Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

Cybersecurity researchers have detailed a real-world intrusion in which a relatively inexperienced threat actor maintained long-term access to a victim’s network by deploying legitimate remote-access tools before losing control of his primary command-and-control infrastructure.

The incident, analyzed by security researchers at Cato Networks, involved a French-speaking attacker who compromised a small automotive business in France, stole sensitive credentials, and established multiple persistence mechanisms that allowed continued access even after his malware infrastructure went offline.

Attack Focused on Credential Theft

According to researchers, the attacker targeted banking accounts, email credentials, and online services used by the victim organization. The operation relied on a combination of malware, remote-access tools, and persistence techniques designed to keep infected systems under the attacker’s control for extended periods.

Investigators tracked more than 300 commands executed over a 33-day period, providing an unusually detailed view of the intrusion lifecycle and the operator’s activities.

Malware Operated Largely in Memory

The attack chain reportedly began with a staged malware deployment process that minimized traces on the victim’s hard drive. A scripted loader downloaded and launched additional components directly in memory, helping the malware avoid traditional file-based detection methods.

The attacker also attempted to gain elevated privileges on infected systems, allowing broader access to operating system functions and sensitive user data.

To strengthen persistence, the operator created scheduled tasks, injected code into legitimate system processes, and deployed remote-management software as a backup communication channel.

OpenSSH and Tailscale Created a Hidden Access Path

Researchers identified a key turning point during the attack when the threat actor installed OpenSSH Server and Tailscale on a compromised machine.

By linking the device to a private virtual network and configuring secure remote access, the attacker established an alternative pathway that operated independently of the malware’s command-and-control servers.

This meant that even if the primary malicious infrastructure became unavailable, access to the victim’s system could continue uninterrupted through legitimate networking tools.

Access Survived C2 Infrastructure Failure

The effectiveness of this strategy became apparent when the attacker’s primary Havoc command-and-control server went offline shortly after the new remote-access setup was deployed.

Despite losing contact with the central malware infrastructure, the attacker retained control through the Tailscale network and SSH access. When the command-and-control server later returned online, infected systems automatically reconnected without requiring reinfection.

Researchers say this demonstrates a growing challenge for incident response teams that may focus on removing malware while overlooking alternative persistence mechanisms.

Legitimate Tools Increasingly Used by Cybercriminals

Security analysts noted that none of the tools involved were inherently malicious. Applications such as OpenSSH, Tailscale, and remote administration platforms are widely used by businesses for legitimate purposes.

However, threat actors are increasingly abusing trusted software to blend into normal network activity and evade detection.

Because these applications are digitally signed and commonly approved in enterprise environments, traditional security controls may not immediately identify their misuse.

Warning for Security Teams

Researchers emphasize that organizations should not assume that shutting down a command-and-control server or removing malware fully resolves an intrusion.

Instead, security teams are encouraged to investigate for secondary access mechanisms, unauthorized remote-access software, suspicious scheduled tasks, and unusual system configuration changes.

Among the indicators highlighted by researchers are unexpected installations of OpenSSH on workstations, unauthorized VPN software, reverse SSH tunnels, abnormal script execution, and system settings modified to prevent devices from entering sleep mode.
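One way to hunt for the indicators listed above on a Windows host, added here as an example rather than tooling from the researchers or the article: a read-only PowerShell sweep that checks for the OpenSSH Server capability, the sshd and Tailscale services, a Tailscale adapter, port-22 listeners, ssh.exe processes carrying a reverse-tunnel (-R) argument, scheduled tasks that launch script hosts or SSH/Tailscale, and a standby timeout of zero. The service, adapter and binary names for Tailscale and OpenSSH are assumptions based on their default installers, and the powercfg parsing assumes English-locale output.

```powershell
# Added example, not part of the original write-up. Run in an elevated PowerShell
# session; Get-WindowsCapability and other processes' command lines need admin rights.
$findings = @()

# 1. OpenSSH Server capability and the services the article names (names assumed)
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*' -ErrorAction SilentlyContinue
if ($cap -and $cap.State -eq 'Installed') { $findings += 'OpenSSH Server capability is installed' }
foreach ($svc in 'sshd', 'Tailscale') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings += "Service '$svc' present (status: $($s.Status))" }
}

# 2. Tailscale virtual network adapter (interface description assumed to contain 'Tailscale')
Get-NetAdapter -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceDescription -like '*Tailscale*' } |
    ForEach-Object { $findings += "Adapter '$($_.Name)': $($_.InterfaceDescription)" }

# 3. SSH listener and ssh/tailscale processes; '-R' in an ssh command line is a reverse tunnel
Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "TCP 22 listening (PID $($_.OwningProcess))" }
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -in 'ssh.exe', 'tailscale.exe', 'tailscaled.exe' } |
    ForEach-Object {
        $tag = if ($_.CommandLine -match '\s-R\s') { ' [reverse tunnel]' } else { '' }
        $findings += "Process $($_.Name) PID $($_.ProcessId)$tag : $($_.CommandLine)"
    }

# 4. Scheduled tasks whose action runs a script host, SSH or Tailscale
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh|cmd|wscript|cscript|mshta|ssh|tailscale') {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs $($a.Execute) $($a.Arguments)"
        }
    }
}

# 5. Sleep disabled: an AC standby timeout of 0 keeps the tunnel endpoint reachable
$sleepCfg = powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null
if ($sleepCfg -match 'Current AC Power Setting Index:\s*0x00000000') {
    $findings += 'Standby timeout on AC power is 0 (device never sleeps)'
}

if ($findings.Count -eq 0) { 'No indicators found' } else { $findings }
```

Any hit is a lead to triage against change records and the user's role, not proof of compromise: an administrator may legitimately have installed OpenSSH Server or Tailscale on that machine.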

Persistence Remains a Major Threat

The case illustrates how even less-experienced attackers can maintain long-term access by combining publicly available tools with basic persistence techniques.

Cybersecurity experts warn that organizations must focus on identifying all avenues of unauthorized access during remediation efforts. Failure to remove secondary persistence mechanisms could allow attackers to regain control of systems long after the original malware infrastructure has been neutralized.

The findings underscore the importance of comprehensive incident response strategies that address not only malware removal but also the broader ecosystem of tools and configurations attackers use to remain hidden within compromised environments.
