A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials.
Ordinary stuff, until one move near the end.
Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim’s machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next day, his access did not. Eighteen days later, the C2 came back, his agents reconnected on their own, and he carried on.
Cato Networks captured the whole operation command by command, 339 of them over 33 days, after the operator left his SSH keys and a step-by-step playbook in an open storage bucket. The write-up, published Tuesday by Cato CTRL researcher Vitaly Simonovich, is a rare view of an intrusion from the operator’s keyboard rather than the forensic leftovers.
Researchers’ lesson is blunt: pulling a C2 server offline is not remediation if the attacker has already built a separate door.
The actor, handle “Poisson,” is not an APT. Researchers describe a junior operator on what looks like a school schedule, active after 3 p.m. CET with a long midday gap, all of it running on free-tier kit: DuckDNS, Backblaze B2, and a cheap IONOS VPS in Berlin. His tradecraft was thin.
He leaked his home directory five times, named his storage buckets after his own handle, and left a test file of his own keystrokes typed over and over inside the keylogger package. He failed at roughly half of what he tried. He compromised four machines anyway.
The chain
The malware ran almost entirely in memory. A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc’s Demon agent without dropping the implant to disk. For elevation, he used Start-Process -Verb RunAs, which is not a silent UAC bypass. It pops the Windows consent prompt and waits for someone to click Yes. On one victim, it took a dozen tries across two days.
After that came the nailing-down: a scheduled task running at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom-built RustDesk as a backup channel. The credential grabber was a 70-line Python keylogger that wrote keystrokes to a local file, with no beacon and no exfil server. Poisson just logged in, grabbed the file by hand, and ran powercfg to keep the machines from sleeping, so harvesting never paused.
The move that matters
On April 7, in a five-hour overnight session, he installed OpenSSH Server and Tailscale, joined the victim’s machine to his private Tailscale network, and set up key-based SSH and a reverse tunnel. Now he could reach the machine over Tailscale’s encrypted mesh with no C2 and no exposed ports.
The next day, the Havoc infrastructure went offline. Cato does not say why, and it barely matters: the Tailscale path sat on a separate network, so the access lived.
When the C2 returned on April 26, the agents reconnected automatically, no re-compromise required. Over the final five days, he ran 145 more commands, probed smart-card and certificate stores (a sign he was eyeing certificate-based logins), ran two unexplained executables from a file named Thales.zip for about 32 minutes total, then deleted 17 files and went quiet on May 1.
What he wanted was narrow. No Mimikatz, no lateral movement, no ransomware, and no sign he took the documents he browsed, from tax records to insurance. Just what people type: banking logins, email passwords, government portals. For a small business owner, that is direct financial exposure.
None of the tools is new, which is the point. China’s APT31 used Tailscale through 2024 and 2025 to tunnel quietly out of Russian IT firms, Scattered Spider has leaned on legitimate remote-access tools like Ngrok and Fleetdeck, and RustDesk, Poisson’s backup channel, turns up in recent Akira ransomware intrusions.
The binaries are signed and legitimate, so detection that stops at bad files, not bad behavior, misses them. What Poisson adds is command-level proof that the trick outlives a takedown, run by someone clearly still learning.
What to watch
Cato’s hunting list is concrete:
- Alert when OpenSSH Server installs on a Windows workstation, which is rarely legitimate.
- Watch for tailscale.exe on machines that have no reason to run a VPN.
- Look for ssh -R reverse tunnels heading to outside hosts.
- Check for wscript.exe running .vbs files out of user staging folders.
- Flag scheduled tasks set to the highest privileges that launch script interpreters.
- Watch for powercfg standby-timeout changes that keep machines awake.
- Block DuckDNS.
The bigger one: when you find a C2, assume it is not the only way in, and go hunting for the quiet persistence layer behind it.
What was in Thales.zip, and what those two programs did in their 32 minutes on the machine, is the question Cato leaves open. The answer that matters more: the C2 was never the intrusion, just one way into it. Kill it and leave OpenSSH, Tailscale, the scheduled task, and the keylogger running, and the attacker still has a way back in.
That is the part remediation keeps missing.
Source link
