Tailscale and OpenSSH Access Survived C2 Shutdown — What It Means

A recent case: an operator retained Tailscale/OpenSSH access even after the Havoc C2 was disabled.
Summary:
— Cato recorded 339 commands and an operator log.
— Operator installed OpenSSH, joined a Tailscale network, configured an SSH key and a reverse SSH tunnel (ssh -R).
— Havoc C2 was disabled, but access persisted; agents returned once infrastructure was restored.
Look for:
— OpenSSH on Windows, tailscale.exe, ssh -R tunnels;
— .vbs/wscript.exe in user folders, scheduled tasks (highest privileges), powercfg changes;
— DuckDNS blocks and hidden persistence layers.
Disabling C2 doesn't guarantee removal — hunt for covert return paths.
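One way to turn the indicators above into a host-level hunt, as an added example that is not from the original post or the vendor's report: a PowerShell script that checks each of them on a single Windows host (assumes an elevated PowerShell 5.1+ session; the service names, the user-profile path and the "never sleep" powercfg heuristic are assumptions).

```powershell
# Added hunt script (not from the original post). Assumes an elevated PowerShell 5.1+ session
# on the suspect Windows host. Every hit is a lead for manual review, not proof of compromise.
$Findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Cat, [string]$Detail) { $Findings.Add("[$Cat] $Detail") }

# 1. OpenSSH and Tailscale as services, plus the OpenSSH optional feature state
foreach ($svc in Get-Service -Name 'sshd','ssh-agent','Tailscale' -ErrorAction SilentlyContinue) {
    Add-Finding 'Service' "$($svc.Name) is $($svc.Status), start type $($svc.StartType)"
}
Get-WindowsCapability -Online -Name 'OpenSSH*' -ErrorAction SilentlyContinue |
    Where-Object State -eq 'Installed' |
    ForEach-Object { Add-Finding 'OpenSSH' "capability $($_.Name) is installed" }

# 2. Running ssh/tailscale binaries, reverse tunnels (-R) and script hosts running .vbs from user folders
foreach ($p in Get-CimInstance Win32_Process) {
    if ($p.Name -match '^(ssh|sshd|tailscale|tailscaled|tailscale-ipn)\.exe$') {
        Add-Finding 'Process' "$($p.Name) pid=$($p.ProcessId): $($p.CommandLine)"
    }
    if ($p.Name -eq 'ssh.exe' -and $p.CommandLine -match '(^|\s)-R\s*\S+') {
        Add-Finding 'SSH-Reverse' "reverse tunnel candidate pid=$($p.ProcessId): $($p.CommandLine)"
    }
    if ($p.Name -match '^(wscript|cscript)\.exe$' -and $p.CommandLine -match '\\Users\\.*\.vbs') {
        Add-Finding 'VBS' "script host pid=$($p.ProcessId): $($p.CommandLine)"
    }
}

# 3. .vbs files dropped anywhere under user profiles
Get-ChildItem -Path "$env:SystemDrive\Users" -Filter '*.vbs' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'VBS' "$($_.FullName) modified $($_.LastWriteTime)" }

# 4. Scheduled tasks that run with highest privileges outside the Microsoft tree
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.RunLevel -eq 'Highest' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'Task' "$($_.TaskPath)$($_.TaskName) (user $($_.Principal.UserId)): $act"
    }

# 5. powercfg: an AC standby timeout of 0 keeps the host awake for the tunnel (assumed heuristic)
$sleep = powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null
if ($sleep -match 'Current AC Power Setting Index: 0x00000000') {
    Add-Finding 'powercfg' 'AC standby timeout is 0 (never sleep) on the active power scheme'
}

# 6. DuckDNS names still in the resolver cache point at a dynamic-DNS return path
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like '*duckdns.org*' |
    ForEach-Object { Add-Finding 'DuckDNS' "$($_.Entry) -> $($_.Data)" }

if ($Findings.Count -eq 0) { 'No indicators from the case found on this host.' } else { $Findings }
```

Run it on every host the C2 agents touched, not just the one where the tunnel was found, and compare the task and service lists against a known-good baseline rather than reading them cold.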
How do you verify there are no “silent” backdoors after C2 remediation?
#cybersecurity #infosec #Tailscale #OpenSSH
