Attacker Exploits Tailscale and OpenSSH for Persistent Access in French Automotive Business Breach
Executive Summary
In April 2026, a French-speaking attacker, identified as 'Poisson,' infiltrated a small French automotive business. Utilizing a VBScript stager and PowerShell loader, he deployed the Havoc Demon agent in memory, avoiding disk detection. For persistence, he established scheduled tasks and injected shellcode into Explorer.exe. Notably, before his command-and-control (C2) server went offline, Poisson installed OpenSSH and Tailscale on a compromised machine, creating an independent access route. This allowed him to maintain control even after the C2 server was deactivated, leading to the theft of banking and email credentials.
This incident underscores the evolving tactics of cybercriminals who leverage legitimate tools like Tailscale and OpenSSH to establish resilient backdoors. The use of such tools complicates detection and remediation efforts, highlighting the need for organizations to monitor for unauthorized installations and unusual network configurations.
Why This Matters Now
The incident highlights the increasing use of legitimate tools by attackers to maintain persistent access, making detection and remediation more challenging. Organizations must enhance monitoring of authorized software installations and network configurations to prevent similar breaches.
Attack Path Analysis
A French-speaking attacker compromised a small French automotive business by planting a keylogger to steal banking and email credentials. They escalated privileges to install OpenSSH and Tailscale on the victim's machine, enabling persistent access. The attacker moved laterally within the network to access additional systems. They established command and control through Tailscale, bypassing traditional C2 channels. Sensitive data was exfiltrated using encrypted channels. The attack resulted in significant data loss and potential financial impact.
Kill Chain Progression
Initial Compromise
Description
The attacker gained initial access by planting a keylogger to steal banking and email credentials.
Related CVEs
CVE-2026-35414
CVSS 8.1A vulnerability in OpenSSH allows unauthorized users to gain full root shell access due to mishandling of certificate principals containing comma characters.
Affected Products:
OpenBSD OpenSSH – < 9.9p2
Exploit Status:
exploited in the wildCVE-2022-41924
CVSS 8.8A remote code execution vulnerability in the Tailscale Windows client allows malicious websites to reconfigure the daemon and execute code.
Affected Products:
Tailscale Tailscale Windows Client – < 1.32.3
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Input Capture: Keylogging
Compromise Host Software Binary
Valid Accounts
Account Manipulation
External Remote Services
Encrypted Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity Governance
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Direct target as French automotive business was compromised via infostealer, with banking credentials stolen and persistent SSH/Tailscale backdoors installed for continued access.
Banking/Mortgage
Banking credentials were specifically targeted and stolen, requiring enhanced egress security and encrypted traffic monitoring to prevent financial data exfiltration attacks.
Information Technology/IT
Attack leveraged OpenSSH and Tailscale for persistence, bypassing traditional C2 detection, necessitating zero trust segmentation and east-west traffic security controls.
Computer/Network Security
Demonstrates sophisticated persistence techniques using legitimate remote access tools, requiring enhanced threat detection capabilities and multicloud visibility for covert channel identification.
Sources
- Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offlinehttps://thehackernews.com/2026/06/junior-hacker-used-tailscale-and.htmlVerified
- OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 Yearshttps://www.securityweek.com/openssh-flaw-allowing-full-root-shell-access-lurked-for-15-years/Verified
- CVE-2022-41924: Tailscale Windows Client RCE Vulnerabilityhttps://www.sentinelone.com/vulnerability-database/cve-2022-41924/Verified
- CVE-2026-32045https://mondoo.com/vulnerability-intelligence/vulnerability/CVE-2026-32045Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial credential theft, it would likely limit the attacker's subsequent network access, reducing the potential for further exploitation.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to use elevated privileges to access other network segments, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely restrict the attacker's ability to move laterally, thereby limiting access to other systems within the network.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely detect and limit unauthorized command and control communications, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by controlling and monitoring outbound traffic.
Aviatrix CNSF would likely reduce the overall impact of the attack by limiting the attacker's reach and ability to exfiltrate sensitive data.
Impact at a Glance
Affected Business Functions
- Financial Transactions
- Email Communications
Estimated downtime: 3 days
Estimated loss: $50,000
Banking and email credentials of the company were compromised.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement within the network.
- • Deploy East-West Traffic Security to monitor and control internal communications.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Apply Threat Detection & Anomaly Response to identify and mitigate persistent threats.
