A low-skilled, French-speaking attacker compromised a small French automotive firm, deploying a keylogger to steal banking and email credentials. Crucially, before his command-and-control infrastructure went offline, he installed OpenSSH and Tailscale on the victim machine to create a resilient, C2-independent backdoor. This technique demonstrates how legitimate networking tools can be abused to maintain persistent access even after primary attacker infrastructure is taken down.

Security Architect’s Take: Audit your environment for unauthorised installations of legitimate remote-access and mesh-networking tools such as Tailscale, ZeroTier, and OpenSSH — these can bypass traditional C2 detection entirely. Implement application allowlisting and egress filtering to prevent unapproved software from establishing outbound tunnels, and alert on new SSH daemon processes or VPN agent installations on endpoints.

Original advisory: Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline