A French-speaking threat actor breached a small French automotive business and deployed a keylogger to harvest banking and email credentials. The attacker then executed a persistence technique that sidestepped traditional command-and-control infrastructure.

Before his Havoc C2 server went offline, the attacker installed OpenSSH and Tailscale on the compromised machine. This dual-layer approach created a backup access channel independent of the primary C2 infrastructure. Tailscale, a legitimate zero-trust VPN service, paired with OpenSSH provided encrypted remote access that did not depend on the botnet's command server remaining operational.

The technique reflects operational security thinking uncommon in lower-tier attackers. Rather than relying solely on a single C2 channel, the actor built redundant access that persisted after the Havoc server went dark. OpenSSH offers standard SSH connectivity, while Tailscale creates a private mesh network between authenticated devices. An attacker using both tools gains flexible re-entry options: direct SSH connections or VPN-based access through Tailscale's infrastructure.

The compromise exposed a critical gap in endpoint monitoring. Many organizations focus detection efforts on known malware signatures and C2 traffic patterns. Legitimate tools like OpenSSH and Tailscale generate less suspicion, particularly when installed on systems where development tools or remote access are commonplace.

This case demonstrates why network access logs, SSH key audits, and VPN authentication records require continuous review. The attacker's installation of these tools left forensic traces. SSH key generation timestamps and Tailscale account creation events create a timeline investigators can follow.
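One way to start the SSH key audit described above, as an added example that is not code from the original report: a bash script that walks every authorized_keys file under a home-directory root and prints per-key metadata (owning user, key type, comment, and the file's modification time as the timeline anchor). The root directory and the sample tree it builds for demonstration are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article. Lists SSH authorized_keys
# entries under a home-directory root (e.g. /home) with the metadata an analyst
# needs when hunting for backdoor keys: user, key type, comment, file mtime.
set -u

# Print one TSV line per key: user, type, comment, authorized_keys mtime (UTC).
audit_authorized_keys() {
    local root="$1" file user mtime line ktype comment
    for file in "$root"/*/.ssh/authorized_keys; do
        [ -f "$file" ] || continue
        user=$(basename "$(dirname "$(dirname "$file")")")
        mtime=$(date -u -r "$file" '+%Y-%m-%dT%H:%M:%SZ')
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
            set -f; set -- $line; set +f                 # split fields, no globbing
            # A line may begin with option fields (command=, from=, no-pty, ...);
            # skip them until the key type. Quoted options containing spaces are
            # not handled by this simple whitespace splitter.
            while [ $# -gt 0 ]; do
                case "$1" in ssh-*|ecdsa-*|sk-*) break ;; esac
                shift
            done
            [ $# -ge 2 ] || continue                     # malformed line
            ktype=$1; shift 2; comment="${*:-(none)}"
            printf '%s\t%s\t%s\t%s\n' "$user" "$ktype" "$comment" "$mtime"
        done < "$file"
    done
}

# Build a constructed sample home tree in a temp dir and print its path.
# Contains a personal key, a key without a comment, and a restricted key
# with leading options, as an attacker-added entry might look.
build_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/alice/.ssh" "$root/svc/.ssh" "$root/bob"
    printf '# personal key\n\nssh-ed25519 AAAAC3Nza_SAMPLE_1 alice@laptop\n' \
        > "$root/alice/.ssh/authorized_keys"
    printf 'ssh-rsa AAAAB3Nza_SAMPLE_2\ncommand="/bin/true",no-pty ssh-ed25519 AAAAC3Nza_SAMPLE_3 backup@ops\n' \
        > "$root/svc/.ssh/authorized_keys"
    printf '%s\n' "$root"
}

# Demo run over the constructed tree; on a real host call audit_authorized_keys /home.
demo_root=$(build_sample_tree)
audit_authorized_keys "$demo_root"
rm -rf "$demo_root"
```

Keys whose comment is unfamiliar, or whose file mtime falls inside the intrusion window, are the entries to cross-check against the C2 and Tailscale timeline.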

For the automotive business, recovery required identifying all persistence mechanisms, not just removing the botnet. Defenders needed to audit SSH authorized_keys files, revoke Tailscale accounts, and review outbound VPN connections. This multi-layered