Regulation · 5 min read · 18 June 2026

How a Junior Hacker Kept Access to a French Auto Firm Long After His C2 Server Went Dark

A commodity intrusion at a small French automotive business exposed a gap most incident-response playbooks still miss: killing the command-and-control beacon does not end the incident if the attacker already installed OpenSSH and Tailscale.

Priya Natarajan, Compliance & Risk Analyst

A French automotive business suffered a network intrusion carried out by what investigators assess was a junior, French-speaking threat actor operating a Havoc command-and-control framework — and the most instructive part of the case is not the initial compromise but what happened after the C2 server went offline.

What Happened

The attacker's opening moves were unremarkable. A keylogger ran on at least one endpoint. Banking credentials were harvested. Email credentials followed. This is the kind of low-sophistication intrusion that fills IR queues every week. Nothing about it would cause an experienced analyst to look twice.

Then, before the Havoc infrastructure went dark, the operator installed two legitimate, widely trusted tools on a victim machine: OpenSSH and Tailscale. Both applications are cryptographically signed. Both are in routine enterprise use worldwide. Neither trips a generic EDR alert on sight. Together, they formed a parallel access channel that required no active C2 infrastructure whatsoever.

When the Havoc server went offline the following day, the attacker still had a working path back into the network. The containment the victim may have believed they achieved was incomplete.

Why Legitimate Tools Make the Best Back Doors

OpenSSH's Windows port is published and signed by Microsoft. Tailscale operates over WireGuard and authenticates through a centralized control plane. Neither is malware. That is the point.

Traditional detection logic asks whether software is malicious. These tools are not. They pass allow-listing, they pass signature checks, and they generate traffic that looks like routine remote administration. For a junior operator with limited tradecraft, installing two trusted binaries is both cheap and effective. The Verizon 2024 Data Breach Investigations Report found that 68 percent of breaches involved a non-malware element — credential abuse, remote access misuse, or living-off-the-land techniques — precisely because those paths generate less signal than a novel implant.

Detection engineers need a different question: *Why is OpenSSH server running on a finance workstation that has no documented need for SSH?* The installation event, not the binary itself, is the indicator.

The Disclosure Clock Problem

This case creates a real compliance headache that counsel and security operations teams should think through carefully.

Under the SEC's final cybersecurity disclosure rule at 17 CFR 229.106 — Item 1.05 of Form 8-K — a public company must file within four business days of determining an incident is material. That clock is tied to the materiality determination, not to the date malware was removed. An organization that scopes the intrusion to the Havoc beacon, evicts the beacon, and declares the incident closed may discover weeks later that a live Tailscale tailnet membership and an SSH daemon extended unauthorized access far past the declared containment date. The materiality determination then plausibly resets — and the disclosure window re-opens.

The same scoping risk applies under CIRCIA. CISA published its proposed reporting rule on April 4, 2024, at 89 Fed. Reg. 23644. The proposed definition of a "covered cyber incident" is broad enough that persistent unauthorized access through a legitimate remote-administration tool would qualify. Comments closed July 3, 2024; a final rule has not yet been published. Organizations operating in critical infrastructure sectors should not assume that a narrow read of incident scope will satisfy the eventual final requirements.

EU operators face the same problem under NIS2. Article 23 requires a 24-hour early warning and a 72-hour incident notification to the relevant national CSIRT. Member State transpositions vary, but national authorities are unlikely to accept an argument that dwell time via a Tailscale node does not extend the incident timeline.

The Control That Failed — and What It Reveals

This intrusion did not succeed because the attacker was skilled. It succeeded because of a gap in software-inventory and endpoint-visibility hygiene. No control flagged the installation of a VPN client and an SSH daemon on a workstation that had no business reason to run either. That is an identity and endpoint governance failure, not a sophisticated evasion technique.

Security awareness training plays a direct role here: employees who understand that unsanctioned software installations — even signed, legitimate tools — represent an attack vector are more likely to report anomalies and less likely to ignore unusual prompts. Organizations that treat awareness training as a checkbox exercise rather than a behavior-change program routinely find these gaps in post-incident reviews. Train2Secure's curriculum covers exactly this class of living-off-the-land technique, giving non-technical staff the vocabulary to recognize and escalate suspicious activity.

Beyond awareness, defenders need four concrete procedural changes.

Inventory Tailscale Proactively

The Tailscale control plane is centralized. Enterprise administrators can query which devices hold auth keys and which tailnets they have joined. Any unmanaged Tailscale installation on a corporate endpoint should be treated as an indicator requiring immediate investigation, not filed under shadow IT and resolved at the next patch cycle.

Alert on OpenSSH Server Installations on Windows

Create a detection rule for `sshd` process creation on Windows endpoints. Pair it with a software-installation alert for the OpenSSH Server optional feature. The alert should fire on installation, not on first connection — by the time inbound SSH traffic appears, the access channel already exists.
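Added example, not code from the article or from any vendor: detection logic for the two indicators described above (the OpenSSH Server feature or a Tailscale installer being run, and sshd/tailscaled starting on a host with no approved software record), run over constructed Sysmon-style process-creation records. Host names, user names, the allow-list and the rule names are assumptions for the demo.

```python
from dataclasses import dataclass

# Constructed allow-list: hosts with a documented need for a given remote-access binary.
APPROVED_SOFTWARE = {"jump-01": {"sshd.exe"}}
# Binaries that open a remote-access channel once they are running.
REMOTE_ACCESS_IMAGES = {"sshd.exe", "tailscaled.exe", "tailscale.exe"}

@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def _is_install_command(cmd: str) -> bool:
    # Matches enabling the OpenSSH Server optional feature (Windows capability
    # OpenSSH.Server~~~~0.0.1.0 via DISM or Add-WindowsCapability) or running a
    # Tailscale installer package: the install step itself is the indicator.
    c = cmd.lower()
    return "openssh.server" in c or ("tailscale" in c and ("setup" in c or ".msi" in c))

def evaluate(event: dict):
    """Return an Alert for one Sysmon Event ID 1 (process creation) record, else None."""
    if event.get("event_id") != 1:
        return None
    host, user, cmd = event["host"], event["user"], event.get("command_line", "")
    image = _basename(event["image"])
    if _is_install_command(cmd):
        return Alert(host, "remote_access_tool_install", f"{user} ran: {cmd}")
    if image in REMOTE_ACCESS_IMAGES and image not in APPROVED_SOFTWARE.get(host, set()):
        return Alert(host, "unapproved_remote_access_process", f"{image} started by {user}")
    return None

def scan(events):
    return [a for a in map(evaluate, events) if a is not None]

# Constructed sample telemetry; jump-01 is the sanctioned negative case.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "finance-ws-07", "user": "ACME\\jdupont",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"event_id": 1, "host": "finance-ws-07", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\OpenSSH\sshd.exe", "command_line": "sshd.exe"},
    {"event_id": 1, "host": "finance-ws-07", "user": "ACME\\jdupont",
     "image": r"C:\Users\jdupont\Downloads\tailscale-setup.exe", "command_line": "tailscale-setup.exe /quiet"},
    {"event_id": 1, "host": "jump-01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\OpenSSH\sshd.exe", "command_line": "sshd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The same allow-list lookup is what turns an unmanaged Tailscale process into an incident indicator rather than a shadow-IT ticket.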

Rewrite Incident-Scoping Checklists

Add an explicit question to every IR scoping procedure: *Was any legitimate remote-access tooling installed on any endpoint during the confirmed or suspected dwell period?* If yes, the containment date is not the date the beacon died. It is the date the last unauthorized access path was verified as removed.

Treat Tailnet Membership as a Persistence Mechanism

Incident handlers should add Tailscale auth-key enumeration and tailnet-membership review to their standard containment checklist, alongside the usual credential-rotation and session-revocation steps.

What Defenders and Regulators Should Take Away

"The junior operator's trick was not clever. It was cheap, and it was effective," one analyst reviewing the case noted. Regulators will not grade on difficulty. The SEC, CISA, and EU national CSIRTs do not reduce their disclosure expectations because the attacker was unsophisticated.

Organizations that scope incidents narrowly — and close cases when the obvious malware is gone — are increasingly exposed to regulatory findings that the incident window was longer than reported. Closing that gap requires endpoint visibility, accurate software inventory, and IR procedures that account for the full range of persistence mechanisms, not just the ones that look like malware.

If your team wants to benchmark its detection and awareness posture against current threat patterns, Train2Secure's pricing page outlines program options scaled to organizations of every size. A free trial is also available with no credit card required.

How this could have been prevented

  • Implement endpoint detection rules that alert on the installation of remote-access tools — not just on known malware signatures — so OpenSSH and Tailscale installations on non-server workstations generate immediate tickets.
  • Audit software inventory continuously and treat any unmanaged VPN or SSH daemon as an incident indicator requiring investigation, not a shadow-IT problem to schedule for later.
  • Train employees to recognize and report unsanctioned software installations: staff who understand that signed, legitimate tools can be weaponized are a real detection layer, not just a compliance checkbox.

Train2Secure's security-awareness programs cover living-off-the-land techniques and help your team build the instincts to catch exactly this class of threat before it extends your incident window.


Frequently asked questions

Why does installing Tailscale and OpenSSH give an attacker persistent access even after the C2 is shut down?

Both tools are legitimate, signed applications that operate independently of any command-and-control framework. Tailscale authenticates through its own control plane; OpenSSH listens for inbound connections over standard SSH. Once installed, both remain active after the original malware is removed unless specifically identified and uninstalled.

Does this type of incident trigger SEC 8-K disclosure requirements?

It can. Under 17 CFR 229.106, the four-business-day filing clock starts at the materiality determination, not at initial detection. If an organization declares containment when the beacon is evicted but a Tailscale node or SSH daemon remains active, the unauthorized access window — and the materiality determination — may extend well past the original containment date.

How should detection teams identify unauthorized OpenSSH or Tailscale installations?

Alert on the installation event itself: the enabling of the OpenSSH Server optional feature on Windows, or the creation of a Tailscale process on any endpoint without an approved software record. Query the Tailscale control plane regularly to enumerate unmanaged device enrollment in corporate tailnets.

What should incident responders add to their containment checklists based on this case?

Add an explicit step asking whether any legitimate remote-access software was installed during the dwell period. If yes, enumerate and remove it before declaring containment. Also revoke any Tailscale auth keys associated with affected endpoints and rotate SSH host keys and authorized-keys files.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
