The Hacker News

Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

A threat actor targeted a small French automotive business and successfully deployed a keylogger to exfiltrate banking and email credentials. The attacker's notable tactic was installing OpenSSH and Tailscale on a compromised victim machine before their primary Havoc command-and-control (C2) server went offline. This pre-emptive installation gave them a persistent access path that did not depend on the C2 infrastructure at all. The attacker, described as French-speaking, used this backdoor to retain access to the victim's network even after the Havoc C2 server ceased operating. The method shows a deliberate approach to surviving C2 failure: rather than relying solely on the C2 channel, the attacker stood up an independent remote-access route in advance. The specific details of the breach and the attacker's subsequent actions were described in a security analysis, underscoring the evolving tactics of cybercriminals.

Original source: read the full reporting on The Hacker News.