Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
Essential information
- Published
- 19/06/2026 13:24
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- credential-theft fileless-attack france havoc havoc-c2 keylogger openssh poisson rustdesk tailscale vpn-mesh-persistence
- Related entities
- 13 indicators, 6 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware
Description
A comprehensive analysis of 339 commands issued by a French-speaking threat actor nicknamed 'Poisson' over 33 days, targeting a French automotive small business and four French individuals. The attacker utilized a multi-stage fileless attack deploying a 70-line Python keylogger to harvest banking and email credentials. The operation leveraged free-tier infrastructure including Havoc C2 framework, Backblaze B2 storage, and DuckDNS. Most significantly, the attacker installed OpenSSH and Tailscale VPN on victim machines, creating persistent access that survived C2 server takedown. When the C2 went offline for 18 days, the attacker's access remained intact through the VPN mesh, demonstrating that VPN-mesh-based persistence is actively used in real-world intrusions and that traditional C2 takedown is insufficient for remediation.