A relatively inexperienced French-speaking attacker broke into a small French automotive business, planting a keylogger that captured banking and email credentials. But the incident stands out for an unusual contingency measure taken just before the attacker's command-and-control (C2) server went offline.

Recognizing that his Havoc C2 server was about to become unavailable, the intruder installed OpenSSH and Tailscale on the victim's machine. This created a direct, independent access channel that bypassed the C2 entirely, allowing him to maintain a foothold even after the primary command server went dark the next day. The move suggests a level of operational planning uncommon for a junior threat actor.

The attack followed a typical initial compromise, with the keylogger deployed to harvest sensitive credentials from the automotive business. However, the pivot to legitimate tools like OpenSSH and Tailscale for persistence represents a novel twist, as these tools are not typically flagged by standard security monitoring. Tailscale, a WireGuard-based VPN service, allowed the attacker to establish a secure tunnel to the victim network without relying on a traditional C2 infrastructure.

No indicators of compromise or specific CVE identifiers have been publicly associated with this attack, and it appears to be an isolated incident targeting a single organization. The use of commercial and open-source tools for backdoor access underscores the growing challenge of distinguishing malicious activity from legitimate administrative actions. Security teams are advised to monitor for unexpected installations of remote access tools, particularly in environments where they are not normally used.
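The monitoring advice above can be turned into a concrete check. The following detection sketch, added here as an example and not part of the original report, scans service-install events (Windows event ID 7045, constructed sample records) for OpenSSH server and Tailscale installs on hosts where they are not expected, and additionally flags a host where both appear within a short window, the pairing described above that yields an access channel independent of any C2 server. The host names, allowlist and timestamps are constructed assumptions.

```python
"""Detection sketch: flag unexpected installs of remote-access tooling
(OpenSSH server, Tailscale) and the pairing of both on one host.
All sample events below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Service/binary name fragments that indicate a C2-independent access channel.
REMOTE_ACCESS_TOOLS = {
    "tailscale": ("tailscale", "tailscaled"),
    "openssh": ("sshd", "openssh"),
}

# Constructed sample: Windows-style service-install events (event ID 7045).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:00", "host": "WS-ACCOUNTING-02", "event_id": 7045, "service": "Spooler"},
    {"ts": "2024-03-01T22:41:10", "host": "WS-ACCOUNTING-02", "event_id": 7045, "service": "sshd"},
    {"ts": "2024-03-01T22:47:35", "host": "WS-ACCOUNTING-02", "event_id": 7045, "service": "Tailscale"},
    {"ts": "2024-03-02T08:00:00", "host": "ADMIN-JUMPBOX", "event_id": 7045, "service": "Tailscale"},
]

# Hosts where these tools are legitimately expected (assumed admin jump box).
ALLOWLIST = {"ADMIN-JUMPBOX": {"tailscale", "openssh"}}


def classify(service_name):
    """Map a service name to a tool category, or None if not of interest."""
    name = service_name.lower()
    for tool, markers in REMOTE_ACCESS_TOOLS.items():
        if any(m in name for m in markers):
            return tool
    return None


def detect(events, allowlist=ALLOWLIST, window=timedelta(hours=24)):
    """Return (unexpected_installs, paired_hosts).

    unexpected_installs: (host, tool, timestamp) for each install outside the allowlist.
    paired_hosts: hosts where OpenSSH and Tailscale were both installed within `window`.
    """
    unexpected = []
    first_seen = defaultdict(dict)  # host -> tool -> first install time
    for ev in events:
        if ev["event_id"] != 7045:
            continue
        tool = classify(ev["service"])
        if tool is None or tool in allowlist.get(ev["host"], set()):
            continue
        unexpected.append((ev["host"], tool, ev["ts"]))
        first_seen[ev["host"]].setdefault(tool, datetime.fromisoformat(ev["ts"]))
    paired = [host for host, tools in first_seen.items()
              if {"tailscale", "openssh"} <= tools.keys()
              and abs(tools["tailscale"] - tools["openssh"]) <= window]
    return unexpected, paired
```

In a real deployment the same logic applies to Sysmon process-creation or Linux package/systemd unit events; the pairing rule is the higher-confidence signal, since a single OpenSSH install is common noise.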

Attribution points to a French-speaking actor, but no specific threat group has been named. The incident highlights how even low-skilled adversaries are adapting their techniques, blending commodity malware with legitimate software to evade detection and ensure persistence.