216.73.216.86

Operation Poisson – Analyzing a Cybercriminal’s Entire Operation

· Published 19/06/2026 13:24

Export JSON

Essential information

Published
19/06/2026 13:24
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
credential-theft fileless-attack france havoc havoc-c2 keylogger openssh poisson rustdesk tailscale vpn-mesh-persistence
Related entities
13 indicators, 6 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware

Description

A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python to harvest banking and email credentials. The operation leveraged free-tier infrastructure including C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed and VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.

External references