Small French automotive business hit by network compromise
Incident
Summary
The small French automotive business suffered a credential-theft intrusion that exposed banking and email access, and the attacker kept persistence after the primary C2 went offline. On April 7 the attacker also installed OpenSSH Server and Tailscale to keep a separate way back in. When the Havoc server returned on April 26, the agent reconnected automatically and the activity continued through May 1.
Timeline
- 17.06.2026 19:00
Poisson installs OpenSSH Server and Tailscale for alternate access
Technical Analysis Update: On April 7, Poisson installed OpenSSH Server and Tailscale on the victim's machine, joined it to a private Tailscale network, and set up key-based SSH plus a reverse tunnel so he could keep reaching the affected French automotive business without relying on Havoc.
Sources:
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline — thehackernews.com — 17.06.2026 19:00
- 17.06.2026 19:00
Havoc goes offline but the Tailscale path keeps access alive
Campaign Scope Update: The next day, Havoc went offline, but the separate Tailscale path kept Poisson connected to the affected French automotive business's machine, so the loss of the C2 did not end access.
Sources:
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline — thehackernews.com — 17.06.2026 19:00
- 17.06.2026 19:00
Havoc agents reconnect automatically after the C2 returns
Campaign Scope Update: On April 26, the Havoc infrastructure came back and the agents reconnected automatically, letting Poisson resume activity against the affected French automotive business without re-compromise.
Sources:
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline — thehackernews.com — 17.06.2026 19:00
- 17.06.2026 19:00
Poisson deletes files and goes quiet on the affected French automotive business's machine
Campaign Scope Update: On May 1, Poisson deleted 17 files and went quiet on the affected French automotive business's machine after the observed command activity and credential-harvesting work.
Sources:
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline — thehackernews.com — 17.06.2026 19:00
- 17.06.2026 19:00
Cato CTRL discloses the Poisson intrusion into a small French automotive business
Initial Disclosure: On June 17, 2026, Cato CTRL disclosed Poisson's intrusion into a small French automotive business, describing a keylogger, stolen banking and email credentials, and the separate OpenSSH Server and Tailscale persistence path after the Havoc C2 went offline.
Sources:
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline — thehackernews.com — 17.06.2026 19:00