A French-speaking attacker broke into a small French automotive business, stole banking and email credentials, and kept access even after his command-and-control server went offline, according to a technical analysis by Cato Networks. Cato said it captured 339 commands over 33 days.
KEY FACTS
- Target: A small French automotive business was hit by an intruder known as Poisson.
- Data sought: The attacker focused on banking logins, email passwords and government portal credentials.
- Persistence: OpenSSH and Tailscale were installed on a victim machine to create an access path outside the C2 server.
- Scope: Researchers said the operator compromised four machines over 33 days.
- Tradecraft: The operation relied on free or low-cost services, including DuckDNS, Backblaze B2 and an IONOS VPS.
The analysis said the malware chain started with a VBScript stager, a PowerShell loader and a .NET loader that launched Havoc’s Demon agent in memory. For elevation, the attacker used a normal Windows consent prompt and relied on repeated attempts rather than a hidden bypass.
Researchers said the operator also set up a scheduled task, injected shellcode into Explorer.exe and used a RustDesk build as a backup channel. A 70-line Python keylogger captured keystrokes locally, and the attacker later copied the file by hand.
On April 7, the attacker installed OpenSSH Server and Tailscale, joined the victim machine to a private mesh network and created a reverse tunnel. The next day, the C2 infrastructure went offline, but access remained in place. When the C2 returned on April 26, the agents reconnected automatically.
The report said the operator later checked smart-card and certificate stores, ran two unknown programs from a file named Thales.zip and deleted 17 files before going quiet on May 1. It said there was no sign of ransomware, lateral movement or file theft beyond credential harvesting.
WHY IT MATTERS
The case shows that taking down a command-and-control server may not remove an intrusion if the attacker has already set up other access paths. It also shows how legitimate remote-access tools can be used to maintain entry on a Windows system without obvious malicious files.
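The persistence path described above (OpenSSH Server, Tailscale and a RustDesk build installed as services) leaves a trace a defender can look for: the Windows System log records every new service as Event ID 7045. The following is an added example, not code from the Cato report; it runs a simple detection over constructed 7045 records that have been flattened to one line each, and the tool patterns and allowlist are assumptions you would tune for your own environment.

```python
"""Flag Windows service installs (Event ID 7045) that look like remote-access tooling."""
import re

# Patterns for the tools the report names. Constructed for this example;
# extend or narrow them to match the tooling sanctioned in your estate.
REMOTE_ACCESS_PATTERNS = {
    "openssh": re.compile(r"\bsshd\b|OpenSSH", re.I),
    "tailscale": re.compile(r"tailscale", re.I),
    "rustdesk": re.compile(r"rustdesk", re.I),
}

# Constructed sample: System-log 7045 events flattened to
# "timestamp|event_id|service_name|image_path". Timestamps are invented.
SAMPLE_LOG = """\
2000-04-07T09:12:03|7045|sshd|C:\\Windows\\System32\\OpenSSH\\sshd.exe
2000-04-07T09:15:41|7045|Tailscale|C:\\Program Files\\Tailscale\\tailscaled.exe
2000-04-07T10:02:10|7045|Spooler|C:\\Windows\\System32\\spoolsv.exe
2000-04-08T14:30:00|7045|RustDesk|C:\\Users\\user\\AppData\\Local\\rustdesk.exe
2000-04-08T15:01:22|7036|Tailscale|entered the running state
"""


def parse_service_installs(log_text):
    """Yield (timestamp, service, image) for each 7045 record; other IDs are ignored."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, service, image = line.split("|", 3)
        if event_id == "7045":
            yield ts, service, image


def find_remote_access_installs(log_text, allowlist=()):
    """Return a list of (timestamp, tool, service, image) for suspicious installs.

    Service names in `allowlist` (e.g. a sanctioned sshd deployment) are skipped,
    so the output is only the installs nobody has vouched for.
    """
    findings = []
    for ts, service, image in parse_service_installs(log_text):
        if service in allowlist:
            continue
        for tool, pattern in REMOTE_ACCESS_PATTERNS.items():
            if pattern.search(service) or pattern.search(image):
                findings.append((ts, tool, service, image))
                break
    return findings


if __name__ == "__main__":
    for ts, tool, service, image in find_remote_access_installs(SAMPLE_LOG):
        print(f"{ts} {tool}: service {service!r} installed from {image}")
```

A real deployment would pull the 7045 records from the event log or SIEM rather than a string, and would pair these hits with scheduled-task creation events, since the report describes both being set up together.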