Operation Poisson – Analyzing a Cybercriminal’s Entire Operation
Operation Poisson is a cybercriminal campaign by a French-speaking threat actor targeting a small French automotive business and private individuals. The attacker used a multi-stage fileless attack with a Python keylogger to steal banking and email credentials. The operation leveraged free-tier infrastructure such as Havoc C2, Backblaze B2 storage, and DuckDNS. The attacker established persistent access by installing OpenSSH and Tailscale VPN on victim machines, creating a VPN mesh that survived C2 server takedown. This persistence method allowed continued access even while the C2 was offline for 18 days, showing that traditional C2 takedown alone is insufficient for remediation.
AI Analysis
Technical Summary
Operation Poisson involved 339 commands over 33 days by a French-speaking adversary targeting French victims. The attacker employed a fileless multi-stage attack deploying a 70-line Python keylogger to harvest credentials. The infrastructure used included Havoc C2 framework, Backblaze B2 cloud storage, and DuckDNS domains. Crucially, the attacker installed OpenSSH and Tailscale VPN to create a persistent VPN mesh network on compromised hosts, maintaining access even after the C2 infrastructure was taken offline for an extended period. This demonstrates real-world use of VPN mesh persistence techniques that evade traditional remediation efforts focused on C2 takedown.
Potential Impact
The attacker successfully harvested banking and email credentials from targeted victims. The use of OpenSSH and Tailscale VPN for persistence allowed the attacker to maintain long-term access despite C2 server takedown, increasing the difficulty of fully remediating the intrusion. This persistence mechanism enables stealthy and resilient control over victim machines, potentially facilitating ongoing data theft or further malicious activity.
Mitigation Recommendations
No official patch or fix is applicable as this is an attack campaign rather than a software vulnerability. Remediation requires thorough incident response including detection and removal of OpenSSH and Tailscale VPN installations used for persistence. Traditional C2 takedown alone is insufficient; defenders must identify and disrupt VPN mesh connections and other persistence mechanisms on compromised hosts. Monitoring for indicators of compromise such as the provided IPs, domains, and file hashes can aid detection.
Affected Countries
France
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.catonetworks.com/blog/cato-ctrl-operation-poisson-analyzing-a-cybercriminals-entire-operation/
- Adversary: Poisson
- Pulse Id: 6a3526fcbaffc5909dd73ce4
- Threat Score: null
Threat ID: 6a3529cef198dc38c119a2e6
Added to database: 6/19/2026, 11:36:46 AM
Last enriched: 6/19/2026, 11:49:57 AM
Last updated: 6/19/2026, 4:17:19 PM