NEWS Lessons are done, so you can hack the car business too. A student built malicious infrastructure for a couple of euros. And already there are the

pinkman

BOSS
Staff member
ADMIN
LEGEND
ULTIMATE
SUPREME
MEMBER
BFD Legacy
Joined
Feb 3, 2025
Messages
2,253
Reaction score
19,012
Deposit
0$
Taking down the command-and-control server no longer means the attack is over.

A typical intrusion does not always end when the control server goes offline. Cato CTRL analysts followed the activity of a French-speaking attacker operating under the pseudonym Poisson for 33 days and found that even a novice operator relying on free services was able to gain a foothold in a victim's system and retain access after his own infrastructure went down.

The campaign ran from March 30 to May 1, 2026. In that time Poisson sent 339 commands from a Havoc server and attacked a small French company in the automotive industry and several individuals in France. To store his tools he used four Backblaze B2 storage buckets, free DuckDNS and an inexpensive IONOS server in Berlin. The operator's mistakes helped the analysts reconstruct his actions: the attacker accidentally left his own SSH keys and step-by-step notes in open storage.

At first the attack looked like a typical chain of malicious scripts and hidden code loading. A small VBScript waited 120 seconds to get past some automated checks, then decrypted a PowerShell command and downloaded the main component. The file sedi.dll hid a Havoc Demon agent inside several layers of encoding and launched it without writing the main implant to disk.

Poisson established persistence through Windows scheduled tasks, a shortcut in the Startup folder and code injected into Explorer.EXE. As a backup channel he installed a modified RustDesk build with its own relay configuration. Attempts at privilege escalation were crude: the Start-Process -Verb RunAs command simply brought up the standard Windows User Account Control prompt. On one machine the user clicked "Yes" almost immediately; on the other, the attacker needed about a dozen attempts over two days.

The main goal was stealing credentials. On April 2, Poisson installed a 70-line keylogger written in Python that recorded every keystroke into a local text file. There was no separate server to send the data to, and no automatic exfiltration either. The operator manually retrieved the log through Havoc and checked the file four times in one day. By the third check the program had already collected about 3,000 characters.

Poisson took his most dangerous step on the night of April 7. He installed OpenSSH Server and Tailscale on the victim's machine, then added the infected computer to his own private network. He then set up key-based login and an SSH reverse tunnel. Such a channel did not depend on Havoc, required no open inbound ports and could keep working even after the main control server was taken down.

The next day the Havoc server did in fact stop working. The command server and the redirector disappeared on April 8, but access through Tailscale and SSH remained. When the infrastructure came back on April 26, 18 days later, the infected machines reconnected automatically. No re-infection was needed: the scheduled tasks ran at every logon, the SSH server kept listening for connections, and the Tailscale node remained active.

After returning, Poisson executed another 145 commands. On April 30 he retrieved the keylogger data four times in 40 minutes and ran certutil -scinfo ten times, checking information about certificates and smart cards. This set of actions resembles a search for credentials that allow login through the public key infrastructure. On the same day he moved a file named Thales.zip to the victim's machine and launched the .NET application found inside, then downloaded from his storage a 148-megabyte self-contained version of the same program for .NET 8.0. What exactly these applications did during their 32 minutes of operation, the analysts could not establish.

Before leaving, the operator deleted 17 files, including Thales-related artifacts, the original malicious components and data archives. He left the keylogger in place. The last command was recorded on April 30 at 18:14 UTC, and on May 1 the control server was shut down again.

Cato CTRL stresses that Poisson does not look like a member of an advanced group. His activity coincided with a school schedule, the infrastructure was built on free or cheap services, and his operational security errors were gross. Several times he revealed the path to his own home folder, left working instructions in an open repository and often botched his own commands. Yet even that level was enough to compromise real machines, collect passwords and build a stable access channel.

For defenders, the main conclusion is unpleasant: taking down the control server no longer means the attack is over. After an incident, you need to look not only for the malicious agent but also for backup access channels. On workstations it is worth checking whether OpenSSH Server is installed, and looking for unexpected Tailscale launches, SSH reverse tunnels, suspicious Windows scheduled tasks with elevated rights, VBS files launched from user directories and powercfg commands, which attackers use to keep the computer from going to sleep.
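The checklist above can be turned into a single host audit. The script below is an added example written for this post; it is not code from Cato CTRL or from the original article. It uses only built-in cmdlets, should be run as an administrator on Windows 10/11 with PowerShell 5.1 or later, and assumes the Tailscale Windows service is named Tailscale with processes tailscaled and tailscale-ipn, and that a RustDesk install registers a service and process named RustDesk/rustdesk (both assumptions; adjust to what your inventory shows). It reports, rather than removes, so an analyst can review each finding.

```powershell
# Added example (not from the original post): audit a Windows workstation for the
# backup access channels described above: OpenSSH Server, Tailscale, RustDesk,
# SSH reverse tunnels, elevated scheduled tasks, VBS autostarts and powercfg use.

function Test-TailscaleAddress {
    param([string]$Ip)
    # Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10
    if ($Ip -match '^100\.(\d{1,3})\.') { return ([int]$Matches[1] -ge 64 -and [int]$Matches[1] -le 127) }
    return $false
}

function Invoke-BackupChannelAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. OpenSSH Server: the optional-feature state plus the sshd service itself
    $cap = Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH.Server*'
    if ($cap -and $cap.State -eq 'Installed') { $findings.Add("OpenSSH Server capability installed ($($cap.Name))") }
    $sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
    if ($sshd) { $findings.Add("sshd service present, status: $($sshd.Status), start type: $($sshd.StartType)") }

    # 2. Tailscale / RustDesk: service and process names are assumptions (see lead-in)
    foreach ($svc in 'Tailscale', 'RustDesk') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) { $findings.Add("Service '$svc' present, status: $($s.Status)") }
    }
    Get-Process -Name tailscaled, tailscale-ipn, rustdesk -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Running process: $($_.ProcessName) (PID $($_.Id)) from $($_.Path)") }

    # 3. Network: a listener on TCP/22, peers in the Tailscale range, and outbound ssh.exe
    #    sessions, which is what an SSH reverse tunnel looks like from the victim side
    Get-NetTCPConnection -State Listen -LocalPort 22 -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("TCP/22 listening on $($_.LocalAddress) (PID $($_.OwningProcess))") }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        if ((Test-TailscaleAddress $_.RemoteAddress) -or (Test-TailscaleAddress $_.LocalAddress)) {
            $findings.Add("Connection in Tailscale range: $($_.LocalAddress) -> $($_.RemoteAddress):$($_.RemotePort) ($proc)")
        } elseif ($proc -eq 'ssh') {
            $findings.Add("Outbound ssh.exe session to $($_.RemoteAddress):$($_.RemotePort) (PID $($_.OwningProcess))")
        }
    }

    # 4. Scheduled tasks: highest run level, .vbs under a user profile, powercfg, or a
    #    remote-access tool in the action
    foreach ($task in Get-ScheduledTask) {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
        $flags = @()
        if ($task.Principal.RunLevel -eq 'Highest') { $flags += 'RunLevel=Highest' }
        if ($cmd -match '\\Users\\.*\.vbs') { $flags += 'VBS from user directory' }
        if ($cmd -match 'powercfg') { $flags += 'powercfg in action' }
        if ($cmd -match 'ssh|tailscale|rustdesk') { $flags += 'remote-access tool in action' }
        if ($flags.Count -gt 0) {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' [$($flags -join ', ')]: $cmd")
        }
    }

    # 5. Autostart: Run keys and Startup folders (shortcut targets are resolved via WScript.Shell)
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSDrive fields
            if ("$($p.Value)" -match '\.vbs|powercfg|ssh|tailscale|rustdesk|\\Users\\') {
                $findings.Add("Run key $key\$($p.Name): $($p.Value)")
            }
        }
    }
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $target = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            $findings.Add("Startup item $($_.Name) -> $target")
        }
    }
    return $findings
}

Invoke-BackupChannelAudit | ForEach-Object { Write-Output $_ }
```

Every Startup-folder entry is listed, not just suspicious ones, because the post's attacker used an ordinary shortcut there; a short list with one unfamiliar target is easier to judge than a filtered one. A host that legitimately runs OpenSSH or Tailscale will of course produce findings, so compare the output against the expected software inventory for that machine rather than treating each line as an alert.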

Poisson did not encrypt files, did not move laterally across the network and did not deploy miners. He was after passwords for banks, e-mail and government portals, that is, everything people type by hand every day. That is why a small keylogger, a scheduled task and a legitimate private virtual network were more dangerous in this campaign than loud malware. For small businesses and private users, such an attack means a direct risk of money theft and loss of access to important accounts.
 