
Introduction:
A French-speaking threat actor known as “Poisson” recently demonstrated that taking down a command-and-control (C2) server is no longer sufficient for remediation. Over 33 days, researchers from Cato CTRL captured 339 attacker commands, revealing a multi-stage fileless attack that persisted even after the Havoc C2 infrastructure went offline. The operator installed OpenSSH Server and Tailscale VPN on a victim’s machine, creating an encrypted backdoor that operated independently of the primary C2 channel. This case highlights a critical shift in adversary tradecraft: VPN-mesh-based persistence is already in active use, and defenders must adapt their detection and response strategies accordingly.
Learning Objectives:
- Understand how attackers leverage Tailscale VPN and OpenSSH to maintain persistent access after C2 takedowns
- Learn to detect and dismantle mesh-VPN-based persistence mechanisms on Windows and Linux endpoints
- Master forensic techniques to identify unauthorized SSH keys, reverse tunnels, and scheduled tasks used for backdoor access
1. Understanding the Attack Chain: From Fileless Payload to Mesh-VPN Persistence
The Poisson operation employed a multi-stage fileless infection chain. A VBScript stager with sandbox-evasion delay decrypted a PowerShell loader, which pulled down a .NET loader that ran Havoc’s Demon agent entirely in memory without dropping the implant to disk. For privilege escalation, the attacker used Start-Process -Verb RunAs, which triggers the Windows consent prompt and waits for user interaction. On one victim, it took a dozen attempts across two days to succeed.
Once elevated, the attacker established multiple persistence mechanisms: a scheduled task running at every logon with highest privileges, shellcode injected into Explorer.exe, and a custom-built RustDesk instance as a backup remote access channel. The credential harvester was a 70-line Python keylogger that wrote keystrokes to a local file with no beacon or exfiltration server – Poisson simply logged in periodically and grabbed the file by hand.
Step-by-Step Guide – Detecting Fileless Havoc C2 Infections:
Linux (Endpoint Detection):
# Check for suspicious PowerShell execution from unusual parents
grep -i "powershell" /var/log/syslog | grep -i "bypass"
# Look for VBScript execution patterns
find / -name "*.vbs" -mtime -30 -exec ls -la {} \;
# Detect .NET loader activity (Windows Subsystem for Linux or cross-platform)
find / -name "*.dll" -mtime -7 -exec file {} \; | grep -i "pe32"
# Monitor for unusual scheduled tasks (Linux variant)
crontab -l | grep -iE "powershell|vbs|loader"
Windows (PowerShell – Admin):
# Check for recent VBScript and PowerShell script creation
Get-ChildItem -Path C:\ -Recurse -Include *.vbs, *.ps1 -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-30)}
# Review scheduled tasks for suspicious entries
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM" -or $_.Principal.RunLevel -eq "Highest"} | Select-Object TaskName, State, Actions
# Examine running processes for injected shellcode indicators
Get-Process | Where-Object {$_.Modules.Count -gt 100} | Select-Object Name, ID, @{N="Modules";E={$_.Modules.Count}}
2. The Critical Move: Installing OpenSSH and Tailscale for C2-Independent Access
On April 7, during a five-hour overnight session, Poisson installed OpenSSH Server and Tailscale on the compromised machine. He joined the victim’s machine to his private Tailscale network, configured key-based SSH authentication, and set up a reverse tunnel. This created an encrypted mesh network path that did not rely on the C2 server at all, with no exposed ports on the victim’s firewall. When the Havoc infrastructure went offline the next day, the Tailscale path remained fully functional. When the C2 returned on April 26, the agents reconnected automatically, no re-compromise required.
Step-by-Step Guide – Detecting and Removing Unauthorized Tailscale + OpenSSH Backdoors:
Linux Detection:
# Check for Tailscale installation
which tailscale
tailscale status 2>/dev/null
# List all Tailscale network interfaces
ip link show | grep -i "tailscale"
ifconfig | grep -i "tailscale"
# Examine SSH authorized_keys for unauthorized public keys
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
cat /home/*/.ssh/authorized_keys
# Check for SSH reverse tunnel configurations
grep -r "GatewayPorts" /etc/ssh/sshd_config
grep -r "PermitOpen" /etc/ssh/sshd_config
ps aux | grep -i "ssh.*-R"
# Identify unexpected OpenSSH Server installations
dpkg -l | grep openssh-server   # Debian/Ubuntu
rpm -qa | grep openssh-server   # RHEL/CentOS
systemctl status ssh
Windows Detection (PowerShell – Admin):
# Check for Tailscale installation
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Tailscale*"}
# Check for OpenSSH Server installation (Windows 10/11)
Get-WindowsCapability -Online | Where-Object {$_.Name -like "OpenSSH.Server*"}
# Examine SSH authorized_keys on Windows
Get-ChildItem -Path C:\Users\*\.ssh\authorized_keys -ErrorAction SilentlyContinue | ForEach-Object {Get-Content $_.FullName}
# Check for SSH service status
Get-Service sshd, ssh-agent -ErrorAction SilentlyContinue | Select-Object Name, Status, StartType
# Look for Tailscale network interfaces
Get-NetAdapter | Where-Object {$_.Name -like "*Tailscale*"}
# Review firewall rules for Tailscale/SSH exceptions
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*SSH*" -or $_.DisplayName -like "*Tailscale*"}
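The Linux and Windows checks above only print authorized_keys; deciding which entries are unexpected still needs each key's fingerprint. The following added example (not code from this page or from the Cato CTRL report) parses authorized_keys entries, computes the SHA256 fingerprint the way ssh-keygen -lf reports it, and flags keys that are not on an allowlist or that carry tunnel-shaping options such as permitlisten or permitopen. The sample file, the allowlist and the key blobs are constructed.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com")
# Options that reshape what a key may do; permitlisten/permitopen/no-pty is the shape a tunnel-only key takes
NOTABLE_OPTIONS = ("command=", "permitopen=", "permitlisten=", "no-pty")

def fingerprint(blob_b64):
    # SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64 of the blob's digest)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    # Layout is [options] type base64 [comment]; None for blank, comment or unparsable lines
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    options = ""
    if fields[0] not in KEY_TYPES:  # first token is an options field, not a key type
        options, fields = fields[0], fields[1:]
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return None
    return options, fields[0], fields[1], " ".join(fields[2:])

def audit(text, allowlist):
    # Flag every key whose fingerprint is not allowlisted or that carries notable options
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        options, ktype, blob, comment = rec
        fp = fingerprint(blob)
        reasons = [] if fp in allowlist else ["not in allowlist"]
        opts = [o for o in NOTABLE_OPTIONS if o in options]
        if opts:
            reasons.append("options: " + ",".join(opts))
        if reasons:
            findings.append({"line": lineno, "type": ktype, "fingerprint": fp, "comment": comment, "reasons": reasons})
    return findings

def _fake_blob(seed):
    # Constructed ed25519-shaped wire blob (type string + 32 filler bytes), not a real key
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

# Constructed sample file: an allowlisted admin key, an unknown key, and a tunnel-only key
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {_fake_blob(1)} admin@jumphost",
    f"ssh-ed25519 {_fake_blob(2)} poisson",
    f'permitlisten="2222",no-pty ssh-ed25519 {_fake_blob(3)} tunnel-only',
])
ALLOWLIST = {fingerprint(_fake_blob(1))}
```

On Windows, keys for members of the Administrators group are read from C:\ProgramData\ssh\administrators_authorized_keys rather than the per-user file, so feed that file to the auditor as well.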
Remediation Commands:
# Linux – Remove unauthorized SSH keys
rm -f /root/.ssh/authorized_keys
rm -f /home/*/.ssh/authorized_keys
# Uninstall Tailscale
tailscale logout
apt-get remove tailscale -y   # Debian/Ubuntu
yum remove tailscale -y       # RHEL/CentOS
# Remove SSH server if not required
apt-get remove openssh-server -y
systemctl disable sshd
# Windows – Uninstall Tailscale
Start-Process "msiexec.exe" -ArgumentList "/x {Tailscale-Product-Code} /quiet" -Wait
# Remove OpenSSH Server (it is a Windows capability, not an optional feature)
Get-WindowsCapability -Online | Where-Object {$_.Name -like "OpenSSH.Server*"} | Remove-WindowsCapability -Online
# Revoke SSH keys
Remove-Item -Path C:\Users\*\.ssh\authorized_keys -Force
3. Attackers’ Operational Security (OPSEC) Failures and What They Reveal
Despite the technical success of his persistence mechanism, Poisson made numerous OPSEC mistakes that enabled researchers to reconstruct the entire operation. He leaked his home directory five times, named his storage buckets after his own handle, and left a test file of his own keystrokes inside the keylogger package. He used entirely free-tier infrastructure: DuckDNS for dynamic DNS, Backblaze B2 for payload hosting, and a cheap IONOS VPS in Berlin. He also accidentally left his SSH keys and a step-by-step attack playbook in a public storage bucket. These failures underscore a critical takeaway: even low-skill actors can compromise real targets using off-the-shelf tools, and defenders must assume that amateur mistakes will not prevent successful intrusions.
Step-by-Step Guide – Investigating OPSEC Leakage and Exposed Credentials:
Search for Exposed SSH Keys and Credentials in Public Repositories:
# Search GitHub for exposed SSH keys (requires GitHub CLI)
gh search code "BEGIN OPENSSH PRIVATE KEY" --limit 100
# Search for exposed AWS/cloud credentials
gh search code "AKIA" --limit 100
# Check for exposed storage buckets (AWS S3)
aws s3 ls s3://<bucket-name> --recursive | grep -iE "key|credential|password"
Linux – Local Forensic Artifacts:
# Search for SSH keys in unusual locations
find / \( -name "id_rsa" -o -name "id_dsa" -o -name "*.pem" \) 2>/dev/null
# Check shell history for DuckDNS, Backblaze, IONOS usage
grep -rE "duckdns.org|backblaze.com|ionos" ~/.bash_history ~/.zsh_history /home/*/.bash_history
# Examine command history for unusual activity
tail -100 ~/.bash_history
Windows – Forensic Artifacts:
# Check PowerShell history for credential exposure
Get-Content (Get-PSReadlineOption).HistorySavePath | Select-String -Pattern "password|credential|login|api"
# Search for SSH keys in user profiles
Get-ChildItem -Path C:\Users\*\.ssh -Recurse -ErrorAction SilentlyContinue
# Check browser history for free-tier service usage (Chrome)
Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" -ErrorAction SilentlyContinue | ForEach-Object {
    # SQLite query would be required for full extraction
    Write-Host "Found Chrome history at: $($_.FullName)"
}
4. Defensive Countermeasures: Detecting VPN-Mesh Persistence in Your Environment
The Poisson case demonstrates that traditional C2 takedowns are no longer sufficient remediation. Defenders must implement detection strategies for unauthorized VPN mesh deployments, SSH reverse tunnels, and secondary remote access channels. Cato CTRL researchers recommend generating alerts for OpenSSH server deployment on workstations, monitoring for Tailscale VPN activity on systems where it is not expected, and tracking suspicious scheduled tasks running with elevated privileges.
Step-by-Step Guide – Building Detection Rules for VPN-Mesh Persistence:
SIEM Query – Detect Tailscale Installation (Splunk/Elastic):
index=windows EventCode=4688 (NewProcessName="*msiexec.exe" OR NewProcessName="*tailscale.exe") AND CommandLine="*Tailscale*"
| stats count by ComputerName, User, CommandLine
Linux Auditd Rule – Monitor SSH Authorized_Keys Modifications:
# Add to /etc/audit/rules.d/audit.rules
# (auditd watches take literal paths, not globs: add one -w line per home directory)
-w /root/.ssh/authorized_keys -p wa -k ssh_key_mod
-w /home/<username>/.ssh/authorized_keys -p wa -k ssh_key_mod
-w /etc/ssh/sshd_config -p wa -k ssh_config_mod
# Reload auditd
auditctl -R /etc/audit/rules.d/audit.rules
Windows Event Log Monitoring – Detect OpenSSH Installation:
# Enable auditing for service installation
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
# Query Event Log for OpenSSH installation
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object {$_.Message -like "*OpenSSH*"} | Select-Object TimeCreated, Message
Network Detection – Identify Tailscale Traffic:
# Look for Tailscale's UDP port 41641 (WireGuard) and TCP 443 for coordination
tcpdump -i any -n 'udp port 41641 or (tcp port 443 and net 100.64.0.0/10)'
# Detect Tailscale interface creation
ip monitor link | grep -i "tailscale"
# Check for outbound connections to Tailscale coordination servers (-r resolves names so the hostname pattern can match)
ss -tupr | grep -E "100\.100\.100\.100|login\.tailscale\.com"
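The Windows 7045/4688 queries and the auditd rules above each fire on one signal; the point of the Poisson case is that the combination on a single host is what matters. This added example (not from the page or from Cato CTRL) runs those rules over constructed log lines wrapped in an assumed host/src/id/msg envelope and raises a combined alert when one host shows both a Tailscale install and an SSH-side change. The envelope format, the host names and the SSH_EXPECTED_HOSTS set are assumptions.

```python
import re
from collections import defaultdict

# Hosts where an SSH server is expected (servers, jump hosts); workstations are deliberately not listed
SSH_EXPECTED_HOSTS = {"srv01"}
# (rule name, event source, event id or None, pattern whose group 1 becomes the alert detail)
RULES = [
    ("openssh_service_installed", "System", "7045", re.compile(r"Service Name: (OpenSSH.*?) Service File Name", re.I)),
    ("tailscale_service_installed", "System", "7045", re.compile(r"Service Name: (Tailscale\S*)", re.I)),
    ("tailscale_installer_run", "Security", "4688", re.compile(r"Process Command Line: (.*tailscale.*)", re.I)),
    ("authorized_keys_modified", "auditd", None, re.compile(r'exe="([^"]+)".*key="ssh_key_mod"')),
]
VPN_RULES, SSH_RULES = {"tailscale_service_installed", "tailscale_installer_run"}, {"openssh_service_installed", "authorized_keys_modified"}
# Assumed collector envelope: host=<name> src=<log> id=<event id> msg='<original message>'
EVENT_RE = re.compile(r"host=(\S+) src=(\S+) id=(\S+) msg='(.*)'$")

def match_event(line):
    # One alert dict per rule the event satisfies; OpenSSH installs on expected hosts are not alerted
    m = EVENT_RE.match(line)
    if not m:
        return []
    host, src, eid, msg = m.groups()
    hits = []
    for name, rule_src, rule_id, pat in RULES:
        if src != rule_src or (rule_id and eid != rule_id):
            continue
        pm = pat.search(msg)
        if pm is None or (name == "openssh_service_installed" and host in SSH_EXPECTED_HOSTS):
            continue
        hits.append({"host": host, "rule": name, "detail": pm.group(1)})
    return hits

def correlate(lines):
    # Per-event alerts, plus one combined alert per host showing both a VPN-mesh and an SSH-side signal
    alerts = [hit for line in lines for hit in match_event(line)]
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["rule"])
    for host, rules in sorted(by_host.items()):
        if rules & VPN_RULES and rules & SSH_RULES:
            alerts.append({"host": host, "rule": "mesh_vpn_persistence_suspected", "detail": ", ".join(sorted(rules))})
    return alerts

# Constructed sample events (not real telemetry) in the assumed envelope
SAMPLE_EVENTS = [
    r"host=WS01 src=System id=7045 msg='A service was installed in the system. Service Name: OpenSSH SSH Server Service File Name: C:\Windows\System32\OpenSSH\sshd.exe'",
    r"host=WS01 src=System id=7045 msg='A service was installed in the system. Service Name: Tailscale Service File Name: C:\Program Files\Tailscale\tailscaled.exe'",
    r"host=WS01 src=Security id=4688 msg='New Process Name: C:\Windows\System32\msiexec.exe Process Command Line: msiexec.exe /i tailscale-setup.msi /quiet'",
    r"host=WS02 src=Security id=4688 msg='New Process Name: C:\Windows\System32\notepad.exe Process Command Line: notepad.exe'",
    "host=lx01 src=auditd id=SYSCALL msg='type=SYSCALL msg=audit(1712480000.123:456): syscall=257 success=yes auid=1000 uid=0 exe=\"/usr/bin/vim\" key=\"ssh_key_mod\"'",
]
```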
5. Post-Incident Response: Dismantling Persistent Access Layers
When VPN-mesh-based persistence is identified, security teams must immediately locate and dismantle any active Tailscale or SSH mesh connections. Investigators should review all scheduled tasks and startup shortcuts for unauthorized persistence. A full credential reset is strongly recommended for all users, since keylogger activity creates a high likelihood of credential compromise.
Step-by-Step Guide – Comprehensive Incident Response Playbook:
Phase 1 – Isolation:
# Linux – Block Tailscale outbound traffic
iptables -A OUTPUT -p udp --dport 41641 -j DROP
iptables -A OUTPUT -d 100.64.0.0/10 -j DROP
# Linux – Kill SSH sessions
pkill -f "sshd:.*@pts"
# Windows – Block Tailscale via Windows Firewall
New-NetFirewallRule -DisplayName "Block Tailscale Outbound" -Direction Outbound -Action Block -RemotePort 41641 -Protocol UDP
New-NetFirewallRule -DisplayName "Block Tailscale IP Range" -Direction Outbound -Action Block -RemoteAddress 100.64.0.0/10
# Windows – Terminate SSH sessions
Stop-Service sshd -Force
Phase 2 – Eradication:
# Linux – Remove Tailscale completely
tailscale logout
systemctl stop tailscaled
apt-get purge tailscale -y   # or: yum remove tailscale -y
rm -rf /var/lib/tailscale
Windows – Remove Tailscale and OpenSSH
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*Tailscale*"} | ForEach-Object { $_.Uninstall() }
# OpenSSH Server is a Windows capability, so it is removed with Remove-WindowsCapability
Get-WindowsCapability -Online | Where-Object {$_.Name -like "OpenSSH.Server*"} | Remove-WindowsCapability -Online
Remove-Item -Path "C:\ProgramData\Tailscale" -Recurse -Force -ErrorAction SilentlyContinue
Phase 3 – Credential Reset and Monitoring:
# Linux – Force password reset for all users
for user in $(getent passwd | cut -d: -f1); do passwd -e "$user"; done
# Reset SSH host keys
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server   # Debian/Ubuntu
# Windows – Force password reset at next logon (PasswordExpired=1 via the WinNT provider sets the "must change password" flag)
Get-LocalUser | Where-Object {$_.Enabled -eq $true} | ForEach-Object { $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$($_.Name),user"; $acct.PasswordExpired = 1; $acct.SetInfo() }
Phase 4 – Continuous Monitoring:
# Deploy File Integrity Monitoring for SSH configuration (AIDE example – initialize baseline)
aideinit
# Run daily checks
aide --check
# Monitor for new Tailscale installations
inotifywait -m -e create /usr/bin /usr/local/bin | grep -i tailscale
What Undercode Say:
- Key Takeaway 1: VPN-mesh-based persistence is not theoretical – it is already being used in active intrusions by low-skill actors. Defenders must expand their remediation scope beyond C2 takedowns to include identification and dismantling of resilient access layers.
- Key Takeaway 2: The Poisson operation demonstrates that free-tier infrastructure and off-the-shelf tools are sufficient for successful credential theft campaigns. Organizations must implement detection for unauthorized VPN mesh deployments, SSH reverse tunnels, and secondary remote access channels, even in environments considered low-risk.
Analysis:
The Poisson case is a watershed moment for cybersecurity defense. For years, the industry has operated under the assumption that taking down a C2 server effectively neutralizes an intrusion. This incident proves otherwise. The attacker’s use of Tailscale – a legitimate enterprise-grade mesh VPN – as a persistence mechanism represents a paradigm shift in adversary tradecraft. Unlike traditional backdoors that rely on C2 communication, mesh-VPN persistence operates on a separate network layer, making it invisible to standard C2 detection tools and resistant to takedown efforts.
What makes this particularly concerning is the attacker’s skill level. Poisson is described as a junior operator with a school-hours schedule, who made numerous OPSEC mistakes and failed at roughly half of his attempts. Yet he still compromised four machines, harvested real credentials, and maintained access for over a month. If this is the floor of what an untrained operator can achieve using free tools, the ceiling for skilled, well-resourced threat actors is alarming.
Organizations must immediately reassess their incident response playbooks. C2 takedowns are no longer sufficient; security teams must actively hunt for unauthorized VPN mesh deployments, SSH authorized_keys modifications, and secondary remote access channels. This requires integrating network layer monitoring (for Tailscale/WireGuard traffic), endpoint detection (for OpenSSH Server installation on workstations), and cloud infrastructure visibility (for exposed storage buckets containing attacker artifacts). The Poisson operation also highlights the importance of credential hygiene – the keylogger harvested banking and email credentials, and the attacker’s exposure of SSH keys in a public bucket underscores the risks of credential reuse and poor OPSEC.
Prediction:
- -1 C2 takedowns as a primary remediation strategy will become increasingly ineffective as more threat actors adopt VPN-mesh-based persistence techniques. Organizations that fail to adapt their detection and response capabilities will face prolonged compromises.
- +1 The cybersecurity industry will see rapid development of detection tools specifically designed to identify unauthorized Tailscale, ZeroTier, and other mesh VPN deployments on enterprise endpoints.
- -1 Low-skill attackers will continue to leverage free-tier infrastructure and legitimate VPN services to bypass traditional security controls, lowering the barrier to entry for cybercrime.
- +1 Blue teams will increasingly integrate network flow logging and VPN detection into their SIEM platforms, enabling real-time identification of unauthorized mesh network activity.
- -1 The use of legitimate remote access tools like RustDesk as backup channels will become more prevalent, complicating detection efforts and blurring the line between authorized and malicious activity.
- +1 Incident response playbooks will evolve to include mandatory checks for SSH authorized_keys modifications, Tailscale service installations, and scheduled task abuse as standard containment procedures.
- -1 Organizations with limited security resources will remain vulnerable to these techniques, as they lack the visibility and tooling to detect VPN-mesh persistence.
- +1 Threat intelligence sharing around VPN-mesh-based IOCs (Tailscale node IDs, SSH key fingerprints, storage bucket names) will improve, enabling faster detection and response across the industry.
Reported By: Mohit Hackernews – Hackers Feeds