Junior Hacker Used Tailscale to Survive Havoc C2 Takedown
A French-speaking threat actor tracked as "Poisson" compromised a small French automotive business and demonstrated a persistence technique that survived the loss of his command-and-control infrastructure. According to research published Tuesday by Cato CTRL's Vitaly Simonovich, the junior operator deployed the Havoc Demon agent for initial access, then installed OpenSSH Server and Tailscale on a victim machine to build a backup access channel that bypassed his C2 entirely. Researchers reconstructed the full operation — 339 commands over 33 days — after the actor left SSH keys and a step-by-step playbook in an open Backblaze B2 storage bucket.
Poisson's malware chain ran almost entirely in memory: a VBScript stager slept through sandbox-evasion delays before decrypting a PowerShell loader, and that loader pulled a .NET payload that executed Havoc's Demon agent without writing the implant to disk. For privilege escalation, the actor relied on Start-Process -Verb RunAs, which does nothing more than raise the standard Windows UAC consent prompt and therefore depends on the logged-in user clicking through it. That is a noisy method, and it took roughly a dozen attempts over two days on one victim. A 70-line Python keylogger wrote keystrokes to a local file with no exfiltration server at all; the actor simply logged in over SSH to collect the harvested data. Banking and email credentials were among the stolen records; anyone caught up in a similar intrusion should treat those credentials as compromised and check whether the affected addresses already appear in known breach datasets.
The critical persistence move came on April 7 during a five-hour overnight session. Poisson installed OpenSSH Server, joined the compromised machine to his private Tailscale network, and configured key-based authentication with a reverse SSH tunnel. The setup gave him access over Tailscale's encrypted WireGuard-based mesh with no C2 and no ports exposed to the Internet on the victim. That last point is what makes the technique hard to spot: tailscaled reaches its coordination server and relays over outbound connections, so an external port scan of the victim shows nothing new, and the channel has to be found on the host itself (the sshd service, the authorized-keys files, the Tailscale service and its 100.64.0.0/10 address) or in egress telemetry. The next day, the Havoc C2 went offline for reasons Cato did not disclose, but the Tailscale path depended on neither the C2 server nor the Demon agent and remained operational. When the infrastructure returned 18 days later on April 26, the agents reconnected automatically and the operator resumed activity without missing a beat.
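What a responder would actually run against one of these hosts, written here as an added example that is not part of Cato's report or of Poisson's playbook: an elevated PowerShell audit that looks for the OpenSSH Server and Tailscale artifacts from the paragraph above and for the burst of UAC prompts produced by the repeated RunAs attempts described earlier. It assumes the Windows-inbox OpenSSH Server with its default files under `$env:ProgramData\ssh`, a standard Tailscale install (service named "Tailscale", CLI under `$env:ProgramFiles\Tailscale`), and process-creation auditing (Security Event ID 4688) enabled for the UAC check; none of those details come from the article.

```powershell
# Added example, not code from the Cato CTRL report or from the actor's playbook.
# Run in an elevated PowerShell on the suspect Windows host.
# Assumptions (not stated in the article): Windows-inbox OpenSSH Server with config under
# $env:ProgramData\ssh, a standard Tailscale install (service "Tailscale", CLI under
# "$env:ProgramFiles\Tailscale"), and Security Event ID 4688 auditing for the UAC check.

function Get-SshdFindings {
    $findings = @()
    $svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "sshd service present: Status=$($svc.Status) StartType=$($svc.StartType)"
    }
    # On Windows OpenSSH every key for members of Administrators lives in one shared file,
    # so each entry here is an admin-level login. Report the first field and the comment
    # (the comment is where an operator's own handle or hostname tends to leak).
    $adminKeys = Join-Path $env:ProgramData 'ssh\administrators_authorized_keys'
    if (Test-Path $adminKeys) {
        $keys = @(Get-Content $adminKeys | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' })
        $findings += "administrators_authorized_keys: $($keys.Count) key(s)"
        foreach ($k in $keys) {
            $parts = $k.Trim() -split '\s+', 3
            $comment = if ($parts.Count -ge 3) { $parts[2] } else { '(no comment)' }
            $findings += "  admin key: $($parts[0]) $comment"
        }
    }
    # Per-user authorized_keys under every profile on the machine.
    foreach ($profile in (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue)) {
        $f = Join-Path $profile.FullName '.ssh\authorized_keys'
        if (Test-Path $f) {
            $findings += "authorized_keys for $($profile.Name): $(@(Get-Content $f).Count) line(s)"
        }
    }
    # A reverse tunnel from the victim shows up as a long-lived ssh.exe client started with -R.
    $clients = Get-CimInstance Win32_Process -Filter "Name = 'ssh.exe'" -ErrorAction SilentlyContinue
    foreach ($p in $clients) {
        if ($p.CommandLine -match '(^|\s)-R') {
            $findings += "reverse tunnel client (PID $($p.ProcessId)): $($p.CommandLine)"
        }
    }
    $findings
}

function Get-TailscaleFindings {
    $findings = @()
    $svc = Get-Service -Name Tailscale -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Tailscale service present: Status=$($svc.Status) StartType=$($svc.StartType)"
    }
    # Tailscale assigns every node an address from 100.64.0.0/10 (the CGNAT range); a local
    # address in that range is a strong sign the host is enrolled in someone's tailnet.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue
    foreach ($a in $addrs) {
        if ($a.IPAddress -match '^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.') {
            $findings += "CGNAT-range address $($a.IPAddress) on adapter '$($a.InterfaceAlias)'"
        }
    }
    # tailscaled reaches the coordination server and DERP relays outbound, so inspect its
    # established connections rather than listening ports (an external scan sees nothing).
    foreach ($proc in (Get-Process -Name tailscaled -ErrorAction SilentlyContinue)) {
        $procId = $proc.Id
        $conns = Get-NetTCPConnection -OwningProcess $procId -State Established -ErrorAction SilentlyContinue
        foreach ($c in $conns) {
            $findings += "tailscaled (PID $procId) -> $($c.RemoteAddress):$($c.RemotePort)"
        }
    }
    # `tailscale status` lists the peers in the tailnet, i.e. the operator's own devices.
    $cli = Join-Path $env:ProgramFiles 'Tailscale\tailscale.exe'
    if (Test-Path $cli) {
        foreach ($line in (& $cli status 2>&1)) { $findings += "tailscale status: $line" }
    }
    $findings
}

function Get-UacPromptBursts {
    param([int]$Days = 7, [int]$Threshold = 5)
    # consent.exe is the UAC prompt itself. A cluster of launches in one hour is the
    # footprint of repeated Start-Process -Verb RunAs attempts waiting for a click on Yes.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\consent\.exe' }
    foreach ($hour in ($events | Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM-dd HH') })) {
        if ($hour.Count -ge $Threshold) { "$($hour.Count) UAC prompts in hour $($hour.Name):00" }
    }
}

$report = @(Get-SshdFindings; Get-TailscaleFindings; Get-UacPromptBursts) | Where-Object { $_ }
if (-not $report) { 'No sshd/Tailscale artifacts or UAC prompt bursts found.' } else { $report }
```

The point of checking `administrators_authorized_keys` separately is that it is the file a Windows OpenSSH backdoor needs: a key placed there logs in as any member of Administrators regardless of which user profile the attacker had. The UAC-burst threshold is arbitrary; tune it against a baseline of how often legitimate elevation happens on the host.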
Cato's researchers describe Poisson as a junior actor running on free-tier or bargain infrastructure, including DuckDNS, Backblaze B2, and a cheap IONOS VPS in Berlin. His schedule reflected a school day, with activity after 3 p.m. CET and a long midday gap, and his tradecraft was sloppy: he leaked his home directory five times and named storage buckets after his own handle. Despite failing roughly half of his attempts, he compromised four machines and demonstrated that defenders cannot treat a C2 takedown as remediation once the attacker has built a separate door. Security teams responding to similar intrusions should treat every credential typed on a compromised host as stolen, rotate it, and check whether the same password was reused on other services.