Full Report
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next
Analysis Summary
# Incident Report: Operation Poisson - Persistence via Tailscale and OpenSSH
## Executive Summary
A French-speaking threat actor, identified as "Poisson," compromised a small French automotive business to steal banking and email credentials using a custom malware chain and keyloggers. The most significant aspect of the attack was the actor’s use of Tailscale and OpenSSH to maintain a "backdoor" into the network that bypassed traditional Command-and-Control (C2) infrastructure. This allowed the attacker to maintain persistence for 18 days while their primary C2 server was offline, highlighting a shift toward using legitimate mesh networking tools for stealthy persistence.
## Incident Details
- **Discovery Date:** Analysis published June 17, 2026 (Cato Networks monitored the 33-day operation)
- **Incident Date:** April 2026 – May 2026
- **Affected Organization:** Unnamed small French automotive business
- **Sector:** Automotive
- **Geography:** France (Attacker infrastructure in Berlin, Germany)
## Timeline of Events
### Initial Access
- **Date/Time:** Early April 2026
- **Vector:** VBScript stager (likely delivered via phishing or web download)
- **Details:** The stager used a sandbox-evasion delay to trigger a PowerShell loader, eventually executing Havoc's "Demon" agent in memory.
### Lateral Movement
- **Techniques:** The attacker compromised four separate machines within the environment. Movement was facilitated by the Havoc framework and later via Tailscale/SSH.
### Data Exfiltration/Impact
- **Details:** Stole banking and email credentials via a local Python-based keylogger. Probed smart-card and certificate stores for advanced authentication bypass.
### Detection & Response
- **Discovery:** After finding the attacker's SSH keys and playbook in an open storage bucket, Cato Networks (Cato CTRL) captured 339 commands executed by the operator over 33 days.
- **Response Actions:** The incident was monitored by researchers to analyze the attacker's methodology. The attacker went quiet on May 1, 2025, after deleting 17 files.
## Attack Methodology
- **Initial Access:** VBScript stager -> PowerShell loader -> .NET loader.
- **Persistence:** Tailscale mesh VPN, OpenSSH server, and scheduled tasks running at logon.
- **Privilege Escalation:** Exploited human error using `Start-Process -Verb RunAs` (triggering repeated UAC prompts until the user clicked "Yes").
- **Defense Evasion:** Use of memory-resident implants (Demon agent), sandbox-evasion delays, and legitimate tools (Tailscale).
- **Credential Access:** Python-based keylogger (70 lines of code) and probing of certificate stores.
- **Discovery:** Probing smart-card stores and file system reconnaissance.
- **Lateral Movement:** Custom-built RustDesk and SSH reverse tunnels.
- **Collection:** Keylogger saved keystrokes to a local file for manual retrieval.
- **Exfiltration:** Manual download of log files from the endpoint.
- **Impact:** Financial theft attempt (banking credentials) and potential identity theft.
## Impact Assessment
- **Financial:** Risk of unauthorized banking transactions; cost of remediation and forensics.
- **Data Breach:** Compromise of internal emails and employee credentials.
- **Operational:** Low; the attacker focused on stealthy collection rather than disruptive ransomware.
- **Reputational:** Potential loss of trust with automotive partners or clients.
## Indicators of Compromise
- **Network indicators:**
  - `tailscale[.]com` traffic to unauthorized accounts.
  - C2 IPs associated with IONOS VPS (Berlin).
  - `duckdns[.]org` subdomains.
- **File indicators:**
  - `Thales.zip`
  - Python-based keylogger scripts.
  - Havoc Demon agent (in-memory).
- **Behavioral indicators:**
  - Repeated UAC prompts from `Start-Process`.
  - Usage of `powercfg` to disable system sleep.
  - Installation of VPN software (Tailscale) on unauthorized endpoints.
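As an added example (not part of the report or of Cato's tooling), the following Python detector replays the behavioral and network indicators listed above over constructed endpoint telemetry. The simplified event format, the 3-prompts-in-60-seconds UAC threshold, the `powercfg` switches matched, and the host names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator patterns drawn from the report: UAC prompt spam via Start-Process -Verb RunAs,
# powercfg used to keep the host awake, unauthorized remote-access tooling, and
# DNS lookups for mesh-VPN / dynamic-DNS providers.
RUNAS_RE = re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I)
POWERCFG_RE = re.compile(r"\bpowercfg(?:\.exe)?\b.*(standby-timeout|monitor-timeout|hibernate)", re.I)
TOOL_RE = re.compile(r"(tailscale|sshd|openssh|rustdesk)", re.I)
MESH_DOMAINS = ("tailscale.com", "zerotier.com", "duckdns.org")
UAC_WINDOW = timedelta(seconds=60)   # assumed window for "repeated" prompts
UAC_THRESHOLD = 3                    # assumed prompt count that constitutes fatigue

# Constructed sample telemetry (not from the report): (timestamp, host, type, detail)
EVENTS = [
    ("2026-04-03T09:00:01", "WS01", "proc", 'powershell.exe -c "Start-Process cmd -Verb RunAs"'),
    ("2026-04-03T09:00:09", "WS01", "proc", 'powershell.exe -c "Start-Process cmd -Verb RunAs"'),
    ("2026-04-03T09:00:17", "WS01", "proc", 'powershell.exe -c "Start-Process cmd -Verb RunAs"'),
    ("2026-04-03T09:05:00", "WS01", "proc", "powercfg.exe /change standby-timeout-ac 0"),
    ("2026-04-03T09:06:30", "WS01", "proc", "tailscale-setup.exe /quiet"),
    ("2026-04-03T09:07:10", "WS01", "dns", "controlplane.tailscale.com"),
    ("2026-04-03T09:08:00", "WS01", "dns", "example.duckdns.org"),
    ("2026-04-03T10:00:00", "WS02", "proc", 'powershell.exe -c "Start-Process notepad -Verb RunAs"'),
    ("2026-04-03T10:30:00", "WS02", "dns", "login.microsoftonline.com"),
]

def detect(events):
    """Return a list of (host, indicator, evidence) alerts in event order."""
    alerts = []
    runas_times = defaultdict(list)   # host -> timestamps of recent RunAs prompts
    for ts, host, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "proc":
            if RUNAS_RE.search(detail):
                # Sliding window: keep only prompts within UAC_WINDOW of this one.
                recent = [x for x in runas_times[host] if t - x <= UAC_WINDOW] + [t]
                runas_times[host] = recent
                if len(recent) == UAC_THRESHOLD:   # fire once when threshold is reached
                    alerts.append((host, "uac_fatigue", f"{len(recent)} RunAs prompts in {UAC_WINDOW.seconds}s"))
            if POWERCFG_RE.search(detail):
                alerts.append((host, "sleep_disabled", detail))
            if TOOL_RE.search(detail):
                alerts.append((host, "remote_access_tool", detail))
        elif kind == "dns":
            name = detail.lower().rstrip(".")
            if any(name == d or name.endswith("." + d) for d in MESH_DOMAINS):
                alerts.append((host, "mesh_vpn_or_dyndns", name))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A single legitimate elevation on WS02 produces no alert; the UAC rule fires only when the prompt count within the window reaches the threshold.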
## Response Actions
- **Containment:** Disconnecting compromised hosts from the Tailscale mesh and the local network.
- **Eradication:** Removal of OpenSSH services, scheduled tasks, and the memory-resident Havoc Demon agent.
- **Recovery:** Password resets for all compromised banking and email accounts.
## Lessons Learned
- **C2 Teardown is Not Enough:** Taking down an attacker's primary C2 server (e.g., Havoc) does not guarantee the threat is neutralized if they have moved to "living-off-the-network" tools like Tailscale.
- **Human Element in UAC:** Even non-silent privilege escalation can succeed if an attacker is persistent enough to fatigue the user into clicking "Yes."
- **Junior Actors are Dangerous:** Despite thin tradecraft and sloppy security (leaving keys in open buckets), the attacker successfully compromised four machines and maintained access for over a month.
## Recommendations
- **Strict Software Whitelisting:** Prevent the installation of unauthorized remote access tools like Tailscale, RustDesk, or OpenSSH.
- **Monitor Mesh Networking:** Alert on any traffic to known mesh VPN providers (Tailscale, ZeroTier) from corporate endpoints.
- **User Education:** Train staff to never approve UAC prompts (RunAs) that they did not personally initiate.
- **Egress Filtering:** Restrict outbound connections to only known, required services to disrupt non-standard C2 channels.