Source: SentinelLabs On breached devices, the hackers deployed a portable, legitimate version of Visual Studio Code ('code.exe') and used the 'winsw' tool to set it as a persistent Windows service.