The Hacker News reported on a Cato Networks investigation into a French-speaking attacker who compromised a small French automotive business.
The attacker planted a keylogger and stole banking and email credentials.
Cato Networks captured 339 attacker commands over 33 days after the operator left SSH keys and a playbook in an open storage bucket.
The malware chain used a VBScript stager, a PowerShell loader, a .NET loader, and Havoc’s Demon agent running mostly in memory.
The attacker attempted privilege elevation using Start-Process -Verb RunAs and established persistence with a scheduled task running at every logon with highest privileges.
The attacker injected shellcode into Explorer.exe and used a custom RustDesk build as a backup channel.
Before the command-and-control server went offline, the attacker installed OpenSSH Server and Tailscale on a victim machine, joined it to a private Tailscale network, configured key-based SSH, and created a reverse tunnel.
When the Havoc command-and-control infrastructure went offline, the Tailscale and OpenSSH path preserved attacker access.
Cato recommended hunting for OpenSSH Server installations on Windows workstations, tailscale.exe on systems without a business need, ssh -R reverse tunnels, wscript.exe running VBS files from user staging folders, high-privilege scheduled tasks launching script interpreters, and powercfg changes that prevent sleep.
A recent Cato Networks investigation highlights a challenge many security teams continue to underestimate: removing malware infrastructure does not necessarily remove attacker access. The case also demonstrates how Tailscale persistence can help attackers maintain connectivity even after their primary command-and-control infrastructure is disrupted.
In the reported intrusion, the attacker maintained access to the environment even after their primary command-and-control (C2) channel became unavailable. Instead of relying solely on custom malware, they established alternative access paths using legitimate remote administration technologies, allowing persistence beyond the lifespan of the original attack infrastructure.
For enterprise defenders, this reinforces an important reality. Modern incident response cannot stop at disrupting malware communications or blocking known indicators of compromise. Security teams must also identify and eliminate unauthorized remote access mechanisms, persistence techniques, and trusted administrative tools that attackers may have deployed to survive remediation efforts.
The incident serves as a reminder that attackers do not always need sophisticated malware to remain inside a network. In many cases, legitimate tools and services can provide a more resilient and less conspicuous foothold than traditional command-and-control frameworks.
The attack followed a multi-stage execution chain designed to minimize detection and maintain flexibility throughout the intrusion. According to Cato Networks’ analysis, the infection began with a VBScript-based stager that launched PowerShell components, which then delivered a .NET loader responsible for deploying the Havoc Demon implant. Much of the malicious activity operated in memory, reducing the forensic artifacts typically associated with disk-based malware.
Once execution was established, the attacker focused on persistence and privilege escalation. The investigation observed attempts to elevate privileges using Windows’ Start-Process -Verb RunAs functionality, followed by the creation of scheduled tasks configured to run with the highest available privileges at user logon.
Additional persistence and evasion mechanisms included:
Shellcode injection into Explorer.exe to blend malicious activity with a trusted Windows process.
Deployment of a keylogger to capture credentials and user activity.
Installation of a custom RustDesk instance as an alternative remote-access channel.
Use of multiple execution layers to complicate detection and remediation efforts.
The most significant aspect of the intrusion emerged after the primary malware infrastructure became unavailable. Before the Havoc command-and-control environment went offline, the attacker installed OpenSSH Server and Tailscale on the compromised Windows system.
By connecting the endpoint to a private Tailscale network, enabling SSH key-based authentication, and configuring a reverse SSH tunnel, the attacker established an independent access path that no longer relied on the original command-and-control framework. This form of Tailscale persistence allowed access to survive even after the Havoc infrastructure became unavailable.
From a defensive perspective, this transition is particularly noteworthy because both OpenSSH and Tailscale are legitimate tools widely used for IT administration. Without visibility into process lineage, persistence mechanisms, and configuration changes, these installations can appear legitimate. As a result, distinguishing them from authorized administrative activity becomes more difficult.
Featured Resource
Hexnode IdP Solution Brief
Check out this solution brief for a quick glance into Hexnode IdP's capabilities.
How Hexnode Helps Detect and Respond to Similar Threats
Incidents like this highlight the need for security controls that extend beyond malware detection. Once attackers begin leveraging legitimate administrative tools such as Tailscale, OpenSSH, or RustDesk, organizations need visibility into endpoint activity, persistence mechanisms, and unauthorized software deployments rather than relying solely on traditional threat indicators.
Hexnode XDR can help security teams investigate and respond to suspicious activity across managed endpoints by providing endpoint visibility, threat investigation capabilities, and response actions such as device isolation when malicious behavior is identified. This becomes particularly valuable when investigating attacks that involve script-based execution, privilege escalation attempts, unauthorized remote-access software, or persistence mechanisms.
From a device management perspective, Hexnode UEM helps organizations reduce exposure by enforcing application governance and compliance policies across endpoints. IT teams can:
Monitor devices for the presence of unauthorized or unapproved applications.
Establish application allowlists and blocklists as part of compliance policies.
Maintain endpoint compliance across Windows environments.
Execute remote management and remediation actions on managed devices when suspicious activity is discovered.
Together, endpoint management and security visibility help organizations identify potentially unauthorized remote-access tools, investigate suspicious changes on affected systems, and accelerate remediation before attackers can establish long-term persistence.
Top 10 Signs Your Organization Has a Poor Digital Employee Experience (And What to Do About It)
Discover the 10 warning signs of poor digital employee experience and how proactive IT can eliminate the friction.
Conclusion
This incident demonstrates a critical lesson for security and IT operations teams: disrupting command-and-control infrastructure is not the same as fully remediating a compromised endpoint.
The attacker did not rely exclusively on malware to maintain access. By deploying legitimate remote administration technologies and establishing alternative access channels, they created persistence mechanisms capable of surviving the loss of their primary command-and-control environment. For defenders, this means incident response efforts must extend beyond blocking malicious domains, removing malware, or terminating active sessions.
Effective remediation requires a combination of:
Endpoint telemetry to uncover suspicious process activity and configuration changes.
Tool governance to identify and control unauthorized remote-access software.
Persistence hunting to detect scheduled tasks, remote access services, credential-based access paths, and other long-term footholds.
Device isolation and response capabilities to contain compromised systems before attackers can re-establish access.
As attackers increasingly blend legitimate administrative tools with traditional malware techniques, organizations need visibility into both malicious and seemingly legitimate activity. Cases involving Tailscale persistence illustrate why security teams must investigate legitimate remote-access tools with the same rigor applied to traditional malware artifacts.
Try Hexnode Free for 14 Days
Gain visibility into endpoint activity and respond faster to emerging security threats with Hexnode.
I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.