zones. The Stately Taurus campaign documented by Unit 42 used sshd.exe for lateral file transfers alongside VSCode tunneling. Tools like Plink (PuTTY Link), a command-line SSH client for Windows, are frequently observed in post-exploitation activity because they allow SSH tunneling on systems where OpenSSH may not be installed. The Abyss Locker ransomware group has been documented using SSH tunneling as a core operational technique.
DNS Tunneling
DNS tunneling exploits the near-universal permissiveness of outbound DNS traffic. Because DNS is essential for internet connectivity, firewalls and network devices almost always allow DNS queries to pass through, even in highly restricted environments. Adversaries abuse this by encoding data into DNS queries — typically as long subdomain strings (e.g., encoded-data-here.attacker-domain.com) — and decoding the responses from an attacker-controlled authoritative DNS server. The encoding methods include Base32, Base64, and binary 8-bit encoding, with data embedded in various record types including A, AAAA, TXT, CNAME, and MX records.
DNS tunneling tools have matured into capable C2 platforms. dnscat2 provides an encrypted command-and-control channel over DNS with session management, command execution, and file transfer capabilities. It supports multiple record types and can operate either by traversing the full DNS hierarchy (harder to block) or connecting directly to the server via raw UDP. Iodine creates a full IPv4 tunnel through DNS, establishing a virtual network interface between client and server — effectively a VPN over DNS. Sliver, the cross-platform C2 framework increasingly used by both red teams and threat actors, includes native DNS tunneling capabilities. Cobalt Strike also supports DNS-based C2 beacons, which have been among the most commonly detected DNS tunneling families in the wild. DNS over HTTPS (DoH) adds an additional complication, as queries encapsulated within encrypted HTTPS packets cannot be inspected by traditional DNS monitoring. The Godlua malware was among the first documented cases of using DoH for C2 communication.
Cloud Tunneling Services (ngrok, Cloudflared, frp)
ngrok is a cross-platform tunneling application that exposes local server ports to the internet through the ngrok relay network. A single command — ngrok tcp 3389 — creates a publicly accessible endpoint that tunnels directly to a local RDP service, bypassing NAT, firewalls, and all perimeter controls. The traffic is encrypted and routed through ngrok's infrastructure using random subdomains (e.g., 0.tcp.ngrok.io:12345), making it difficult to distinguish from legitimate developer use. Multiple threat actors have adopted ngrok, with the MAZE ransomware group documented using it to tunnel RDP connections as early as 2020. More recently, the CISA advisory on Akira ransomware (updated November 2025) documented Akira operators using ngrok to establish encrypted C2 sessions that bypass perimeter monitoring. Cadet Blizzard (a Russian threat actor), Scattered Spider, APT34 (Earth Simnavaz), and LazyScripter have all been documented using ngrok in their operations.
Cloudflare Tunnel (Cloudflared) has emerged as an alternative to ngrok that offers even more capabilities at no cost. An adversary creates a tunnel through the Cloudflare dashboard, then executes a single command on the victim machine: cloudflared tunnel run --token <token>. This establishes an outbound HTTPS (HTTP/2 or QUIC) connection to Cloudflare's edge servers. The adversary can then configure the tunnel to expose internal services — RDP, SMB, SSH, HTTP — through the Cloudflare console. Cloudflared stores no logs on the tunnel server by default, and the tunnel can be enabled or disabled remotely without touching the victim machine. Proofpoint documented increased abuse of TryCloudflare (Cloudflare's free, no-account-required tunnel feature) starting in February 2024, with threat actors using it to deliver remote access trojans including XWorm. The Akira ransomware group uses Cloudflare Tunnel alongside AnyDesk, MobaXterm, and RustDesk for C2.
frp (Fast Reverse Proxy) is an open-source reverse proxy tool popular with Chinese-speaking threat actors. It supports TCP, UDP, HTTP, and HTTPS tunneling with encryption and compression. Several Chinese APT groups, including those targeting Southeast Asian government entities, have deployed frp for establishing persistent tunneled access to compromised networks.
Visual Studio Code and Development Tunnels
The weaponization of VSCode's Remote Tunnel feature represents one of the most significant T1572 developments in 2024. VSCode tunnels are part of Microsoft's Remote Development feature, which allows developers to access and work on remote systems through Visual Studio Code. The tunnels are established via Microsoft Azure infrastructure, with executables signed by Microsoft — meaning the tunnel binary passes application whitelisting, the traffic is encrypted HTTPS to Microsoft-owned domains, and the authentication is through legitimate GitHub or Microsoft Entra ID accounts.
An adversary who has gained code execution on a target system runs code.exe tunnel (using either the portable version or an existing installation). This generates a device authentication code. After the adversary authenticates with their GitHub account, they gain a full Visual Studio Code web environment connected to the compromised machine — effectively a Microsoft-signed reverse shell with file access, command execution, and script deployment capabilities. The Stately Taurus (Mustang Panda) campaign documented by Unit 42 in September 2024 was the first known APT use of this technique, targeting government entities in Southeast Asia. The attackers maintained persistence through a scheduled task that executed a batch script called startcode.bat, ensuring the tunnel reconnected automatically. SentinelLabs subsequently documented Operation Digital Eye (June–July 2024), in which a suspected Chinese APT targeted European IT service providers using the same VSCode tunnel technique, with operator activity timestamps consistent with China Standard Time (UTC+8) work hours.
ICMP Tunneling
ICMP tunneling encapsulates data within ICMP echo request and reply packets (the packets used by the ping command). Because ICMP is a network management protocol that many firewalls allow by default, it provides another channel for covert communication. The available bandwidth is low compared to TCP or UDP tunnels, but ICMP tunneling can operate in environments where essentially all other outbound traffic is blocked. Tools like Heyoka use ICMP spoofing to attempt evasion of firewall-level detection, though this generates significantly more traffic that is detectable at the endpoint level. ICMP tunneling has been observed in combination with other tunneling methods, providing a fallback channel when primary C2 channels are blocked.
Why Protocol Tunneling Matters
Firewall and IDS Bypass
The fundamental purpose of protocol tunneling is to defeat network-level defenses. When C2 traffic is encapsulated within DNS, it passes through firewalls that allow DNS. When it is routed through Microsoft Azure (VSCode tunnels) or Cloudflare (Cloudflared), it appears as legitimate encrypted traffic to trusted cloud providers. When SSH tunneling routes RDP traffic through port 22, network monitoring that blocks direct RDP connections is rendered ineffective. The result is that organizations that have invested heavily in perimeter security can be completely blind to ongoing C2 communications, lateral movement, and data exfiltration happening through their approved protocols.
Legitimate Tool Camouflage
The shift toward tunneling through legitimate developer tools has made detection significantly harder. ngrok is used by developers for testing webhooks and exposing local services. Cloudflared is used for legitimate Cloudflare integration. VSCode tunnels are used for remote development. These tools are signed by their vendors, distributed through official channels, and generate traffic patterns that are functionally identical whether the user is a developer or a threat actor. Traditional detection approaches based on binary reputation, signature matching, or domain blocking cannot distinguish malicious use from legitimate use without additional behavioral context.
Persistence Through Reconnection
Tunneling services provide built-in persistence capabilities. Cloudflared can be installed as a system service that automatically reconnects after reboot. ngrok configuration files can define multiple tunnels that start automatically. VSCode tunnels can be maintained through scheduled tasks. SSH tunnels can be wrapped in autossh or systemd services for automatic reconnection. This means that even if an incident responder identifies and terminates a tunneling process, it may restart automatically — and because the configuration often contains only a token or session identifier (not the full C2 infrastructure details), the responder may struggle to identify the adversary's upstream infrastructure.
Multi-Protocol and Multi-Tactic Utility
Protocol tunneling is not limited to C2 communications. The same tunnel can be used for initial access (exposing an internal service to the internet), lateral movement (accessing services across network segments), persistence (maintaining a reconnecting channel), data exfiltration (uploading stolen data through the tunnel), and defense evasion (routing traffic through trusted protocols to avoid detection). This multi-tactic utility makes T1572 a force multiplier: a single tunnel can serve every phase of the attack lifecycle from initial foothold through mission completion.
Real-World Case Studies
Case 1: Stately Taurus / Operation Digital Eye — VSCode Tunnels for Government Espionage (2024)
In September 2024, Palo Alto Networks Unit 42 published the first documented case of an APT weaponizing Visual Studio Code's tunnel feature. The Chinese threat group Stately Taurus (also tracked as Mustang Panda, Earth Preta, and Camaro Dragon) targeted government entities in Southeast Asia using code.exe tunnel to establish a reverse shell through Microsoft Azure infrastructure. The attackers used the portable version of VSCode, authenticated with their own GitHub accounts, and gained full remote access to compromised systems — file browsing, command execution, and script deployment — through the VSCode web interface. They maintained persistence through a scheduled task executing startcode.bat and used the tunnel for both reconnaissance and data exfiltration (archiving files with RAR and uploading to Dropbox via curl). The same environment showed evidence of a second threat cluster using ShadowPad, suggesting possible collaboration between Chinese APT groups. SentinelLabs subsequently documented Operation Digital Eye (June–July 2024), in which a separate suspected Chinese APT used the identical VSCode tunnel technique against European IT service providers, confirming that the technique was spreading across the Chinese threat ecosystem.
Case 2: Akira Ransomware — ngrok and Cloudflared for Encrypted C2 (2024–2025)
The joint CISA/FBI/Europol advisory on Akira ransomware (AA24-109A, updated November 2025) documented Akira operators using ngrok to initiate encrypted tunnel sessions that bypass perimeter monitoring. Akira threat actors combine ngrok with Cloudflare Tunnel, AnyDesk, MobaXterm, and RustDesk for establishing C2 channels. The ransomware operation has claimed approximately $244 million in proceeds as of late September 2025 and has targeted organizations across communications, energy, transportation, and healthcare sectors. The advisory noted that Akira operators use PowerShell and WMI alongside their tunneling utilities, and leverage FileZilla, WinRAR, WinSCP, and Rclone for data collection and exfiltration through their tunneled channels. The combination of multiple tunneling methods provides redundancy: if one tunnel is detected and blocked, others remain operational.
Case 3: Volt Typhoon — SSH Tunneling Across Critical Infrastructure (2023–2025)
Volt Typhoon, the Chinese state-sponsored group that has pre-positioned itself within U.S. critical infrastructure for potential disruption, uses SSH tunneling as a core operational technique. The February 2024 CISA advisory (AA24-038A) documented Volt Typhoon maintaining access to victim IT environments for at least five years, using living-off-the-land techniques including SSH for lateral movement and traffic tunneling across network segments. Volt Typhoon used netsh portproxy for local port forwarding in combination with SSH tunnels to reach segmented operational technology (OT) networks that are not directly connected to the internet. The group's operational security is notable: all tools used are legitimate system utilities, the tunneling creates no new binaries on disk, and the traffic patterns are designed to blend with normal administrative SSH usage. The August 2025 joint advisory on Salt Typhoon (AA25-239A) documented a related PRC campaign using GRE/IPsec tunnels to conceal C2 and exfiltration from compromised telecommunications routers, confirming that protocol tunneling is a standard operating procedure across Chinese state-sponsored groups.
Case 4: Cloudflare Tunnel Abuse — RAT Delivery at Scale (2024)
Proofpoint documented an increasing trend of threat actors abusing Cloudflare's TryCloudflare feature for malware delivery, beginning in February 2024 with activity intensifying through the summer. The attackers used TryCloudflare's one-time tunnel creation (which requires no account) to generate random subdomains of trycloudflare.com, then used these tunnels to host malicious WebDAV file shares. The attack chain began with a phishing email containing a URL or attachment leading to an internet shortcut (.URL) file. When executed, this established a connection to the Cloudflare-tunneled WebDAV share to download LNK or VBS files, which then executed BAT or CMD files to download Python installers and malicious scripts. The primary payload was XWorm RAT. The technique provided attackers with disposable infrastructure: each tunnel is temporary, costs nothing, requires no identifying information, and can be spun up and torn down in minutes. This has made Cloudflare tunnel abuse a preferred method for large-scale phishing-to-RAT campaigns.
Case 5: DNS Tunneling — The Persistent Covert Channel
DNS tunneling remains one of the most enduring and difficult-to-eradicate forms of protocol tunneling. Cobalt Strike DNS beacons are among the most commonly observed DNS tunneling families in enterprise environments. OilRig (APT34), the Iranian threat group, has used DNS tunneling extensively, including steganographic techniques that embed data within DNS query structures to further obfuscate the communication. The Sandworm group (GRU Unit 74455), responsible for attacks on Ukrainian critical infrastructure including the CRASHOVERRIDE industrial control system attack, has employed DNS tunneling and protocol tunneling through various channels. The open-source tool landscape continues to evolve: Iodine provides full IPv4 tunneling over DNS, dnscat2 provides encrypted C2, Sliver includes native DNS C2 capabilities, and newer tools like DNSStager, dnstt, and Heyoka continue to push the boundary of what can be transmitted through DNS queries. Research from Infoblox in 2025 documented the increasing use of DNS tunneling combined with lookalike domains, making both the tunnel and the domain appear legitimate.
Detection Strategies
Detecting protocol tunneling requires monitoring at multiple layers — network traffic, process execution, and service configuration. The following table identifies the primary data sources and their detection value:
| Data Source | Detection Focus | Key Indicators |
|---|---|---|
| Network Traffic Content | Payload anomalies | DNS queries with high entropy subdomain strings, unusually large DNS TXT records, ICMP packets with oversized payloads, application protocols that violate expected syntax |
| Network Traffic Flow | Volumetric anomalies | Asymmetric client/server data ratios, sustained DNS query volumes to single domains, periodic beaconing intervals, large outbound data transfers over normally low-volume protocols |
| Network Connection Creation | Tunnel establishment | Connections to tunnel service domains (*.ngrok.io, *.trycloudflare.com, *.devtunnels.ms, *.tunnels.api.visualstudio.com), SSH on non-standard ports, outbound connections from unexpected processes |
| Process Creation (Sysmon EID 1) | Tunnel process execution | ngrok.exe, cloudflared.exe, code.exe with tunnel arguments, plink.exe, ssh.exe with port forwarding flags (-L, -R, -D), frpc.exe, iodine.exe, chisel.exe |
| Command Execution | Tunnel configuration | ngrok tcp 3389, code.exe tunnel, cloudflared tunnel run --token, ssh -L/-R/-D, netsh interface portproxy add |
| Windows Service (EID 7045) | Persistent tunnels | New services registered for cloudflared, ngrok, code.exe tunnel, or SSH clients; services with tunnel-related command lines |
| DNS Query Logs | DNS tunneling indicators | High unique subdomain count per domain, query volume spikes to single domains, unusual record types (TXT, NULL), high Shannon entropy in query names, queries to newly registered domains |
Splunk / SIEM Detection Queries
Detect tunnel tool execution on Windows (ngrok, Cloudflared, VSCode tunnel, Plink, Chisel, frp):
```spl
index=sysmon EventCode=1
    (OriginalFileName IN ("ngrok*", "cloudflared*", "chisel*", "frpc*", "plink*", "iodine*")
     OR (OriginalFileName="code.exe" AND CommandLine="*tunnel*")
     OR (OriginalFileName="devtunnel*")
     OR CommandLine IN ("*ngrok*tcp*", "*ngrok*http*", "*ngrok*authtoken*",
                        "*cloudflared*tunnel*run*--token*", "*code*tunnel*",
                        "*plink*-L*", "*plink*-R*", "*plink*-D*",
                        "*ssh*-L*", "*ssh*-R*", "*ssh*-D*",
                        "*chisel*client*"))
| stats count by Computer, User, ParentImage, Image, CommandLine
| sort -count
```
Detect DNS tunneling indicators via high unique subdomain volume:
```spl
index=dns (sourcetype=stream:dns OR sourcetype=dns)
| rex field=query "^(?<subdomain>[^\.]+)\.(?<root_domain>.+)$"
| stats dc(subdomain) as unique_subdomains, count as query_count,
        values(query_type) as record_types by root_domain, src_ip
| where unique_subdomains > 100 AND query_count > 500
| eval uniqueness_indicator=if(unique_subdomains/query_count > 0.8, "HIGH", "NORMAL")
| where uniqueness_indicator="HIGH"
| sort -unique_subdomains
```
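An offline version of the unique-subdomain check above that also computes the Shannon entropy of the query labels listed in the data-source table, so the two signals can be tuned together before a SIEM rule goes live. This is an added example and not code from the page or from any product. The log lines are constructed (one host doing normal lookups, one host emitting base32-looking labels to a single domain, as dnscat2 or Iodine traffic looks), the registrable domain is assumed to be the last two labels (a real deployment needs a public suffix list), and every threshold is an assumption to be baselined per environment.

```python
"""Offline DNS-tunnelling triage: unique-subdomain ratio plus label entropy.

Added example. Input lines are constructed "<epoch> <src_ip> <qname> <qtype>"
records; the registrable domain is assumed to be the last two labels, and the
thresholds are assumptions to be tuned against each environment's baseline.
"""
import base64
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text: str) -> float:
    """Bits per character of the text's symbol distribution (0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split a log line into (src_ip, root_domain, subdomain, qtype)."""
    _ts, src, qname, qtype = line.split()
    labels = qname.rstrip(".").lower().split(".")
    root = ".".join(labels[-2:])        # assumption: registrable domain = last two labels
    sub = ".".join(labels[:-2])
    return src, root, sub, qtype


def profile(lines):
    """Aggregate per (src_ip, root_domain): query count, unique subdomains, entropy, lengths, types."""
    stats = defaultdict(lambda: {"count": 0, "subs": set(), "entropy": 0.0, "length": 0, "types": set()})
    for line in lines:
        src, root, sub, qtype = parse_line(line)
        s = stats[(src, root)]
        s["count"] += 1
        s["subs"].add(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["length"] += len(sub)
        s["types"].add(qtype)
    return stats


def flag_tunnels(lines, min_queries=100, min_unique=50, min_ratio=0.8, min_entropy=3.5):
    """Return {(src_ip, root_domain): summary} for pairs whose queries look like encoded data."""
    flagged = {}
    for key, s in profile(lines).items():
        unique = len(s["subs"])
        ratio = unique / s["count"]             # same ratio as the SIEM query's uniqueness test
        mean_entropy = s["entropy"] / s["count"]
        if (s["count"] >= min_queries and unique >= min_unique
                and ratio >= min_ratio and mean_entropy >= min_entropy):
            flagged[key] = {
                "queries": s["count"],
                "unique_subdomains": unique,
                "uniqueness": round(ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_subdomain_len": round(s["length"] / s["count"], 1),
                "record_types": sorted(s["types"]),
            }
    return flagged


def _encoded_label(i: int) -> str:
    """Deterministic stand-in for a base32-encoded data chunk, the shape tunnelling tools emit."""
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()


# Constructed sample log (not a real capture): normal lookups from one host, tunnel-like traffic from another.
SAMPLE_LOG = [f"17000000{i:03d} 10.1.1.5 {('www', 'mail', 'sso', 'cdn')[i % 4]}.corp.example A"
              for i in range(300)]
SAMPLE_LOG += [f"17000001{i:03d} 10.1.1.7 {_encoded_label(i)}.t.tunnel.example TXT"
               for i in range(200)]

if __name__ == "__main__":
    for key, summary in flag_tunnels(SAMPLE_LOG).items():
        print(key, summary)
```

The benign host repeats four hostnames 300 times (uniqueness 0.01, entropy around 2 bits); the tunnel-like host never repeats a label and its labels sit near the 5-bit ceiling of a 32-symbol alphabet. Requiring both a high uniqueness ratio and high entropy keeps CDN and telemetry domains with many distinct but low-entropy hostnames from tripping the rule.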
Detect connections to known tunnel service infrastructure:
```spl
(index=proxy OR index=firewall OR index=dns)
    (dest_domain="*.ngrok.io" OR dest_domain="*.ngrok-free.app"
     OR dest_domain="*.trycloudflare.com" OR dest_domain="*.cloudflare-gateway.com"
     OR dest_domain="*.devtunnels.ms"
     OR dest_domain="*.tunnels.api.visualstudio.com"
     OR dest_domain="s3.amazonaws.com/dns.ngrok.com*"
     OR dest_domain="update.code.visualstudio.com"
     OR query="*.ngrok.io" OR query="*.trycloudflare.com"
     OR query="*.devtunnels.ms")
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen,
        values(src_ip) as sources by dest_domain
| convert ctime(first_seen) ctime(last_seen)
| sort -count
```
Detect SSH tunneling via port forwarding arguments on Linux/macOS:
```spl
index=linux (sourcetype=auditd OR sourcetype=syslog)
    (process_name="ssh" OR process_name="sshd" OR process_name="autossh")
    AND (cmdline="*-L *" OR cmdline="*-R *" OR cmdline="*-D *"
         OR cmdline="*-N *" OR cmdline="*-f *"
         OR cmdline="*LocalForward*" OR cmdline="*RemoteForward*"
         OR cmdline="*DynamicForward*")
| stats count by host, user, process_name, cmdline, dest_ip, dest_port
| where count > 3
| sort -count
```
Threat Actors and Tools
State-Sponsored Groups
| Actor | Tunneling Methods | Notable Context |
|---|---|---|
| Volt Typhoon (PRC) | SSH tunneling, netsh portproxy | Five-year access to U.S. critical infrastructure; LOTL approach |
| Salt Typhoon (PRC) | GRE/IPsec tunnels | Telecommunications espionage; tunnels on compromised backbone routers |
| Stately Taurus / Mustang Panda (PRC) | VSCode tunnels, SSH, frp | First documented APT use of VSCode tunnel (Sept 2024) |
| Operation Digital Eye (PRC) | VSCode tunnels | Targeted European IT service providers (June–July 2024) |
| APT34 / OilRig (Iran) | DNS tunneling, ngrok | Steganographic DNS C2; ngrok for Middle East operations |
| Pioneer Kitten / Fox Kitten (Iran) | ngrok, SSH tunneling | Sold compromised network credentials; ngrok for BIG-IP access |
| Sandworm (Russia / GRU) | Protocol tunneling, DNS tunneling | CRASHOVERRIDE ICS attack; Ukrainian infrastructure targeting |
| Cadet Blizzard (Russia) | ngrok | Destructive operations against Ukrainian targets |
| APT40 / Leviathan (PRC) | SSH tunneling, web shells | Maritime and defense sector espionage |
Ransomware and Cybercrime
| Group / Malware | Tunneling Methods | Notable Context |
|---|---|---|
| Akira | ngrok, Cloudflare Tunnel | $244M+ proceeds; CISA advisory updated Nov 2025 |
| MAZE | ngrok (RDP tunneling) | Early documented ransomware use of ngrok (2020) |
| Black Basta | ngrok, Cobalt Strike DNS | QakBot/Brute Ratel/Cobalt Strike delivery chain |
| Abyss Locker | SSH tunneling | SSH as primary C2 mechanism (Sygnia, Feb 2025) |
| Scattered Spider | ngrok, Cloudflare Tunnel | Social engineering plus tunneling for persistence (CISA AA23-320A) |
| FIN7 | SSH tunneling, ngrok | U.S. automotive industry targeting (2024) |
Tunneling Tools and Frameworks
| Tool | Protocol | Key Capability |
|---|---|---|
| ngrok | TCP/HTTP/HTTPS | Instant public endpoint for local services; random subdomains |
| Cloudflared | HTTPS (HTTP/2, QUIC) | Token-based tunnel; Cloudflare Access controls; no on-disk logs |
| VSCode Tunnel | HTTPS (Azure) | Microsoft-signed binary; GitHub auth; full IDE capabilities |
| dnscat2 | DNS (A, TXT, CNAME, MX) | Encrypted C2 over DNS; session management; Metasploit integration |
| Iodine | DNS (TUN/TAP) | Full IPv4 tunnel over DNS; virtual network interface |
| Sliver | DNS, mTLS, HTTP/S, WireGuard | Cross-platform C2 framework with native DNS tunneling |
| Cobalt Strike | DNS, HTTP/S, SMB | Malleable DNS beacon profiles; widely used by threat actors |
| Plink (PuTTY) | SSH | Windows SSH client; common in post-exploitation for tunneling |
| frp (Fast Reverse Proxy) | TCP/UDP/HTTP/HTTPS | Open-source; popular with PRC-linked threat actors |
| Chisel | HTTP/HTTPS (WebSocket) | HTTP tunnel over WebSocket; single binary client/server |
| Neo-reGeorg | HTTP/HTTPS (web shell) | Web shell-based tunnel; successor to reGeorg |
Defensive Recommendations
- Monitor and restrict tunnel service domains. Block or alert on connections to tunnel service infrastructure including *.ngrok.io, *.ngrok-free.app, *.trycloudflare.com, *.devtunnels.ms, and *.tunnels.api.visualstudio.com. Where legitimate use exists, implement allowlisting by user or system rather than permitting organization-wide access. Note that these domains are legitimate — the goal is to restrict unauthorized use, not block the services entirely for users with valid requirements.
- Deploy DNS monitoring and analytics. DNS tunneling leaves statistical fingerprints that differ from legitimate DNS traffic. Monitor for high unique subdomain counts per domain, unusual Shannon entropy in query names, abnormal query volumes to single domains, and queries using uncommon record types (TXT, NULL, CNAME in rapid succession). Deploy a DNS security solution capable of detecting known tunneling tool signatures (Iodine, dnscat2, DNS2TCP, Sliver) and behavioral anomalies that indicate novel tools.
- Implement process monitoring for tunnel binaries. Use Sysmon (Event ID 1) or equivalent endpoint detection to alert on execution of ngrok.exe, cloudflared.exe, code.exe with tunnel arguments, plink.exe with forwarding flags, chisel, frpc, and iodine. Create detection rules for new service installations (Event ID 7045) that reference tunnel tool binaries. For VSCode tunnels specifically, restrict access through Group Policy (the Dev Tunnels administrative template files) to authorized users only.
- Enforce network segmentation with encrypted traffic inspection. Protocol tunneling is most dangerous when it bridges segmented network zones. Deploy TLS/SSL inspection at segment boundaries for outbound traffic, implement break-and-inspect for SSH where operationally feasible, and ensure that critical network segments (OT, finance, executive) have outbound traffic monitoring that can detect tunnel establishment regardless of the protocol used.
- Monitor SSH usage patterns. Establish baselines for legitimate SSH usage including normal source/destination pairs, connection durations, and data transfer volumes. Alert on SSH connections with port forwarding flags (-L, -R, -D), SSH connections from unexpected processes or users, SSH sessions with abnormally long durations or high data volumes, and autossh or ssh-agent processes on systems where they are not expected.
- Detect asymmetric traffic patterns. Protocol tunneling for data exfiltration or interactive C2 creates traffic patterns where a client sends significantly more data than it receives (or vice versa) compared to the expected behavior for that protocol. DNS queries should have small requests and small responses — DNS tunneling creates large queries and/or responses. ICMP echo should have small, regular payloads — ICMP tunneling creates oversized or irregular payloads.
- Implement application-level egress controls. Beyond port-based firewalling, deploy application-aware firewalls or proxies that can identify the application protocol within traffic and block protocol violations. This helps detect scenarios where, for example, non-DNS traffic is encapsulated within DNS queries, or non-HTTP content is tunneled through an HTTP connection.
- Retire end-of-life network devices and restrict SOHO router exposure. Volt Typhoon's KV-Botnet specifically targeted end-of-life SOHO routers as tunnel relay infrastructure. Ensure that edge devices are running supported firmware, disable unnecessary remote management interfaces, and segment IoT/SOHO devices from the corporate network to prevent them from being used as tunnel endpoints.
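The asymmetric-traffic and ICMP recommendations above come down to comparing each flow against the shape its protocol should have. The script below encodes those per-protocol expectations over aggregated flow records; it is an added example, not code from the page or from any product. The flow records are constructed, and the thresholds (a plain ping carries 32 or 56 payload bytes, DNS queries are typically well under 150 bytes, and a 10:1 upload ratio over a client protocol is unusual) are assumptions to be baselined per environment.

```python
"""Per-protocol traffic-shape checks over aggregated flow records (added example).

Each flow is one constructed dict summarising a client/server pair over an
aggregation window. The expectations encoded here are assumptions: tune them
against a real baseline before alerting on them.
"""
from typing import Dict, List, Tuple

MAX_PING_PAYLOAD = 64          # bytes; Linux ping sends 56, Windows ping 32
MAX_DNS_QUERY_BYTES = 150      # average bytes per outbound DNS packet
MAX_DNS_RESPONSE_BYTES = 400   # average bytes per inbound DNS packet
ICMP_PACKET_BURST = 1000       # echo requests in one aggregation window
UPLOAD_RATIO = 10.0            # bytes_out / bytes_in
UPLOAD_MIN_BYTES = 10_000_000  # ignore small asymmetric flows


def check_flow(flow: Dict) -> List[str]:
    """Return findings for one aggregated flow; an empty list means the shape matches expectations."""
    findings = []
    proto = flow["proto"]
    out_per_pkt = flow["bytes_out"] / max(flow["pkts_out"], 1)
    in_per_pkt = flow["bytes_in"] / max(flow["pkts_in"], 1)
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)

    if proto == "udp" and flow.get("dport") == 53:
        # DNS should be small in both directions; tunnels inflate the query name and the answer.
        if out_per_pkt > MAX_DNS_QUERY_BYTES:
            findings.append(f"dns_oversized_queries:{out_per_pkt:.0f}B")
        if in_per_pkt > MAX_DNS_RESPONSE_BYTES:
            findings.append(f"dns_oversized_responses:{in_per_pkt:.0f}B")
    elif proto == "icmp":
        # Echo payloads should be small and regular; tunnels pad them and send many of them.
        if flow.get("max_payload", 0) > MAX_PING_PAYLOAD:
            findings.append(f"icmp_oversized_payload:{flow['max_payload']}B")
        if flow["pkts_out"] > ICMP_PACKET_BURST:
            findings.append(f"icmp_high_volume:{flow['pkts_out']}pkts")
    # Any protocol: a client pushing far more than it receives is the exfiltration shape.
    if ratio > UPLOAD_RATIO and flow["bytes_out"] > UPLOAD_MIN_BYTES:
        findings.append(f"upload_heavy:{ratio:.0f}x")
    return findings


def triage(flows: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """Return (src, dst, findings) for every flow with at least one finding."""
    out = []
    for flow in flows:
        findings = check_flow(flow)
        if findings:
            out.append((flow["src"], flow["dst"], findings))
    return out


# Constructed flow records (not a real capture); documentation-range addresses throughout.
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "10.1.1.53", "proto": "udp", "dport": 53,
     "pkts_out": 400, "bytes_out": 28000, "pkts_in": 400, "bytes_in": 60000},          # normal DNS
    {"src": "10.1.1.7", "dst": "203.0.113.10", "proto": "udp", "dport": 53,
     "pkts_out": 2000, "bytes_out": 520000, "pkts_in": 2000, "bytes_in": 900000},       # tunnel-shaped DNS
    {"src": "10.1.1.5", "dst": "198.51.100.1", "proto": "icmp", "max_payload": 56,
     "pkts_out": 20, "bytes_out": 1280, "pkts_in": 20, "bytes_in": 1280},               # ordinary ping
    {"src": "10.1.1.9", "dst": "203.0.113.20", "proto": "icmp", "max_payload": 1400,
     "pkts_out": 5000, "bytes_out": 5000000, "pkts_in": 5000, "bytes_in": 4800000},     # padded ICMP
    {"src": "10.1.1.12", "dst": "203.0.113.30", "proto": "tcp", "dport": 443,
     "pkts_out": 50000, "bytes_out": 70000000, "pkts_in": 30000, "bytes_in": 2000000},  # upload-heavy HTTPS
    {"src": "10.1.1.12", "dst": "203.0.113.40", "proto": "tcp", "dport": 443,
     "pkts_out": 3000, "bytes_out": 300000, "pkts_in": 8000, "bytes_in": 9000000},      # normal browsing
]

if __name__ == "__main__":
    for src, dst, findings in triage(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {', '.join(findings)}")
```

Note what the ratio check deliberately does not catch: a DNS tunnel used for interactive C2 rather than bulk exfiltration has roughly balanced byte counts, which is why the per-protocol size checks are evaluated separately instead of relying on asymmetry alone.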
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1572 |
| Technique Name | Protocol Tunneling |
| Tactic | Command and Control (TA0011) |
| Platforms | Windows, Linux, macOS, Network |
| Sub-techniques | None |
| Data Sources | Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow |
| Related Techniques | T1090 (Proxy), T1071 (Application Layer Protocol), T1573 (Encrypted Channel), T1048 (Exfiltration Over Alternative Protocol), T1132 (Data Encoding), T1001 (Data Obfuscation) |
| MITRE ATT&CK Reference | attack.mitre.org/techniques/T1572 |
Sources and References
The following references were used in compiling this technique briefing. Where possible, primary sources (vendor advisories, government alerts, original research) were prioritized over secondary reporting.
- MITRE ATT&CK — T1572 Protocol Tunneling: attack.mitre.org
- Palo Alto Unit 42 — Chinese APT Abuses VSCode to Target Government in Asia (September 2024): unit42.paloaltonetworks.com
- SentinelLabs / Tinexta Cyber — Operation Digital Eye: Chinese APT Compromises Critical Digital Infrastructure via Visual Studio Code Tunnels (December 2024): sentinelone.com
- CISA — #StopRansomware: Akira Ransomware (AA24-109A, updated November 2025): cisa.gov
- CISA — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure (AA24-038A, February 2024): cisa.gov
- CISA — People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (AA23-144A, May 2023): cisa.gov
- GuidePoint Security — Tunnel Vision: Cloudflared Abused in the Wild (June 2025): guidepointsecurity.com
- Proofpoint — Cloudflare Tunnel Abuse for RAT Delivery (August 2024): rhisac.org
- Infoblox — DNS: A Small but Effective C2 System (July 2025): infoblox.com
- Netskope — DNS Tunneling: The Blind Spot in Your Network Security Strategy (November 2025): netskope.com