A documented case demonstrates that a low-sophistication attacker sustained access inside a compromised Windows environment for 18 days after the primary C2 framework (Havoc) was taken offline, by deploying parallel persistence using OpenSSH for Windows and Tailscale mesh VPN alongside RustDesk, DuckDNS dynamic DNS, and Backblaze B2. The primary operational lesson is that C2 disruption and malware removal are not equivalent to remediation when attackers embed using legitimate commercial tools that blend with authorized traffic.