VMTech
VMTECH · INSTAGRAM

Tailscale and OpenSSH Access Survived C2 Shutdown — What It Means


A recent case: an operator retained Tailscale/OpenSSH access despite Havoc C2 being disabled.

Summary:
— Cato recorded 339 commands and an operator log.
— Operator installed OpenSSH, joined a Tailscale network, configured an SSH key and a reverse tunnel (ssh -R).
— Havoc C2 was disabled, but access persisted; agents returned once infrastructure was restored.

Look for:
— OpenSSH on Windows, tailscale.exe, ssh -R tunnels;
— .vbs/wscript.exe in user folders, scheduled tasks (highest privileges), powercfg changes;
— DuckDNS blocks and hidden persistence layers.
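
A host-side hunt for the artefacts listed above, as an added example (PowerShell, not code from the original post or from Cato); the service names, install paths and the powercfg check are assumptions about typical deployments, not indicators from the case:

```powershell
# Added hunt script: checks one Windows host for the persistence layers the post
# lists. Run from an elevated PowerShell session. Paths and service names below are
# assumptions about default installs, not IoCs taken from the incident.
$findings = @()

# 1. OpenSSH server / Tailscale services and their processes (names are assumptions)
foreach ($svc in 'sshd', 'Tailscale') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) { $findings += "Service present: $($s.Name) [$($s.Status)]" }
}
Get-CimInstance Win32_Process | Where-Object {
    $_.Name -in 'ssh.exe', 'sshd.exe', 'tailscale.exe', 'tailscaled.exe', 'wscript.exe'
} | ForEach-Object {
    # A reverse tunnel appears as "ssh ... -R port:host:port user@host" on the command line
    $tag = if ($_.CommandLine -match '\s-R\s') { ' (reverse tunnel -R)' } else { '' }
    $findings += "Process: $($_.Name) pid=$($_.ProcessId)$tag cmd=$($_.CommandLine)"
}

# 2. SSH authorized keys an operator may have planted (admin-wide file and per-user files)
foreach ($p in "$env:ProgramData\ssh\administrators_authorized_keys",
               "$env:SystemDrive\Users\*\.ssh\authorized_keys") {
    Get-Item $p -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "authorized_keys: $($_.FullName) modified $($_.LastWriteTime)"
    }
}

# 3. .vbs scripts in user folders and scheduled tasks running with highest privileges
Get-ChildItem "$env:SystemDrive\Users" -Recurse -Filter *.vbs -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "VBS in user folder: $($_.FullName)" }
Get-ScheduledTask | Where-Object {
    $_.Principal.RunLevel -eq 'Highest' -and
    ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'wscript|\.vbs|ssh|tailscale' })
} | ForEach-Object { $findings += "Scheduled task (Highest): $($_.TaskPath)$($_.TaskName)" }

# 4. powercfg change that keeps the host awake (AC standby timeout set to 0 = never sleep)
$sleep = powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 2>$null
if ($sleep -match 'Current AC Power Setting Index:\s+0x00000000') {
    $findings += 'powercfg: AC standby timeout is 0 (host never sleeps)'
}

# 5. DuckDNS names in the DNS client cache (dynamic DNS used to rediscover the operator host)
Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*.duckdns.org' } |
    ForEach-Object { $findings += "DNS cache: $($_.Entry) -> $($_.Data)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No listed artefacts found.' }
```

Every hit is a lead to triage, not a verdict: OpenSSH, Tailscale and highest-privilege tasks are all legitimate on many hosts, so compare against what the organisation actually deploys.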

Disabling C2 doesn't guarantee removal — hunt for covert return paths.

How do you verify there are no “silent” backdoors after C2 remediation?

#cybersecurity #infosec #Tailscale #OpenSSH
