Opinion / Commentary

Attackers Discovered That Developer Tools Make Better C2 Infrastructure Than Their Own Servers

KidsProtect's use of VS Code Remote Tunnels and Discord webhooks for command-and-control is not a stalkerware quirk — it is the latest example of a systematic shift toward legitimate cloud services as attack infrastructure. When defenders cannot block VS Code tunnels without breaking developer workflows, the standard network-layer controls that security architecture depends on stop working.

CipherWatch Editorial · Security Intelligence Platform

The KidsProtect stalkerware analysis published this week has a detail worth dwelling on: the tool routes its command-and-control traffic through Microsoft VS Code Remote Tunnels and Discord webhooks. Not because the developer was particularly sophisticated — stalkerware authors are not typically at the forefront of threat actor tradecraft. But because abusing legitimate cloud services for C2 has become so accessible and effective that even commercial stalkerware distributors are doing it.

This is worth treating as a signal.

The Infrastructure Shift

Attackers historically ran their own command-and-control servers. This approach has well-understood weaknesses: the server can be identified, blocked, taken down, and used as evidence. Detection engineers can write rules for traffic to suspicious IP ranges and newly registered domains. Threat intelligence feeds can distribute IOCs. Law enforcement can seize the infrastructure.

The industry built network security monitoring around this model. Block known-bad domains. Alert on anomalous DNS patterns. Monitor for beaconing to suspicious IP ranges. Inspect TLS for certificate mismatches.

The alternative — use infrastructure the defender cannot block — has been available for years. GitHub commit comments as a C2 channel. Slack API calls for data exfiltration. Google Sheets as a beacon receiver. Pastebin for payload hosting. Each of these has been documented in threat actor campaigns. Each of them works because blocking the service creates operational disruption that most organisations cannot accept.

VS Code Remote Tunnels is the same principle applied to a developer-specific service. Traffic flows to *.tunnels.api.visualstudio.com on port 443, authenticated and encrypted. Blocking it disables a widely used remote development workflow. The service is operated by Microsoft, which means the certificate is trusted, the connection looks legitimate at every layer, and there is no anomalous indicator short of behavioural analysis of the endpoint initiating the tunnel.

Discord webhooks are similar: widely used for legitimate notifications, team collaboration, and bot integrations. A process sending data to a Discord webhook URL is indistinguishable at the network layer from a developer’s CI/CD pipeline posting build status to a team channel.

What This Breaks

The security architecture assumption this dismantles is that network-layer controls can separate legitimate from malicious outbound traffic. That assumption was already stretched before this shift. The VS Code tunnel and Discord webhook examples break it cleanly.

Consider what is required to detect KidsProtect’s C2 on a network that permits VS Code and Discord: you need process-level visibility into which application initiated the connection, behavioural analysis of the connection pattern (frequency, data volume, timing), and endpoint telemetry to correlate network activity with the process that generated it. None of this is network-layer monitoring. All of it requires endpoint detection capability deployed on the device, correctly configured, and actively monitored.

For enterprise IT endpoints — corporate laptops with EDR deployed — this capability exists, imperfectly, in mature security programmes. For BYOD devices, personal phones enrolled in MDM, OT workstations, and IoT infrastructure, it largely does not.

The Wider Campaign Pattern

KidsProtect is not the only example from this week. QLNX, the Linux RAT disclosed on 8 May 2026, harvests developer credentials — npm tokens, PyPI credentials, cloud provider keys — from developer workstations and exfiltrates them using legitimate package registry APIs. The PyTorch Lightning supply chain compromise in May 2026 used the package registry’s own infrastructure as the exfiltration channel. The trend is systematic.

The threat actors involved are not all nation-state actors with significant technical resources. Some of the most effective legitimate-service abuse comes from commodity RaaS groups and low-sophistication actors who have simply adopted a technique that works. The combination of effective templates, legitimate infrastructure, and encrypted channels has substantially reduced the technical barrier to evasion.

The Detection Surface That Remains

If network-layer controls are insufficient, what works?

Endpoint detection with process-level network attribution — knowing which process made which connection — is the most reliable remaining control. EDR platforms that provide this visibility can identify VS Code tunnel connections initiated by processes that are not VS Code, or Discord webhook calls from processes that have no legitimate business need to reach Discord’s API.

Behavioural anomaly detection on endpoint telemetry — identifying devices that initiate VS Code tunnel sessions at unusual hours, to unusual tunnel IDs, or with data volumes inconsistent with developer use — requires investment in telemetry analysis that goes beyond signature matching.

Zero-trust application access models that use verified application identity for cloud service access can reduce the attack surface: if VS Code tunnel access requires a managed device certificate, the unmanaged device running stalkerware cannot establish the tunnel regardless of whether the traffic is technically permitted.
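As an added illustration of the process-attribution and behavioural checks described in the preceding paragraphs (not code from the original article or from any EDR vendor), the following Python triages constructed endpoint telemetry records: it flags connections to the VS Code tunnel and Discord destinations named above when the initiating process is not an expected one, the hour is outside business hours, or the outbound volume is larger than interactive developer use would produce. The field layout, the per-destination process allowlists, the hour range, the byte ceiling and the sample records are all assumptions made for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Destinations come from the article; which processes may legitimately reach them
# is an assumed per-organisation allowlist, not a vendor default.
WATCHED = {
    "*.tunnels.api.visualstudio.com": {"code", "code-tunnel", "code.exe"},
    "discord.com": {"ci-notifier"},   # hypothetical CI bot; most hosts have none
}
WORK_HOURS = range(7, 20)         # assumed local business hours (07:00-19:59)
MAX_SESSION_BYTES = 50_000_000    # assumed ceiling for one interactive dev session


@dataclass
class Conn:
    """One process-attributed outbound connection, as an EDR might log it."""
    host: str
    process: str
    dest: str
    port: int
    hour: int
    bytes_out: int


def assess(c: Conn) -> list[str]:
    """Return the reasons this connection deserves analyst review (empty = unremarkable)."""
    reasons = []
    for pattern, allowed in WATCHED.items():
        if c.port == 443 and fnmatch(c.dest, pattern):
            if c.process not in allowed:          # process-level attribution check
                reasons.append(f"unexpected process {c.process!r} -> {pattern}")
            if c.hour not in WORK_HOURS:          # behavioural: timing
                reasons.append(f"outside working hours ({c.hour:02d}:00)")
            if c.bytes_out > MAX_SESSION_BYTES:   # behavioural: volume
                reasons.append(f"high outbound volume ({c.bytes_out} bytes)")
    return reasons


def triage(conns: list[Conn]) -> dict[str, list[str]]:
    """Map each flagged connection to its reasons; clean connections are omitted."""
    return {f"{c.host}:{c.process}->{c.dest}": r for c in conns if (r := assess(c))}


# Constructed sample: a normal developer session, then a stalkerware-like pattern
# from an unmanaged phone. Process and tunnel names are invented for the example.
SAMPLE = [
    Conn("dev-laptop-01", "code", "abc123.tunnels.api.visualstudio.com", 443, 10, 4_200_000),
    Conn("phone-0042", "suspect-svc", "xyz789.tunnels.api.visualstudio.com", 443, 3, 91_000_000),
    Conn("phone-0042", "suspect-svc", "discord.com", 443, 3, 12_000),
]
```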

None of these controls is simple to deploy at scale. But the alternative — continuing to rely on network-layer inspection that the threat has comprehensively bypassed — is maintaining a security posture calibrated for a threat model that no longer reflects how attacks operate.
