BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Attackers Outlive Takedowns with SSH, Tailscale

Persistent attackers use legitimate tools as backup after C2 takedowns

  • Attackers can maintain access after C2 takedowns by installing separate persistence tools like OpenSSH and VPN software.
  • A junior hacker used free-tier services and a visible playbook but still successfully stole credentials from multiple machines.
  • The key threat involves legitimate, signed tools like Tailscale and RustDesk evading traditional file-based detection.
  • Effective remediation requires hunting for the secondary, quiet persistence layer behind any discovered command-and-control server.

A junior French-speaking hacker, operating after school hours, successfully breached a small French automotive business over 33 days, according to a detailed analysis by Cato Networks. The operator, using the handle “Poisson,” planted a keylogger and stole banking and email credentials using free infrastructure.

- Advertisement -

However, a critical move ensured his access outlived his primary attack server. He installed OpenSSH and Tailscale on a victim’s machine, creating an independent backdoor.

Consequently, when his Havoc command-and-control server went offline the next day, his access persisted for 18 days via the Tailscale network. The agents automatically reconnected when the C2 returned, allowing the operation to continue.

Researchers captured 339 commands after the operator leaked his SSH keys and a playbook. His tradecraft was described as thin, frequently failing and leaking his own data.

Meanwhile, the malware chain relied heavily on in-memory execution. A VBScript stager led to a PowerShell loader, which deployed the Havoc’s Demon agent without touching disk.

- Advertisement -

For persistence, he set a scheduled task and used a custom RustDesk instance. The keylogger was a simple Python script, with keystrokes harvested manually after using powercfg to keep systems awake.

Ultimately, the incident underscores that pulling a C2 offline is insufficient remediation. Cato Networks recommends specific hunts for OpenSSH installs, tailscale.exe, and reverse SSH tunnels on unauthorized workstations.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Musk Admits He Was Wrong About Anthropic, Calls It AI Leader

Elon Musk admitted he was "clearly wrong" about Anthropic, calling the AI company the...

Coinbase CLO Paul Grewal steps down, names successors

Coinbase Chief Legal Officer Paul Grewal will step down on July 31 and move...

npm 12 disables install scripts, phases out 2FA bypass tokens

GitHub released npm version 12 with install scripts disabled by default, making previously automatic...

Ethereum Foundation deploys AI agents to hunt for network bugs

Ethereum Foundation researchers deployed AI agents to red-team critical network infrastructure, uncovering real bugs.The...

Ethereum May Be Forming Short-Term Bottom, Says Ex-BofA Strategist

Ethereum may be forming a short-term bottom, according to a chart shared by Tom...

Must Read

7 Best Crypto To Invest In This Year

Investing in cryptocurrencies has become a popular way for people to diversify their investment portfolio and make potential profits.However, with so many cryptocurrencies available...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading